System Hacked, Bitcoin miner installed

Hello,

I had my system hacked, and a miner installed.
I was running the latest version and strong passwords.

I am not looking to get it fixed, rather I want to find out how they did it, and fix it so it does not happen to others.
I attempted to contact a developer about this but he said to use the forums.

The pbx was on a vm so I have taken a snapshot of it, and removed network access. I can provide a copy of the virtual hdd, so if anyone wants to sandbox it and do some digging let me know.

I first noticed that my cpu usage was at 100%.
I logged in and in top I saw “/tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --algo scry”

I looked in /tmp/tester and I see a whole new user! Bash history and all!

Now I have no idea how they got in. The scary part is that I rarely use it.

Anyone have any idea what I should do next?

Let’s start with what versions of FreePBX and Asterisk, how it was installed (distro or on another OS), if a distro which one and version, if scratch what OS and version.

What ports do you have open to the Internet? What is your network topology?

A bit of a whoopsy there if you use the FreePBX distro:-

5.211.65-11 FreePBX Distro,
All Ports are open. Internet->PBX
There is no modem or router, only a switch.

Yep, that looks like it.

Thanks for the help.
Odd how they say to disable it and don’t have an update.

What service did we need that for?

Only nagios would use it; strange, as nagios is not part of the distro, but the exploit is yet installed and opened to the world. Go figure . . .

Yeah exposing the FreePBX interface to the world is not cool. In this day of putty proxies and sysadmin pro letting you run ARI on a different port there just is no justification.

You think I would have learned with the NTP DDoS attack my pbx gave. It took up my entire 1gbps line.

I had a fancy hw firewall but it broke.

Lesson learned, setting up iptables.

Take a look at CSF it adds that basic ip-tables functionality and a lot more with almost zero effort.

Will do, thanks.

They should post this on the site.

opsview is a package that contains nagios. It was included over 2 years ago after numerous users had requested it. In the past it was always chkconfiged off so it would not start at boot but it appears a newer version now auto chkconfigs it on at install time.

If you do not use it just follow the directions to turn it off.

Same happened with our pbxs.
New user ‘nagios’ which is running “.HOLDMYWEEVE” till 100% cpu.
We killed the user with "pkill -KILL -u nagios"
And then removed user nagios with: "userdel -r nagios"
Then the script stops.

I was digging in logs and files, but still can not put my finger on it exactly.
We know exposing the web interface is not the brightest idea, but this is very awkward.

Also FOP2 breaks down after this attack.

Re my suggestion in post #10, CSF also includes LFD, (login failure detection) between the two they provide quite the pizza list:-

http://configserver.com/cp/csf.html

so processes consuming too much resource would be quickly noted and you would be emailed. By its default firewall rules the attacker would never have been let in in the first place. Add rkhunter and you are much better protected from services you didn’t even know you had running than previously.

I have read that you were busy with Dicko to integrate it in the Distro.
Sadly this is not possible right now, because of the license type.

Using webmin for the configuration and afterwards closing the webmin is the best for now (I think).

Thanks Dicko,
We are already looking for CSF solutions. But I see that webmin would be nice to configure it.
We will also look at rkhunter, we have heard great stories about this malware scanner.

Yes, the webmin interface is nice, as is the cellphone app, but for “belt and braces” security concerns, change the port it runs on in /etc/webmin/miniserv.conf and only run it when you need to.

The audit process will also have all sorts of recommendations for further securing your box, one is to make /tmp and /usr/tmp ephemeral, that would have stopped these attacks on reboot.

And rkhunter would have emailed you that night when a new unix user was created.
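The two checks discussed in this thread, an unexpected local account (the ‘nagios’ user found on the other poster’s PBXs) and a process running out of /tmp (the “/tmp/tester” miner), can be scripted without rkhunter or CSF. The script below is an added example written for this thread, not code from the FreePBX project or from anyone in the thread; the passwd files and ps listing it reads are constructed sample data, and on a real host you would point `new_users` at a saved copy of /etc/passwd and feed `tmp_procs` the output of `ps -eo pid,user,args`.

```shell
#!/bin/sh
# Added example, not from the thread: two checks a defender could run on the
# PBX host. One compares a saved copy of /etc/passwd against the live file to
# catch an account that appeared without an admin adding it (the 'nagios'
# user above); the other flags processes whose binary lives in a temp
# directory (the "/tmp/tester" miner). All sample data below is constructed.

# new_users BASELINE CURRENT: print usernames in CURRENT missing from BASELINE.
new_users() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# tmp_procs FILE: FILE holds `ps -eo pid,user,args` output (header included);
# print pid, user and binary for commands started from /tmp, /var/tmp or /dev/shm.
tmp_procs() {
    awk 'NR > 1 && $3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1, $2, $3 }' "$1"
}

# Constructed sample data standing in for a baseline /etc/passwd, the live
# file after the compromise, and a process listing taken while the miner ran.
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
cat > "$tmpd/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asterisk:x:100:101::/var/lib/asterisk:/sbin/nologin
EOF
cat > "$tmpd/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
asterisk:x:100:101::/var/lib/asterisk:/sbin/nologin
nagios:x:500:500::/home/nagios:/bin/bash
EOF
cat > "$tmpd/ps.txt" <<'EOF'
  PID USER     COMMAND
    1 root     /sbin/init
 2310 asterisk /usr/sbin/asterisk -f
 4412 nagios   /tmp/tester -o stratum+tcp://pool.example.invalid:80 -u x -p x
EOF

echo "Accounts present now but not in the baseline:"
new_users "$tmpd/passwd.baseline" "$tmpd/passwd.now"
echo "Processes executing out of a temp directory:"
tmp_procs "$tmpd/ps.txt"
```

On a live box, `ps -eo pid,user,args > /tmp/ps.txt; tmp_procs /tmp/ps.txt` gives the second report; run both from cron and mail the output, and you have a poor man’s version of the rkhunter notice mentioned above.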

I also read your article:
http://www.freepbx.org/forum/freepbx/general-help/security-for-all-you-guys-girls-who-would-like-to-share-your-security-con
Great!!

Is there a default way to install it in FreePBX distro? like “yum install …”?
Or just install it the way rkhunter website tells us?

We have had an internal ticket here for a long time to work with CSF as we use it with some hosting stuff but our big problem has been the lack of any true license. It's not an open source license so it can not be included in FreePBX and based on the license we are not comfortable letting something like Sysadmin Module manage it since that is a commercial license.