[nsp-sec] Compromised clusters used for bitcoin mining

Leif Nixon nixon at nsc.liu.se
Tue Aug 2 14:54:46 EDT 2011


NSP-SEC,

Among other duties, I'm heading the incident response task force for EGI
(www.egi.eu), an infrastructure for computing spanning > 300 sites in
something like 60 countries.

Lately, we have had to deal with academic compute clusters being
compromised and used for bitcoin mining. So far, this incident involves
multiple sites in at least two countries. Some of the clusters are of
significant size.

It seems the intruder follows the well-known cycle of gaining entry
using stolen ssh credentials, getting root through some local
vulnerability and then installing ssh(d) trojans to steal user
credentials for more sites. An interesting twist this time is that the
intruders actually try to use the clusters for bitcoin mining.

The trojan ssh(d) logs captured credentials to the file
"/var/run/proc.pid", which is obfuscated by xoring with 0xff. The trojan
sshd uses the backdoor passwords "t3wl4t34y0u" and "h00km3up".

If this rings a bell for anybody, I would be grateful if you could
contact me on or off list for information pooling.

-- 
Leif Nixon - Security officer
National Supercomputer Centre - Swedish National Infrastructure for Computing
Nordic Data Grid Facility - European Grid Infrastructure
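Editor's added example (not part of Leif Nixon's post or any EGI tooling): the post says the trojaned sshd writes captured credentials to "/var/run/proc.pid" obfuscated by XOR with 0xff. Since XOR with a constant is its own inverse, recovering the captured text for incident response is a one-line transform; the script below also adds a small triage heuristic (raw bytes mostly non-printable, XOR-0xff output mostly printable) so a responder can tell a log of this kind from an ordinary file. The function names and the sample log contents are constructed for this example; only the file path and the 0xff key come from the post.

```python
# Added example (not from the nsp-sec post): decode and triage a credential log
# written by a trojaned sshd that XORs every byte with 0xff, as described above.
import string
import sys
from pathlib import Path

XOR_KEY = 0xFF
PRINTABLE = set(string.printable.encode("ascii"))


def xor_ff(data: bytes) -> bytes:
    """XOR every byte with 0xff. The operation is its own inverse, so the
    same function both obfuscates and recovers the captured text."""
    return bytes(b ^ XOR_KEY for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def looks_xor_ff_obfuscated(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic triage check: the raw bytes are mostly non-printable, but
    after XOR-0xff they are mostly printable text. Ordinary ASCII text maps
    to bytes >= 0x80 under this key, so such a log has near-zero raw
    printability and near-total printability once decoded."""
    return (printable_ratio(data) < threshold
            and printable_ratio(xor_ff(data)) >= threshold)


def decode_credential_log(raw: bytes) -> list[str]:
    """Recover the captured lines from an obfuscated log. latin-1 keeps every
    byte value representable, so decoding never raises on stray bytes."""
    return xor_ff(raw).decode("latin-1").splitlines()


# Constructed sample standing in for the contents of the log file
# (the post names the path as /var/run/proc.pid); no real credentials.
SAMPLE_PLAINTEXT = b"login: alice\npassword: example-only\nfrom: 192.0.2.10\n"
SAMPLE_OBFUSCATED = xor_ff(SAMPLE_PLAINTEXT)


def triage_file(path: str) -> list[str]:
    """Read a suspect file; return its decoded lines if it looks like an
    XOR-0xff log, otherwise an empty list."""
    raw = Path(path).read_bytes()
    return decode_credential_log(raw) if looks_xor_ff_obfuscated(raw) else []


if __name__ == "__main__":
    # Usage: python decode_proc_pid.py /path/to/forensic/copy/of/proc.pid
    # With no argument, the constructed sample is decoded instead.
    lines = (triage_file(sys.argv[1]) if len(sys.argv) > 1
             else decode_credential_log(SAMPLE_OBFUSCATED))
    for line in lines:
        print(line)
```

Run it against a forensic copy of the file rather than the live one on the compromised host; the decoded lines tell you which accounts (and, depending on what the trojan records, which remote sites) need credential resets, which is exactly the "more sites" spread the post describes.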