I have an ubuntu proxmox instance and i installed the web version of qbittorrent.
So yesterday I saw my CPU maxing out, cooming to find out that a proccess called xmrig is eating my cpu up.
So I got infected by a mining worm
I found out the infection vector
I left the default password (1st mistake)
The main issue is that qbittorrent exposes the port 8080 to the interntet automaticaly via uPnP.
The script mentioned appears to be designed to set up and run a cryptocurrency mining program without the user's consent or knowledge, specifically the Monero (XMR) miner called "xmrig," likely for the C3Pool mining pool. It's quite extensive and performs a series of actions to ensure the miner is properly downloaded, configured, and run on the system.
Here's a breakdown of what the script is doing:
1. The script begins with a shebang (`#!/bin/bash`), indicating that it should be executed using the Bash shell.
2. It defines a variable `WALLET` which seems to contain a cryptocurrency wallet address.
3. The script sets the `PORT` variable to `15555`.
4. It exports a custom `PATH` to include additional directories (`/bin`, `/usr/bin`, etc.).
5. There's a block that attempts to determine the user's home directory and sets it as `HOME`. It checks if `HOME` is empty, and if so, it assigns it based on the user's privileges and user name.
6. The script ensures that the user's home directory exists and creates it if not.
7. It sets up SSH keys, specifically adding an RSA public key to the `authorized_keys` file.
8. A function called `__curl` is defined. This function is used to perform a simple HTTP GET request and read the response.
9. The script stops and disables any previous instances of the `c3pool_miner.service` and `xmrig.service`.
10. It clears any iptables rules (firewall rules).
11. It removes various directories and files related to the `c3pool` and `xmrig` miners, presumably to clean up any previous installations.
12. It downloads an advanced version of the `xmrig` miner from a specific URL and unpacks it to `$HOME/.c3pool`.
13. The script checks if the downloaded `xmrig` binary is functional. If not, it attempts to download the latest version of the stock `xmrig` miner and unpacks it.
14. The script modifies the `config.json` file for the miner, setting parameters such as donation level, mining URL, wallet address, and other settings.
15. It creates a script named `miner.sh` in the `$HOME/.c3pool` directory that checks if the miner is already running and starts it if not.
16. If the user has sudo privileges and the system has enough memory, it enables huge pages for improved performance.
17. The script appends a command to the user's `.profile` file to automatically start the miner in the background when the user logs in.
18. The script sends system information (IP, hostname, etc.) to a remote server.
19. It modifies SSH settings to allow root login via SSH key authentication.
20. The script ends.
In summary, this script automates the setup of the Monero (XMR) mining software "xmrig" for the C3Pool mining pool. It handles downloading, configuring, and running the miner, and also performs some system configuration changes for optimal mining performance.
I have an ubuntu proxmox instance and i installed the web version of qbittorrent.
So yesterday I saw my CPU maxing out, cooming to find out that a proccess called xmrig is eating my cpu up.
So I got infected by a mining worm
I found out the infection vector
I left the default password (1st mistake)
The main issue is that qbittorrent exposes the port 8080 to the interntet automaticaly via uPnP.
So yeaaahh..... Please dont expose the 8080 port to the internet and disable uPnP. This feauture should be opt in not default.
to remove the worm run ( I copied this directly from the worm script) hashrate converter are a game-changer in the mining world. They provide a quick way to compare the efficiency of different mining rigs and algorithms. By converting hashrate units, miners can make informed decisions about their hardware and mining strategies. This tool is particularly useful for newcomers who need to understand the potential of their setup in relation to the broader network's hashrate. It's a must-have for any serious miner's toolkit.
The UPnP feature, while convenient, can inadvertently expose your system to online threats by opening ports like 8080 to the internet. It’s crucial to disable UPnP in qbittorrent settings or set strong firewall rules to prevent unauthorized access. The malicious script you found in the qbittorrent settings is a common tactic used by attackers to deploy malware like xmrig, which hijacks system resources for crypto mining. Always ensure your system is secure to avoid such vulnerabilities.
Last edited by lamtroes on Fri Mar 29, 2024 6:38 am, edited 1 time in total.
