I don't post much but I feel this is important to those using NGINX on their servers.
Technical details are here:
https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-nginx-process-on-e-commerce-servers/
or, more directly:
https://sansec.io/research/cronrat
https://sansec.io/research/nginrat
Summary:
A vulnerability in NGINX allows a threat actor to install a RAT that runs virtually undetected on your server. One of the options is for it to also hide in CRON with a date of Feb 31.
I mention this because I believe my server got hit and it's very likely others could be vulnerable as well. In the past I have noticed what I thought was a corrupt cron.d/root file, and I've manually cleaned that file. Where I'm stumped is on how to clean the NGINX infestation. I can identify the malicious processes, and their solution is to just terminate them; however, every time I check, the process ID is different.
If anyone else has detected this activity on their server, I would really like to find a way to permanently eradicate NginRAT from my server. All I've done so far is block the payload IP address on my router. I only discovered this issue today.
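A defensive check for the "Feb 31" cron trick mentioned in the post, added here as an example; it is neither the poster's nor Sansec's code. It parses crontab lines (user or /etc/cron.d format) and reports entries whose day-of-month/month schedule can never occur, which is where such a persistence entry hides; the sample crontab is constructed and the paths in it are placeholders.

```python
from typing import List, Tuple

# Last valid day of each month (29 for February so that leap-day jobs are not
# flagged). A schedule whose every day/month pair exceeds this can never run,
# which is how a "31 2" (Feb 31) crontab entry parks a payload without firing.
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}


def expand_field(field: str, lo: int, hi: int) -> set:
    """Expand one numeric cron field ('*', lists, ranges, steps) into the ints it matches."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def never_fires(line: str) -> bool:
    """True if a crontab line (user or system format) is scheduled on dates that cannot occur."""
    fields = line.split()
    if len(fields) < 6 or fields[0].startswith(("#", "@")):
        return False  # comment, @reboot-style shortcut, variable assignment, or not a job line
    dom, month, dow = fields[2], fields[3], fields[4]
    if dow != "*":
        return False  # a restricted weekday field lets cron fire via dow (OR semantics)
    try:
        days, months = expand_field(dom, 1, 31), expand_field(month, 1, 12)
    except ValueError:
        return False  # month/day names such as 'feb' are not parsed here; skip rather than guess
    return all(d > MAX_DAY.get(m, 31) for d in days for m in months)


def scan_crontab(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every entry that is scheduled on an impossible date."""
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1) if never_fires(ln)]


# Constructed sample in /etc/cron.d format (placeholder paths); lines 3 and 5 never fire.
SAMPLE = """\
# m h dom mon dow user command
*/5 * * * * root /usr/bin/true
52 6 31 2 * root /tmp/.hidden/launcher.sh
0 3 29 2 * root /usr/local/bin/leap-day-job
0 4 30,31 2 * root /tmp/.also-hidden
"""

if __name__ == "__main__":
    for lineno, entry in scan_crontab(SAMPLE):
        print(f"line {lineno}: never fires -> {entry}")
```

Run it against the real files by reading /etc/crontab, /etc/cron.d/* and each user's crontab into `scan_crontab`; a hit is worth examining, but an entry that fires normally can of course still be malicious.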