We have encountered a situation where our Kaltura Apache server has been infected by a bitcoin miner. We have blocked off the IP addresses it uses to download software. The problem is that now all of the connections get used up and we cannot identify what is consuming the connections. We have tried to script a process to release the connections when they all get used, but that does not seem to help.
Any help with a resolution is greatly appreciated.
You can start by running `netstat -plntu` to see what processes have listeners running and also what files are held open by them.
Also, I’d advise checking crontabs for all available users. Typically, such miners add cron jobs to do their work and thus it will be your machine that’s establishing a connection to some remote server managed by the attacker and not the other way around.
In addition, of course run `ps faxu` and review all the running procs looking for unwanted ones, and I'd also recommend reviewing the list of installed packages [I believe you're running over RHEL/CentOS, so in your case the command to run to get a list of installed packages would be `rpm -qa`].
Also review /var/log/secure, /var/log/audit/audit.log and /var/log/cron.
If I’m wrong and you’re running on Debian/Ubuntu, you should check /var/log/syslog and /var/log/auth.log.
And, of course, upgrade all your packages to the latest version. That’s an important practice as new exploits are constantly discovered and the distros then provide updates to fix them.
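The answer above lists the checks to run by hand (listeners, every user's crontab, the process list, the auth and cron logs). The script below is an added example, not part of the thread, that bundles those checks into one triage pass and flags the indicators a cron-installed miner typically leaves: a process executing from /tmp, /var/tmp or /dev/shm, a process pinning the CPU, and a cron entry that pipes downloaded content into a shell. The sample `ps` and crontab lines used by the filter functions are constructed; the paths and the `placeholder.invalid` host are assumptions, not values from the thread. The live collection only runs when `TRIAGE_LIVE=1` is set, so the filters can be exercised on captured output first.

```shell
#!/bin/sh
# Added triage helper for a suspected cron-installed miner (not from the thread).
# The filter functions read command output on stdin so they can also be run
# against output copied from another box.

# Reads `ps faxu` output on stdin; prints processes whose command path lives in
# /tmp, /var/tmp or /dev/shm. Legitimate daemons are almost never started from there.
flag_procs_from_tmp() {
    awk '/(^|[[:space:]])(\/tmp|\/var\/tmp|\/dev\/shm)\//'
}

# Reads `ps faxu` output on stdin; prints processes above a %CPU threshold
# (field 3 of ps output). A miner usually sits near 100%. Default limit: 80.
flag_high_cpu() {
    awk -v limit="${1:-80}" '$3 + 0 > limit'
}

# Reads crontab lines on stdin; prints entries that pipe curl/wget output into a
# shell, or that run something from a temp directory. Comments are skipped.
# A job that merely cleans /var/tmp is not flagged (no trailing slash).
flag_cron_entries() {
    awk '/^[[:space:]]*#/ { next }
         /(curl|wget)[^|]*\|[[:space:]]*(ba)?sh/ || /(\/tmp|\/var\/tmp|\/dev\/shm)\// { print }'
}

# Prints the crontab of every account in /etc/passwd (needs root) plus the
# system-wide cron files, each line prefixed with the owning user where known.
dump_all_crontabs() {
    cut -d: -f1 /etc/passwd | while read -r user; do
        crontab -l -u "$user" 2>/dev/null | sed "s/^/$user: /"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
}

# Runs the checks from the answer on the live system and applies the filters.
collect_live() {
    echo "== listening sockets and their processes =="
    netstat -plntu
    echo "== processes running from temp directories =="
    ps faxu | flag_procs_from_tmp
    echo "== processes above 80% CPU =="
    ps faxu | flag_high_cpu 80
    echo "== suspicious cron entries (all users) =="
    dump_all_crontabs | flag_cron_entries
    echo "== last 50 lines of auth/cron logs present on this host =="
    for f in /var/log/secure /var/log/cron /var/log/auth.log /var/log/syslog; do
        [ -r "$f" ] && { echo "-- $f"; tail -n 50 "$f"; }
    done
}

# Only touch the live system when explicitly asked: TRIAGE_LIVE=1 sh triage.sh
if [ "${TRIAGE_LIVE:-0}" = "1" ]; then
    collect_live
fi
```

Run it as root with `TRIAGE_LIVE=1 sh triage.sh > triage-$(date +%F).txt` so the output is preserved before any cleanup; anything the filters print is a starting point for manual review (check the binary's path, its parent process and the cron entry that starts it), not proof on its own. The temp-directory pattern deliberately requires a trailing slash so that housekeeping jobs which mention `/var/tmp` as an argument are not reported.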