[Systems] Alert: Possible compromise of lightwave server
Sebastian Silva
sebastian at fuentelibre.org
Fri Oct 2 01:52:32 EDT 2015
Turns out I had no password on lightwave, I just wasn't a sudoer.
Samuel (scg) and I logged in using virsh console and I gave myself full
access.
It appears like this bitcoin thing is not new, and there isn't an
attempt to hide it.
So scg and I agree it looks like a person with authorization set this up
since 2013.
I hope these resources are going into SL, but who would know about that,
no idea.
I've uninstalled both tor and bitcoind, but left the configuration files
for both.
I've recovered the wallet.dat file and removed it from the server.
If this is your wallet, I have it, claim it.
If this is official business we need to document it in the wiki.
Regards,
Sebastian
On 01/10/15 23:51, Sebastian Silva wrote:
> My password isn't working, and there is a bitcoin miner running!
>
> icarito at lightwave:~$ passwd
> Changing password for icarito.
> (current) UNIX password:
> passwd: Authentication token manipulation error
> passwd: password unchanged
> 10!icarito at lightwave:~$ htop
> The program 'htop' is currently not installed. To run 'htop' please ask
> your administrator to install the package 'htop'
> 127!icarito at lightwave:~$ top
>
> top - 00:49:41 up 49 min, 1 user, load average: 3.15, 3.25, 3.14
> Tasks: 82 total, 2 running, 80 sleeping, 0 stopped, 0 zombie
> %Cpu(s): 50.7 us, 8.2 sy, 36.6 ni, 0.8 id, 3.3 wa, 0.0 hi, 0.3 si, 0.0 st
> KiB Mem: 1951108 total, 1804676 used, 146432 free, 165836 buffers
> KiB Swap: 0 total, 0 used, 0 free. 1048216 cached Mem
>
> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
> 990 bitcoin 20 0 1380144 373100 9512 S 190.9 19.1 80:38.22 bitcoind
>
--
R&D SomosAzucar.Org
"icarito" #somosazucar on Freenode IRC
"Nobody liberates anybody, nobody liberates themselves alone. Human beings liberate themselves in communion" - P. Freire