Just found the following 2 new directories on multiple Windows Server 2003 installations of ColdFusion 9:
{wwwroot}/CFIDE/m32 3/13/2014
contains:
libcurl-4.dll
libwinpthread-1.dll
m32.exe
zlib1.dll
and
{wwwroot}/CFIDE/m64 3/17/2014
contains:
libcurl-4.dll
libwinpthread-1.dll
m64.exe
zlib1.dll
When running m32.exe it appears that it’s some type of wrapper for a bitcoin mining operation:
C:\Inetpub\wwwroot\CFIDE\m32>m32.exe
m32.exe: no URL supplied
Try `minerd --help' for more information.
C:\Inetpub\wwwroot\CFIDE\m32>minerd --help
'minerd' is not recognized as an internal or external command,
operable program or batch file.
C:\Inetpub\wwwroot\CFIDE\m32>m32.exe minerd --help
Usage: minerd [OPTIONS]
Options:
-a, --algo=ALGO specify the algorithm to use
scrypt scrypt(1024, 1, 1) (default)
sha256d SHA-256d
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-u, --user=USERNAME username for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
-t, --threads=N number of miner threads (default: number of processors)
-r, --retries=N number of times to retry if a network call fails
(default: retry indefinitely)
-R, --retry-pause=N time to pause between retries, in seconds (default: 30)
-T, --timeout=N network timeout, in seconds (default: 270)
-s, --scantime=N upper bound on time spent scanning current work when
long polling is unavailable, in seconds (default: 5)
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
-q, --quiet disable per-thread hashmeter output
-D, --debug enable debug output
-P, --protocol-dump verbose dump of protocol-level activities
--benchmark run in offline benchmark mode
-c, --config=FILE load a JSON-format configuration file
-V, --version display version information and exit
-h, --help display this help text and exit
C:\Inetpub\wwwroot\CFIDE\m32>m32.exe minerd -V
cpuminer 2.3.3
libcurl/7.35.0 zlib/1.2.8
I cannot find any information about this and have no idea how these files got on the servers – we were cryptojacked. For now I’m relocating them for further investigation as the processes were being launched through JRun…
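A triage script for the situation described above, written as an added example (it is not from the post or from ColdFusion): it walks a CFIDE directory, flags any executable or DLL dropped under it, and looks inside files for the strings the poster's terminal session shows cpuminer printing. The directory layout it scans is constructed in a temp dir to stand in for the m32 directory from the post; `MINER_MARKERS` and `EXEC_SUFFIXES` are assumed indicator sets, not anything from the original.

```python
import tempfile
from pathlib import Path

# Strings the post's terminal session shows cpuminer printing. A file under the
# web root that carries them and is not a known ColdFusion component merits triage.
MINER_MARKERS = (b"minerd", b"no URL supplied", b"cpuminer",
                 b"X-Stratum", b"X-Long-Polling", b"--userpass")
# Nothing executable normally belongs in a new subdirectory of CFIDE.
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".cmd"}


def scan_cfide(root):
    """Walk a CFIDE directory and return {relative_path: [reasons]} for suspect files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in EXEC_SUFFIXES:
            reasons.append("executable under CFIDE")
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable (locked by a running process, ACL); log separately
        hits = [m.decode() for m in MINER_MARKERS if m in data]
        if hits:
            reasons.append("miner strings: " + ", ".join(hits))
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_constructed_sample(root):
    """Constructed stand-in for the post's layout: a dropped m32 dir beside legitimate content."""
    root = Path(root)
    (root / "m32").mkdir(parents=True)
    # fake PE header plus the strings the real m32.exe printed; not a working binary
    (root / "m32" / "m32.exe").write_bytes(b"MZ\x90\x00minerd: no URL supplied\x00cpuminer 2.3.3")
    (root / "m32" / "zlib1.dll").write_bytes(b"MZ\x90\x00zlib")
    (root / "administrator").mkdir()
    (root / "administrator" / "index.cfm").write_text("<cfoutput>admin</cfoutput>")
    return root


def demo():
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_cfide(build_constructed_sample(tmp))


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, "->", "; ".join(why))
```

Run it against a real `{wwwroot}/CFIDE` (after copying the tree, so the originals keep their timestamps) to list dropped binaries alongside the reason each was flagged.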