High CPU load

Discussion in 'Installation/Configuration' started by vassilis3, Dec 3, 2021.

  1. vassilis3

    vassilis3 Member

    Please help me fix a high CPU load.
    I think my server has been hacked by a crypto miner.
    Command:
    Code:
    xmrig --library-path stak stak/xmrig -o 51.195.221.110:443 -k
    Attached screenshot.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    So you see the command xmrig being run on your host?
    Check with
    Code:
    ps -ef | grep -i xmrig
    You can see the user (Owner) of that process; does he or she know anything about it?
    You can kill the process, but if your system is cracked the process comes back. A reboot might get rid of the crack, but probably not. Check the crontabs for that user and maybe all crontabs; they may be the way it gets installed back.
     
  3. vassilis3

    vassilis3 Member

    Thanks for the quick reply.
    Take a look at the crow jobs (I think there are two of them):

    Code:
    diavgia@srv:~$ ps -ef | grep -i xmrig
    diavgia   5856 31890  0 13:54 pts/0    00:00:00 grep -i xmrig
    diavgia  32146     1  9 12:16 ?        00:09:35 xmrig                                                                                                                                                                                                                                                           --library-path stak stak/xmrig -o 51.195.221.110:443 -k
    
     

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What crow?
    The first process is the grep you started; its command line contains the string "xmrig", so it gets shown.
    The other process is the one you are worried about, and it belongs to a user that seems to be you. It is good that it does not run as root.
    Use command
    Code:
    crontab -l
    to check if xmrig gets started by cron.
    You can kill the process using its PID, which is shown in column number 2 of the ps -ef output. So
    Code:
    kill -KILL 32146
    kills the process right away. If it comes back you must find where it gets started.
     
  5. vassilis3

    vassilis3 Member

    Code:
    diavgia@srv:~$ crontab -l
    # * * * * * /tmp/.X11-unix/.x/upd >/dev/null 2>&1
    # @reboot /tmp/.X11-unix/.x/upd >/dev/null 2>&1
    diavgia@srv:~$ crontab -l
    diavgia@srv:~$ kill -KILL 32146
    
    I deleted the cron job and killed the PID.
    Everything seems to be working well and the CPU load is back to low.
    Shouldn't I delete the whole folder as well?
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What folder?
    The crontab looks suspicious; my guess is that the two lines there are what start xmrig. Examine what is in the file /tmp/.X11-unix/.x/upd. You may have to read that file as the root user.
    If this is the case, edit that crontab to remove the lines, with the command
    Code:
    crontab -e -u diavgia
    
    There may be other things the cracker did on your host, so now that the nasty process is killed, you should examine what else has been modified and how the cracker got in. And verify that after a reboot xmrig is not back again. There are instructions on removing xmrig; it seems to be a popular hobby to install it on other people's computers. I used Internet search engines with
    Code:
    remove xmrig linux
     
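The steps Taleman walks through in posts 2, 4 and 6 (find the process in ps -ef, find what re-launches it in cron, look at the launcher file, then kill the PID and check it stays dead) can be put into a small triage script. The script below is an added example, not code from either poster or from HowtoForge. It embeds constructed sample data copied from the ps and crontab output in this thread (plus one benign line each) so it runs offline; the live section at the bottom assumes a Linux host with /proc, GNU find, a crontab command that accepts -u, and a /root directory to copy the binary into.

```shell
#!/bin/sh
# Triage helpers for a suspected cryptominer, following the thread's steps.
# Added example, not the posters' code.

# Constructed sample data: the ps -ef and crontab -l output from this thread
# plus one benign line each. In ps -ef, column 2 is the PID and argv begins
# at column 8.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 12:00 ?        00:00:02 /sbin/init
diavgia   5856 31890  0 13:54 pts/0    00:00:00 grep -i xmrig
diavgia  32146     1  9 12:16 ?        00:09:35 xmrig                    --library-path stak stak/xmrig -o 51.195.221.110:443 -k'

SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /home/diavgia/bin/backup.sh
# * * * * * /tmp/.X11-unix/.x/upd >/dev/null 2>&1
# @reboot /tmp/.X11-unix/.x/upd >/dev/null 2>&1'

# find_miner_pids PATTERN: read ps -ef output on stdin and print the PID of
# every process whose argv matches PATTERN (case-insensitive). The header and
# the grep/awk/pgrep you used to look are skipped, since they match their own
# argument. The run of spaces the miner put in its argv to push the real
# options out of view collapses because awk splits on blanks.
find_miner_pids() {
  awk -v pat="$1" '
    NR == 1 { next }
    {
      cmd = $8
      for (i = 9; i <= NF; i++) cmd = cmd " " $i
      if (cmd ~ /^(grep|awk|pgrep) /) next
      if (tolower(cmd) ~ tolower(pat)) print $2
    }'
}

# suspicious_cron_entries: read crontab text on stdin and print entries whose
# command lives in a world-writable or hidden location (/tmp, /var/tmp,
# /dev/shm, or any dot-directory). Commented-out lines are kept on purpose:
# a disabled entry pointing at /tmp/.X11-unix/.x/upd is still evidence.
suspicious_cron_entries() {
  grep -E '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/|/\.[^/[:space:]]+/' || :
}

# cron_programs: reduce the suspicious entries to the program path (first
# token after the five schedule fields, or after an @reboot-style keyword),
# so you know which file to read before deleting the entry.
cron_programs() {
  suspicious_cron_entries | sed -E 's/^#[[:space:]]*//' \
    | awk '{ if ($1 ~ /^@/) print $2; else print $6 }' | sort -u
}

# collect_and_kill PID...: save what can only be read while the process is
# alive (the binary behind /proc/PID/exe, even if deleted from disk; the real
# argv; the working directory), then SIGKILL it as Taleman suggests. Needs
# root or the owning user. Destination path /root is an assumption.
collect_and_kill() {
  for pid in "$@"; do
    echo "== PID $pid"
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" 2>/dev/null || echo "PID $pid is already gone"
    tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null; echo
    cp "/proc/$pid/exe" "/root/miner-$pid.bin" 2>/dev/null || echo "could not copy binary"
    kill -KILL "$pid" 2>/dev/null || :
  done
}

# Live run on the suspect host (as root): sh triage.sh --live xmrig
# Checks every user's crontab, system cron, hidden entries under
# world-writable directories, then collects and kills the matching PIDs.
if [ "${1:-}" = "--live" ]; then
  pat="${2:-xmrig}"
  echo "--- user crontabs, suspicious entries only"
  for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | suspicious_cron_entries | sed "s|^|$u: |"
  done
  echo "--- system cron"
  cat /etc/crontab /etc/cron.d/* 2>/dev/null | suspicious_cron_entries
  echo "--- hidden entries in world-writable dirs (/tmp/.X11-unix itself is legitimate)"
  find /tmp /var/tmp /dev/shm -mindepth 1 -maxdepth 2 -name '.*' 2>/dev/null
  echo "--- matching processes"
  pids="$(ps -ef | find_miner_pids "$pat")"
  [ -n "$pids" ] && collect_and_kill $pids
fi
```

Run the functions on the samples first (`printf '%s\n' "$SAMPLE_CRON" | cron_programs` prints /tmp/.X11-unix/.x/upd), then the live mode on the host. Collecting /proc/PID/exe before the kill matters because, once the process is dead, a launcher that deleted its own binary leaves nothing on disk to examine.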