What is the process "bash -o stratum+tcp://mine.cc.st:3333 -0 geox.1:x -B" all about?

Solution Unverified

Environment

  • Red Hat Enterprise Linux 6

Issue

  • While monitoring this system, one process, bash -o stratum+tcp://mine.cc.st:3333 -0 geox.1:x -B, was found consuming almost 100% of the machine's CPUs. What is this process about?

Resolution

  • The following process looks like a bitcoin mining process. Red Hat does not ship it:
    bash -o stratum+tcp://mine.cc.st:3333 -0 geox.1:x -B
  • For more information, look at these links: Wikipedia, Bitcoin Main Page, Bitcoin Mining.
    Disclaimer: Please note that the above links are not verified and do not belong to Red Hat, so we do not guarantee that they work. They are given for information purposes only.
  • It is recommended not to run this on a production machine.
  • It also looks like a trojan, so stop this process as the root user, check all the crontab entries, and remove the suspicious crontabs immediately.
  • Contact Red Hat Technical Support regarding the changes in the system.

Here are some recommendations from Red Hat.

(a) Enable the software firewall (iptables) and configure it according to the setup.
(b) Also keep SELinux enabled, in enforcing mode.
(c) Instead of using the root user directly, configure sudo users and grant each user permission to execute only the particular binaries they need.
(d) Configure the audit daemon to monitor particular commands. A small example is given here.
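The following is an added example, not part of the Red Hat solution: an auditd rule set covering point (d) (watch the crontab locations named in the root cause and log every execve), plus a check that pulls a stratum mining command line out of audit.log EXECVE records. OUT_DIR, the file names and the sample log lines are constructed for illustration; on a real RHEL 6 host the rules belong in /etc/audit/audit.rules and are loaded with "service auditd restart".

```shell
#!/bin/bash
# Added example (not from the Red Hat article). Writes an audit rule set and shows
# how the miner's command line would appear in audit.log EXECVE records.
# OUT_DIR and the sample log are constructed; real rules go in /etc/audit/audit.rules.
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

write_audit_rules() {
    # Watch the crontab locations (the persistence point in the root cause) and log
    # every execve so unexpected command lines land in /var/log/audit/audit.log
    cat > "$OUT_DIR/audit.rules" <<'EOF'
-w /etc/crontab -p wa -k cron_changes
-w /etc/cron.d/ -p wa -k cron_changes
-w /var/spool/cron/ -p wa -k cron_changes
-a always,exit -F arch=b64 -S execve -k exec_cmds
-a always,exit -F arch=b32 -S execve -k exec_cmds
EOF
    printf '%s\n' "$OUT_DIR/audit.rules"
}

write_sample_log() {
    # Constructed audit.log excerpt: one EXECVE record for the miner, one benign one
    cat > "$OUT_DIR/audit.log" <<'EOF'
type=SYSCALL msg=audit(1389000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 uid=0 key="exec_cmds"
type=EXECVE msg=audit(1389000000.123:4567): argc=6 a0="bash" a1="-o" a2="stratum+tcp://mine.cc.st:3333" a3="-0" a4="geox.1:x" a5="-B"
type=EXECVE msg=audit(1389000010.456:4570): argc=2 a0="ls" a1="-l"
EOF
    printf '%s\n' "$OUT_DIR/audit.log"
}

find_mining_execs() {
    # $1: audit log. EXECVE records carry argv as a0= a1= ...; print every record
    # that points at a stratum mining-pool URL, print nothing (exit 0) when none match.
    grep -E '^type=EXECVE ' "$1" | grep -Ei 'stratum\+(tcp|ssl)://' || true
}

rules=$(write_audit_rules)
log=$(write_sample_log)
echo "audit rules written to $rules"
echo "suspicious EXECVE records in $log:"
find_mining_execs "$log"
```

On a live system, ausearch -k exec_cmds (or -k cron_changes) returns the same records once the rules are loaded, so the grep can be run over its output instead of the raw log.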

Root Cause

  • A suspicious crontab was installed using the root user's credentials.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
