Menu Close

Raspberry pi exploited for cryptocurrency mining

Today, my raspberry pi were hacked, and the load went from 0.01 to 8 or more. Zmap is the highest process that hogging the cpu.
So I checked the /etc/rc.local, and it gives me a line that run /opt/6vRKumYc. The 6vRKumYc file is a bash script that will do some task like this :

  • copy the file path and include in /etc/rc.local
  • kill all process of minerd, node, nodejs, ktx, arm*, zmap, kaiten, perl
  • change the /etc/hosts to
  • remove the root and pi .bashrc
  • change the default pi password
  • create authorized_keys for root
  • make a /tmp/public.pem
  • make an irc bot, and connect to this undernet irc servers:
    – Bucharest.RO.EU.Undernet.Org
  • connect to the channel #biret
  • scan all device in the same ip range, and then login as pi user, and copy itself to another device

Maybe this is the copy of the code, so some authorized police can track the malware creator :

I have joined the on channel #Help, #cservice, #hack, #theguard, #abuse, but there no moderator/admin online, so I sent an email to, but there’s no address like that on the server.

No user found when emailing


Leave a Reply

Your email address will not be published. Required fields are marked *