Coinminer detected on Oracle Linux Server 7.6-2019.05.28-0


Hi guys,
On this occasion I would like you to clarify this case for me. We have a customer who has an Oracle Linux server and has a problem with this malware.
We have performed the installation of ESET File Security and we have these results after the system scan:

[Image: screenshot of the scan results]

Here they are as text in case you want to copy them:

14 de octubre de 2021 10:02
file:///u01/Oracle/Middleware/Oracle_Home/coherence/plugins/maven/com/oracle/coherence/coherence-work/o84www
Linux/CoinMiner.RT
troyano
Eliminado
0FE31D4AAA7C108C62532F68BC18DC8427F053A8

14 de octubre de 2021 10:00
file:///home/oracle/c3pool/xmrig
Linux/CoinMiner.BK
aplicación potencialmente no deseada
Desinfectado por eliminación
04FCE56E89D790C3EDAA808E29BDDCE0147962D3

14 de octubre de 2021 10:00
file:///home/oracle/c3pool/config_background.json
Win64/CoinMiner.RO
aplicación potencialmente no deseada
Desinfectado por eliminación
25135CEB79CA61F723029CFA430B3965B91FE1F4

14 de octubre de 2021 10:00
file:///home/oracle/c3pool/config.json
Win64/CoinMiner.RO
aplicación potencialmente no deseada
Desinfectado por eliminación
DDBDF28407927F39C16A4E0EB0F731E87C50A408

The problem is that the process that led us to discover that it is a CoinMiner does not disappear, and if we stop it, it reappears again. Here is a screenshot of the process:

[Image: screenshot of the process]

As you can see, the entire processor is consumed by this process.

We suspect that they may be tasks left by the miner but we don't know how to identify and remove them from the system.
Shouldn't the antivirus remove them?

I attach the logs taken after the removal of the malware with the ESET File Security antivirus. (customer_info.zip)

What should I do in this case?
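
A read-only sweep for the leftover tasks the post asks about, added here as an example; it is not part of the original post and not an ESET tool. The indicator strings come from the paths in the scan log above; the list of start-up locations (cron, systemd units, rc.local, shell profiles, ld.so.preload) is an assumption about where a respawning job could be registered, and `find_persistence` is a hypothetical name.

```shell
#!/bin/sh
# Added example: look for references to the miner artefacts from the scan log
# in places that can restart a process. Nothing is modified or deleted.

# Names taken from the detected paths in the post (c3pool dir, xmrig, o84www).
MINER_PATTERN='c3pool|xmrig|o84www'

# find_persistence ROOT [PATTERN]
#   ROOT is "/" on the live host, or the mount point of a disk image.
#   Prints "file:line:text" per hit; returns 0 on any hit, 1 on none.
find_persistence() {
    fp_root="${1%/}"
    fp_pattern="${2:-$MINER_PATTERN}"
    fp_hits=1
    # System-wide locations (assumed list, not confirmed by the post).
    set -- "$fp_root/etc/crontab" "$fp_root/etc/cron.d" \
        "$fp_root/etc/cron.hourly" "$fp_root/etc/cron.daily" \
        "$fp_root/var/spool/cron" \
        "$fp_root/etc/systemd/system" "$fp_root/usr/lib/systemd/system" \
        "$fp_root/etc/rc.local" "$fp_root/etc/rc.d/rc.local" \
        "$fp_root/etc/profile.d" "$fp_root/etc/ld.so.preload"
    # Per-user start-up files and user-level systemd units.
    for fp_home in "$fp_root/root" "$fp_root"/home/*; do
        [ -d "$fp_home" ] || continue
        set -- "$@" "$fp_home/.profile" "$fp_home/.bash_profile" \
            "$fp_home/.bashrc" "$fp_home/.config/systemd/user"
    done
    for fp_target in "$@"; do
        [ -e "$fp_target" ] || continue
        # -r recurse, -E extended regex, -n line numbers, -H file names,
        # -I skip binary files.
        if grep -rEnHI -- "$fp_pattern" "$fp_target" 2>/dev/null; then
            fp_hits=0
        fi
    done
    return "$fp_hits"
}

# Runs only when asked, e.g.:  sh sweep.sh --scan /
if [ "${1:-}" = "--scan" ]; then
    find_persistence "${2:-/}" || echo "no references found" >&2
fi
```

Run it as root so every user's crontab and home directory is readable. A hit names the file and line to inspect; an empty result only means the indicator strings do not appear in the locations listed.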
