Investigating the hack
I ran into a WordPress site that was running on a VPS and using a large amount of CPU. Let’s open htop and see what’s going on!
Turns out an account brakes 70599 was running cpuminer-sse2 and cpuminer-avx2 as you can see from the screenshot above.
So let’s see if we can gather some more information!
Running lsof provides a list of open files, and as you can see the miner was plopped into /tmp and executed then deleted.
Securing /tmp with noexec
Let’s take a look at /tmp by running the following command.
So we can see leftovers from the installation of the cpuminer, as well as binaries and scripts! This server is running on the GridPane platform, and unfortunately, they don’t mount /tmp as non-executable. So let’s protect /tmp so no code can be executed from /tmp
If you try and then run a script or program from /tmp it will fail with permission denied. This will however be lost on reboot, so let’s add something to /etc/fstab so this persists upon reboot.
You should now see that /tmp is mounted with noexec!
Protecting the /tmp folder from being able to run executable programs from has been something that cPanel has done for years. I’ve submitted a feature request, so please upvote it 🙂
What else can we do? There doesn’t look to be a way for the attacker to escalate privileges to root, so for now let’s just suspend the account and lock the password.
Another issue I have with GridPane is that even though the site is disabled, the system user can’t be disabled. I’ve locked the use as per the command line above, but someone can still sftp into the account with an ssh key if added to the .ssh/authorized_keys file. I submitted a feature request, please upvote.