So this post is a follow up to the first in this series. In the first post I went over the data on attacks in the wild focusing on prevalence and motivations, this post is more of a focus on technical indicators and methods to detected and prevent this from happening on your servers/network. And I’ve also released a tool called minerchk that can be deployed on servers you suspect that will search for the indicators outlined here.
One of the best proactive steps you can deploy is black holing the DNS for mining pools on you network. I wrote up a prior tutorial on how you can do this if you are using pfSense here. I’ve put together a list of pools that I’ve data on being used for malicious mining you can download it from here:
Observed in malicious activity:
All currently known pools:
The next step would be to use proactive network monitoring to pick up if mining traffic exists in your network, I’ve written up some snort rules based on the ports used by the mining pools, remember you may need to tune these for your environment if you have any of these ports in use for a legitimate service.
You can get the snort rules here: https://github.com/Hestat/minerchk/blob/master/monero-snort.rules
The following indicators are implemented in the minerchk script available here: https://github.com/Hestat/minerchk
So let’s say you do have an infection how would you know. In many cases load on the server will be your most likely indicator. And if running at a lower privilege then you will likely find an indicator or the miner in /tmp or /dev/shm. If run as root then it will be more likely to be a daemonized process, you can see some examples below:
[1563 18:27:40 ~]# cat /tmp/phpXBaIHk.c
threads = 1
You may learn of this either by you actively going to the site or getting report from users of strange work station behavior like heavy fan ramp up or slow response on their workstation when visiting your site.
var miner = new CoinHive.User('<site-key>', 'john-doe');
If you are infected look to see if you can obtain the Monero wallet key as you can use this to identify the malicious miner and submit a request to ban them and lock their funds at teh pool they have been participating in.
Do a little googling and you can locate the public website and emails to contact admins.
If you are unable to enforce blacklisting of domains upstream of your server enforce it locally by routing mining pool domains to localhost.
So I expect to revise this as I get more data, if you got some into your like to share or questions feel free to reach out at twitter @laskow26.