Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Malicious Crypto mining
Crypto mining on servers is seeing a rise in popularity, as of 12/13/17 Bitcoin has a value above 16,000 per coin. While still far behind phishing and spamming crypto mining on servers is becoming a rising way to monetize malicious servers. In research performed for this wiki, over 17 cases of mining on our network mined $634,000 USD in Monero coins.
Besides the rising value of coins newer currencies, at this time specifically Monero (XMR) has made this a viable strategy to extract value out of a compromised server.
Crypto mining at this time is generally performed by a pool of computers, where various 'miners' (in our case compromised servers) contribute compute resources and get paid out on what percentage of the compute power they contribute to said pool.
The following pools have been observed in malicious mining:
These are the ports they generally communicate on:
3333, 4444, 5555, 6666, 7777, 8888, 9999, 14444, 14433
These are the programs used by most pools:
CPUMiner (forked by LucasJones & Wolf)
Example: minerd -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x
YAM Miner (by yvg1900)
Example: yam -c x -M stratum+tcp://YOUR_WALLET_ADDRESS:email@example.com:3333/xmr
Claymore CPU Miner
Example: NsCpuCNMiner64 -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x
Claymore GPU Miner
Example: NsGpuCNMiner -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x
`ccminer (forked by tsiv) ``
Example: ccminer -o stratum+tcp://xmr.crypto-pool.fr:3333 -u YOUR_WALLET_ADDRESS -p x
Minerchk script There is an alpha version script available for detecting miners:
mkdir -p /root/bin
wget -O /root/bin/minerchk https://raw.githubusercontent.com/Hestat/minerchk/master/minerchk.sh
chmod +x /root/bin/minerchk
Most often you will come across these compromises during a load investigation, other hacked site investigation, or if you see an LFD alert like the following.
Example LFD Alert
Command Line (often faked in exploits):
-bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 46uk51aJnMT4VyvwEGhHA9QKSsFiDt8iN48nJza7xnG9epk7y9Xz6KCDfai1bLALuFa7rHNoMPep1RZw8J8GLr4q1fnLNZ4 -p x
These miners most frequently are load in a shared area such as /tmp or /dev/shm
The will often leave a file behind that lives in one of these directories and ends with the .c file type:
root@host [1563 18:27:40 ~]# cat /tmp/phpXBaIHk.c
threads = 1
mine = stratum+tcp://4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN:firstname.lastname@example.org:3333/xmr
This will be accompanied by a file that mirrors the name of the .c file that will be the compile binary doing the mining.
The Coinhive pool was one of the first to create a mining pool gear exclusively towards this kind of mining. The following script is how they currently implement this miner onto a site:
var miner = new CoinHive.User('<site-key>', 'john-doe');
In most of the cases the mining software used will reveal the wallet used to collect the XMR payout. From the example used previously: mine = stratum+tcp://4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN:email@example.com:3333/xmr The public key to the wallet is : 4AQVBkuyXEaWRzmF8tBynWdMA1kAA6rzricUH7Jj5UNaYT3UXH4aT8c2TTKLw3VyZZLgt15WD7xAA1NamQ7rgzXA3pxNpxN After doing some additional searching we can see this pool is tied to here: https://monero.crypto-pool.fr
Here we can see that this miner has earn 1.50 XMR or around $450 at the current exchange rate of 299USD/XMR.
These pools will also lock accounts that have been identified for malicious mining as one wallet found in current research returned the following response.
`You addresse mining is suspend for botnet usage.Send me email to firstname.lastname@example.org
So locating and submitting take down requests would be advantageous to lowering the incidence of mining on our network.