...
Attackers enter Linux machines by means of IPMI or RFB console access, install a rootkit and launch a bitcoin miner. Additional functions may include: distribution of hacking/mining software, attacking other machines, possibly stealing passwords.
...
- Unexplained reboots.
- rkhunter reporting the libncom rootkit.
- Presence of files in /tmp like do, update, rc_local_found.
- Presence of files in /usr/bin like minerd, or starting with _- (underscore-dash; these should apparently be hidden by the rootkit).
- Presence of /lib/libncom.* or /lib64/libncom.* and /etc/ld.so.preload pointing to this library (beware of the rootkit, see above).
- CPU usage that can't be accounted for. The miner process might only be visible when evading the rootkit (see above).
- CPU usage by processes like metasploit, nmap, minerd.
- Presence of /usr/local/bin/ssh.
- Some tools may have been upgraded or installed (gnu auto*, Python, JRE), metasploit, nmap.
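The indicator list above can be turned into a read-only triage script. The following is an added example, not part of the original page: it checks the named paths (the libncom library in /lib or /lib64, the /etc/ld.so.preload entry, the /tmp droppings, minerd and "_-" prefixed files in /usr/bin, /usr/local/bin/ssh). The ROOT argument is an assumption of this example so the checks can be run against a mounted disk image or a constructed test tree; on a live box an ld.so.preload rootkit hooks every dynamically linked program (ls, find, grep included), so run it there only from statically linked tools or a rescue boot. The make_sample_tree helper builds a constructed fake tree purely to demonstrate the script offline.

```shell
#!/bin/sh
# Added example (not from the original page). ROOT is an assumed parameter:
# point it at a mounted image ("/mnt/evidence") or at a constructed test tree.

# Print one "kind: path" line per indicator found under ROOT.
scan_indicators() {
    root="${1%/}"

    # /etc/ld.so.preload naming the libncom library
    if [ -f "$root/etc/ld.so.preload" ]; then
        grep -n 'libncom' "$root/etc/ld.so.preload" 2>/dev/null |
            sed "s|^|preload: $root/etc/ld.so.preload:|"
    fi

    # the preload library itself in /lib or /lib64
    for lib in "$root"/lib/libncom.* "$root"/lib64/libncom.*; do
        [ -e "$lib" ] && echo "rootkit-lib: $lib"
    done

    # dropper leftovers in /tmp named in the indicator list
    for name in "do" update rc_local_found; do
        [ -e "$root/tmp/$name" ] && echo "tmp-file: $root/tmp/$name"
    done

    # miner binary and "_-" prefixed (rootkit-hidden) names in /usr/bin
    [ -e "$root/usr/bin/minerd" ] && echo "miner: $root/usr/bin/minerd"
    for f in "$root"/usr/bin/_-*; do
        [ -e "$f" ] && echo "hidden-name: $f"
    done

    # replacement ssh binary outside the package manager's paths
    [ -e "$root/usr/local/bin/ssh" ] && echo "ssh-binary: $root/usr/local/bin/ssh"
    return 0
}

# Echo the number of indicators found under ROOT.
count_indicators() {
    scan_indicators "$1" | wc -l | tr -d ' '
}

# Build a constructed, throwaway tree mimicking the described compromise so
# the script can be demonstrated offline; prints the directory name.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/lib" "$d/tmp" "$d/usr/bin" "$d/usr/local/bin"
    echo "/lib/libncom.so" > "$d/etc/ld.so.preload"   # constructed sample
    : > "$d/lib/libncom.so"
    : > "$d/tmp/rc_local_found"
    : > "$d/usr/bin/minerd"
    : > "$d/usr/bin/_-x"
    : > "$d/usr/local/bin/ssh"
    echo "$d"
}

# Usage when run directly, e.g.: sh triage.sh /mnt/evidence
if [ -n "$1" ]; then
    scan_indicators "$1"
fi
```

The script only reads the filesystem and prints findings; the CPU-usage indicators on the list (unaccounted load, minerd/nmap/metasploit processes) are left to a process listing taken from outside the rootkit's reach, for the reason given above.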
...
To avoid detection, the libncom rootkit is installed. From this point on detection may be difficult, although the rootkit doesn't seem to always work properly.
A number of directories and files were touched during installation of various software. Places to look at are /tmp, /usr/bin, /raid2/, /opt.
...