...

The following IOCs have been observed on machines involved in the "750x7" hack, but may also be present under other, unrelated circumstances.

Network

  • Traffic to 119.78.232.8. This is the bitcoin master server at the time of this writing.
  • Inbound ssh connections that can't be attributed to legitimate users.
  • Possibly outgoing scanning activity, in particular for ports 623 and 5900.
  • Possibly outgoing scans for http/https (ports 80/443).

On the machine

  • Unexplained reboots.
  • rkhunter reporting the libncom rootkit.
  • Presence of files in /tmp such as do or updaterc_local_found.
  • Presence of files in /usr/bin like minerd, or starting with _- (underscore-dash; these are apparently hidden by the rootkit).
  • Presence of /lib/libncom.* or /lib64/libncom.* and /etc/ld.so.preload pointing to this library. As these are possibly hidden by the rootkit, they may only be visible when booting from a secure image or using commands like export LD_PRELOAD=/lib/libc.so.6; ls /*/libncom.*; cat /etc/ld.so.preload (please make sure to point to the correct libc, otherwise the rootkit would still hide itself).
  • CPU usage that can't be accounted for. The miner process might only be visible when evading the rootkit, e.g. with export LD_PRELOAD=/lib/libc.so.6; ps | grep miner (please make sure to point to the correct libc, otherwise the rootkit would still hide itself).
  • Presence of /usr/local/bin/ssh.
  • Possibly tools have been upgraded or installed: GNU auto*, Python, metasploit, nmap.
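
As an added example (not part of the original page), the following POSIX shell function checks the file-system indicators listed above against a root directory. Pass the mount point of the root file system inspected after booting from a secure image, where the rootkit cannot hide files; on a live system it must be run with the LD_PRELOAD evasion described above, and may still miss hidden entries. The function name and output format are my own.

```shell
#!/bin/sh
# Added example, not from the original page: offline check for the "750x7"
# file-system IOCs. Usage: check_750x7_iocs /mnt/suspect-root
# Prints one "IOC:" line per indicator found; returns 0 when nothing was found,
# 1 otherwise, so it can be used from scripts or cron.
check_750x7_iocs() {
    root="${1:-/}"
    hits=0

    # /etc/ld.so.preload pointing at the libncom rootkit library
    if [ -f "$root/etc/ld.so.preload" ] && grep -q 'libncom' "$root/etc/ld.so.preload"; then
        echo "IOC: $root/etc/ld.so.preload references libncom"
        hits=$((hits + 1))
    fi

    # Known paths and file-name patterns from the IOC list above
    for f in "$root"/lib/libncom.* "$root"/lib64/libncom.* \
             "$root"/usr/local/bin/ssh "$root"/usr/bin/minerd "$root"/usr/bin/_-* \
             "$root"/tmp/do "$root"/tmp/updaterc_local_found; do
        # an unmatched glob is left literal by sh, so confirm the path really exists
        [ -e "$f" ] || continue
        echo "IOC: $f present"
        hits=$((hits + 1))
    done

    [ "$hits" -eq 0 ]
}
```

Run it against a clean root first to confirm it stays silent, then against the suspect root; every reported line points at a file to preserve before reinstalling.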

Intrusion

As far as we could observe, the attackers break into the system in one of at least two, possibly three ways:

...