DEV Community

sachinravindran
sachinravindran

Posted on

1

How We Removed a Crypto Miner Malware That Exploited Linux File Attributes

#hacking #security #linux

Introduction

Imagine walking into a Monday morning only to find your company’s server grinding to a halt. CPU and memory usage are maxed out, services are timing out, and your team is panicking. This was my reality when I discovered a crypto miner malware (perfectl) had hijacked our server. What followed was a battle against resource-hogging processes, undeletable files, and a crash course in Linux file attributes. Here’s how I fought back—and what I learned along the way.

The Discovery: htop Reveals the Culprit

The first clue was the server’s sluggish performance. Running htop, I spotted a suspicious process named perfectl guzzling 90%+ of the CPU. Crypto miners are notorious for this—they silently hijack resources to mine cryptocurrency for attackers.

Key Takeaway:

  • Monitor resource usage: Tools like htop, top, or glances are critical for spotting abnormal processes.

The Roadblock: "Operation Not Permitted" Errors

After killing the malicious process, I traced its files to delete them. But even as root, deletion failed with cryptic errors:

rm: cannot remove 'malicious-file': Operation not permitted
Enter fullscreen mode Exit fullscreen mode

A quick lsattr check revealed the malware’s sneaky trick: immutable files. The i attribute was set, preventing deletion or modification:

lsattr malicious-file  
----i---------e---- malicious-file
Enter fullscreen mode Exit fullscreen mode

Why This Matters:

The i (immutable) flag locks files, even for root. Attackers use this to protect their malware from being removed.

The Fix: chattr to the Rescue

To remove the files, I first had to strip the i attribute using chattr:

sudo chattr -i malicious-file
Enter fullscreen mode Exit fullscreen mode

Then deletion worked:

sudo rm -rf malicious-file
Enter fullscreen mode Exit fullscreen mode

Important Notes:

  • Be thorough: Malware often spreads across multiple files/directories. Use lsattr -R /path/to/suspicious/dir to check recursively.

  • Audit cron jobs/services: The malware likely had a persistence mechanism (e.g., a cron job respawning it).

Lessons Learned: Protect Your Server

  1. Monitor Actively: Use tools like htop, netstat, and audit logs.

  2. Lock Down Permissions: Restrict write access to critical directories.

  3. Know Linux Attributes: The i (immutable), a (append-only), and e (extent format) flags can be abused by attackers.

  4. Automate Scans: Tools like chkrootkit, rkhunter, or modern EDR solutions can flag hidden threats.

  5. Backup & Test: Ensure immutable backups exist to recover from attacks.

Final Thoughts

This incident was a wake-up call. Attackers are getting craftier—using legitimate Linux features (like chattr) against us. Vigilance, layered security, and understanding system fundamentals are your best defense.``

profile
Postmark
 Promoted

Speedy emails, satisfied customers

Postmark Image

Are delayed transactional emails costing you user satisfaction? Postmark delivers your emails almost instantly, keeping your customers happy and connected.

Sign up

Top comments (0)

profile
Neon
 Promoted

Billboard image

Create up to 10 Postgres Databases on Neon's free plan.

If you're starting a new project, Neon has got your databases covered. No credit cards. No trials. No getting in your way.

Try Neon for Free →

Read next

gajjarashish profile image

Configure monit service in AL2023

Ashish Gajjar -

s3cloudhub profile image

How to Install MySQL on Ubuntu

S3CloudHub -

victoruzoagba profile image

Ransomware: A Wake-Up Call for the Digital Age

Victor Uzoagba -

leandroveiga profile image

Ultimate Guide to API Security in .NET: Mastering JWT, OAuth, and Best Practices

Leandro Veiga -