Crypto miner got on my server - but how?


We noticed that the server was running at super high CPU loads (almost 800%, on a 32gb Linode with 8 cores). After some digging we found it was a crypto miner. We think we have got rid of it - BUT how could they have got in? Our passwords are 30+ charachters long and a mix of letters, digits, and other special charachters, so I'm pretty sure they didn't get in with a brute force. We also have fail2ban setup.

Are there any other ways they could have got in?

They installed a cron as the solr user:

…and this creates a mining profile with wc.conf that has stuff like:

"algo": "cryptonight", // cryptonight (default) or cryptonight-lite
"av": 0, // algorithm variation, 0 auto select
"background": true, // true to run the miner in the background
"colors": true, // false to disable colored output
"cpu-affinity": null, // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1

Does anyone have any insight on where we could look? We are going to rebuild the server to make sure that no backdoors are left in, but I'm a bit concerned the original entry point could still be unprotected if we don't know what caused it :(



2 Replies

Is your Solr public facing for some reason? It should just listen to localhost, nothing else.

Hi Woet,

Thanks for the reply. Solr itself isn't, but I can access it by adding the IP into my local IP (so I can get into the admin area). It's also locked down by an IP block

It looks like his other server was also compromised. Same hack, but in a different folder. The other server doesn't have solr on (it was running as gcc).




Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct