This Reddit remark posted to the CentOS subreddit is typical. An admin observed that two servers have been contaminated with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wished assist investigating the trigger.
“I solely grew to become conscious of the malware as a result of my monitoring setup alerted me to 100% CPU utilization,” the admin wrote within the April 2023 submit. “Nonetheless, the method would cease instantly after I logged in through SSH or console. As quickly as I logged out, the malware would resume working inside just a few seconds or minutes.” The admin continued:
I’ve tried to take away the malware by following the steps outlined in different boards, however to no avail. The malware all the time manages to restart as soon as I log off. I’ve additionally searched all the system for the string “perfcc” and located the information listed beneath. Nonetheless, eradicating them didn’t resolve the problem. because it preserve respawn on every time rebooted.
Different discussions embrace: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese language), svrforum (Korean), exabytes, virtualmin, serverfault and plenty of others.
After exploiting a vulnerability or misconfiguration, the exploit code downloads the primary payload from a server, which, generally, has been hacked by the attacker and transformed right into a channel for distributing the malware anonymously. An assault that focused the researchers’ honeypot named the payload httpd. As soon as executed, the file copies itself from reminiscence to a brand new location within the /temp listing, runs it, after which terminates the unique course of and deletes the downloaded binary.
As soon as moved to the /tmp listing, the file executes underneath a distinct identify, which mimics the identify of a recognized Linux course of. The file hosted on the honeypot was named sh. From there, the file establishes a neighborhood command-and-control course of and makes an attempt to realize root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a extensively used open supply multimedia framework.
This Reddit remark posted to the CentOS subreddit is typical. An admin observed that two servers have been contaminated with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wished assist investigating the trigger.
“I solely grew to become conscious of the malware as a result of my monitoring setup alerted me to 100% CPU utilization,” the admin wrote within the April 2023 submit. “Nonetheless, the method would cease instantly after I logged in through SSH or console. As quickly as I logged out, the malware would resume working inside just a few seconds or minutes.” The admin continued:
I’ve tried to take away the malware by following the steps outlined in different boards, however to no avail. The malware all the time manages to restart as soon as I log off. I’ve additionally searched all the system for the string “perfcc” and located the information listed beneath. Nonetheless, eradicating them didn’t resolve the problem. because it preserve respawn on every time rebooted.
Different discussions embrace: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese language), svrforum (Korean), exabytes, virtualmin, serverfault and plenty of others.
After exploiting a vulnerability or misconfiguration, the exploit code downloads the primary payload from a server, which, generally, has been hacked by the attacker and transformed right into a channel for distributing the malware anonymously. An assault that focused the researchers’ honeypot named the payload httpd. As soon as executed, the file copies itself from reminiscence to a brand new location within the /temp listing, runs it, after which terminates the unique course of and deletes the downloaded binary.
As soon as moved to the /tmp listing, the file executes underneath a distinct identify, which mimics the identify of a recognized Linux course of. The file hosted on the honeypot was named sh. From there, the file establishes a neighborhood command-and-control course of and makes an attempt to realize root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a extensively used open supply multimedia framework.
