
Raspberry Pi exploited for cryptocurrency mining

Today my Raspberry Pi was hacked, and the load went from 0.01 to 8 or more. Zmap was the top process hogging the CPU.
So I checked /etc/rc.local, and it contained a line that runs /opt/6vRKumYc. The 6vRKumYc file is a bash script that does the following tasks:

  • copy its own file path into /etc/rc.local
  • kill all processes named minerd, node, nodejs, ktx, arm*, zmap, kaiten, perl
  • change /etc/hosts to point at bins.deutschland-zahlung.eu
  • remove the root and pi .bashrc files
  • change the default pi password
  • create an authorized_keys file for root
  • create /tmp/public.pem
  • start an IRC bot and connect to these Undernet IRC servers:
    – ix1.undernet.org
    – ix2.undernet.org
    – Ashburn.Va.Us.UnderNet.org
    – Bucharest.RO.EU.Undernet.Org
    – Budapest.HU.EU.UnderNet.org
    – Chicago.IL.US.Undernet.org
  • join the channel #biret
  • scan all devices in the same IP range, then log in as the pi user and copy itself to the other device

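The indicators listed above can be checked on a suspect Pi with a small triage script. This is an added example, not the author's code or anything from the malware itself; it reads from a configurable root directory so it can also be run against the constructed sample tree built at the bottom of the block, and the sample tree, its fake SSH key and the `count_indicators`/`build_sample` function names are all assumptions of this example.

```shell
#!/bin/sh
# Added triage helper, not the author's code: counts the host-level indicators the post
# lists (rc.local launching /opt/6vRKumYc, /etc/hosts pointing at bins.deutschland-zahlung.eu,
# deleted root/pi .bashrc files, /tmp/public.pem, a root authorized_keys file) under a root dir.

# Print the number of matched indicators for the filesystem rooted at $1 (use / on a live Pi).
# Each match is described on stderr; only the count goes to stdout so callers can capture it.
count_indicators() {
    root="$1"
    hits=0
    note() { echo "[!] $1" >&2; hits=$((hits + 1)); }

    # persistence: an uncommented rc.local line starting something from /opt
    if [ -f "$root/etc/rc.local" ] && grep -q '^[^#]*/opt/' "$root/etc/rc.local"; then
        note "rc.local starts: $(grep '^[^#]*/opt/' "$root/etc/rc.local")"
    fi
    # /etc/hosts rewritten to the domain named in the post
    if [ -f "$root/etc/hosts" ] && grep -qi 'deutschland-zahlung' "$root/etc/hosts"; then
        note "/etc/hosts references deutschland-zahlung.eu"
    fi
    # the script removes both shell rc files
    for f in root/.bashrc home/pi/.bashrc; do
        [ -e "$root/$f" ] || note "$f is missing"
    done
    # dropped key material and root SSH access
    [ -e "$root/tmp/public.pem" ] && note "/tmp/public.pem is present"
    [ -s "$root/root/.ssh/authorized_keys" ] && note "root has an authorized_keys file"

    echo "$hits"
}

# Constructed sample tree reproducing the post's indicators (not a real capture).
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/root/.ssh" "$d/home/pi"
    printf '#!/bin/sh\n/opt/6vRKumYc &\nexit 0\n' > "$d/etc/rc.local"
    printf '127.0.0.1 localhost\n0.0.0.0 bins.deutschland-zahlung.eu\n' > "$d/etc/hosts"
    : > "$d/tmp/public.pem"
    echo 'ssh-rsa AAAA-constructed-placeholder-key root@example' > "$d/root/.ssh/authorized_keys"
    # both .bashrc files are deliberately absent, as the post describes
    echo "$d"
}

sample=$(build_sample)
echo "indicators found in constructed sample: $(count_indicators "$sample")"   # 6
rm -rf "$sample"
```

On a live system, `count_indicators /` reports the matches; a running `zmap` process, as the post describes, is a separate check with `ps` that this offline example does not cover.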
Maybe this copy of the code will help the police track down the malware creator:

I joined us.undernet.org on the channels #Help, #cservice, #hack, #theguard and #abuse, but there was no moderator/admin online, so I sent an email to abuse-expoits@undernet.org, but there is no such address on that server.

No user found when emailing abuse-expoits@undernet.org
