Mauricio Osorio
Posted October 14, 2021

Hi guys,

On this occasion I would like you to clarify this case for me. We have a customer who has an Oracle Linux server and has a problem with this malware. We have performed the installation of ESET File Security and we have these results after the system scan:

Here they are in text in case you want to copy them:

14 de octubre de 2021 10:02 file:///u01/Oracle/Middleware/Oracle_Home/coherence/plugins/maven/com/oracle/coherence/coherence-work/o84www Linux/CoinMiner.RT troyano Eliminado 0FE31D4AAA7C108C62532F68BC18DC8427F053A8
14 de octubre de 2021 10:00 file:///home/oracle/c3pool/xmrig Linux/CoinMiner.BK aplicación potencialmente no deseada Desinfectado por eliminación 04FCE56E89D790C3EDAA808E29BDDCE0147962D3
14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config_background.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación 25135CEB79CA61F723029CFA430B3965B91FE1F4
14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación DDBDF28407927F39C16A4E0EB0F731E87C50A408

The problem is that the process that led us to discover that it is a CoinMiner does not disappear, and if we stop it, it reappears again. Here is a screenshot of the process:

As you can see, the entire processor is consumed by this process. We suspect that they may be tasks left by the miner, but we don't know how to identify and remove them from the system. Shouldn't the antivirus remove them?

I attach the logs taken after the removal of the malware with the ESET File Security antivirus. (customer_info.zip)

What should I do in this case?
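The post asks how to identify the tasks that keep restarting the miner. As an added example (not part of the original post and not ESET's own tooling), the script below searches common Linux autostart locations for the names that appear in the scan log above. The list of locations, the function names `find_persistence` and `make_sample_root`, and the sample file tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Indicator names come from the
# ESET scan log in the post; the list of autostart locations is an assumption.
INDICATORS='c3pool|xmrig|o84www'

# find_persistence ROOT [USER]
# ROOT is / on a live host or the mount point of a disk image.
# Prints file:line:text for each autostart entry that mentions an indicator.
find_persistence() {
    root=${1%/}
    user=${2:-oracle}
    home="$root/home/$user"
    for p in \
        "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
        "$root/etc/cron.daily" "$root/var/spool/cron" \
        "$root/etc/systemd/system" "$home/.config/systemd/user" \
        "$root/etc/rc.local" "$root/etc/rc.d/rc.local" \
        "$home/.profile" "$home/.bash_profile" "$home/.bashrc"
    do
        [ -e "$p" ] || continue
        # grep exits 1 when nothing matches; that is not an error here.
        grep -rHEn -- "$INDICATORS" "$p" 2>/dev/null || :
    done
    return 0
}

# make_sample_root: builds a CONSTRUCTED file tree (not data from the host in
# the post): one clean cron file, one user crontab and one systemd unit that
# reference the flagged directory. Prints the path of the tree.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/cron.d" "$d/var/spool/cron" "$d/etc/systemd/system" "$d/home/oracle"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/etc/cron.d/logrotate"
    printf '*/5 * * * * /home/oracle/c3pool/miner.sh >/dev/null 2>&1\n' > "$d/var/spool/cron/oracle"
    printf '[Service]\nExecStart=/home/oracle/c3pool/xmrig --config=/home/oracle/c3pool/config.json\nRestart=always\n' \
        > "$d/etc/systemd/system/sample_miner.service"
    printf 'export PATH=$PATH:/u01/app/bin\n' > "$d/home/oracle/.bash_profile"
    echo "$d"
}

# Demo on the constructed tree; on a real host call: find_persistence / oracle
sample=$(make_sample_root)
find_persistence "$sample" oracle
rm -rf "$sample"
```

Run it as root on a live system so that other users' crontabs and unit files are readable. An empty result only rules out these locations and these names, so it is worth repeating the search with the binary name shown for the respawning process.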