<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Hmm, that does look very suspicious. Not sure why we would be cryptomining. I guess it could be intentional for some kind of testing thing.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Definitely need to do something about this, like kill it and delete the files.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>The j file seems relatively new too.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>And the target seems to be going to Germany somewhere:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>12 116 ms 154 ms 134 ms ve556.ipcar.dus3.myloc.de [62.141.47.106]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> 13 99 ms 109 ms 99 ms 89.163.135.118<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Sac [mailto:sac-bounces@lists.osgeo.org] <b>On Behalf Of </b>Markus Neteler<br><b>Sent:</b> Tuesday, May 
08, 2018 5:54 PM<br><b>To:</b> OSGeo-SAC &lt;sac@lists.osgeo.org&gt;<br><b>Subject:</b> [SAC] High load "geotools" job on osgeo6: cryptonight at work<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><div><div><div><p class=MsoNormal style='margin-left:.5in'>Hi,<br><br>does anyone know what this "j" job does which leads to load average: 12.04 for several weeks on osgeo6?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>I noticed it a while ago:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><br><span style='font-family:"Courier New"'> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND <br>23401 geotools 30 10 1219628 25240 1988 S 1200 0.0 811738:16 j </span><br><br>Any cryptomining ongoing there? :)<br><br>strace -p 23401<br>Process 23401 attached<br>epoll_wait(3, {}, 1024, 343) = 0<br>epoll_wait(3, {}, 1024, 478) = 0<br>epoll_wait(3, {}, 1024, 20) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857872753}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857898791}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857914653}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857930257}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857946934}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857962774}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857978770}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 857994805}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 858010207}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 858025653}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 858041233}) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815796, 858058371}) = 0<br>epoll_wait(3, {}, 1024, 500) = 0<br>epoll_wait(3, {}, 1024, 477) = 0<br>epoll_wait(3, {}, 1024, 21) = 0<br>epoll_wait(3, {}, 1024, 500) = 0<br>epoll_wait(3, {}, 1024, 404) = 0<br>clock_gettime(CLOCK_REALTIME, {1525815798, 768184366}) = 
0<br>clock_gettime(CLOCK_REALTIME, {1525815798, 768222411}) = 0<br>...<br><br>lsof -p 23401<br>COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME<br>j 23401 geotools cwd DIR 253,0 4096 192 /<br>j 23401 geotools rtd DIR 253,0 4096 192 /<br>j 23401 geotools txt REG 253,6 786544 7400 /var/tmp/ /j<br>j 23401 geotools mem REG 253,0 1738176 895459 /lib/x86_64-linux-gnu/libc-2.19.so<br>j 23401 geotools mem REG 253,0 1051056 895469 /lib/x86_64-linux-gnu/libm-2.19.so<br>j 23401 geotools mem REG 253,0 31784 895513 /lib/x86_64-linux-gnu/librt-2.19.so<br>j 23401 geotools mem REG 253,0 137384 820348 /lib/x86_64-linux-gnu/libpthread-2.19.so<br>j 23401 geotools mem REG 253,0 140928 820349 /lib/x86_64-linux-gnu/ld-2.19.so<br>j 23401 geotools 0r CHR 1,3 0t0 2052 /dev/null<br>j 23401 geotools 1w CHR 1,3 0t0 2052 /dev/null<br>j 23401 geotools 2w CHR 1,3 0t0 2052 /dev/null<br>j 23401 geotools 3u 0000 0,11 0 13535 anon_inode<br>j 23401 geotools 4r FIFO 0,10 0t0 1498595664 pipe<br>j 23401 geotools 5w FIFO 0,10 0t0 1498595664 pipe<br>j 23401 geotools 6r FIFO 0,10 0t0 1498606412 pipe<br>j 23401 geotools 7w FIFO 0,10 0t0 1498606412 pipe<br>j 23401 geotools 8u 0000 0,11 0 13535 anon_inode<br>j 23401 geotools 9r CHR 1,3 0t0 2052 /dev/null<br>j 23401 geotools 10u IPv4 1600207795 0t0 TCP osgeo6.osgeo.osuosl.org:40720-&gt;89.163.135.118:http (ESTABLISHED)<br><br><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'>I don't quite know what it tries to do.<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'>It comes from an "invisible" (!) 
directory:<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><span style='font-family:"Courier New"'>root@osgeo6:/var/tmp# ls -la /var/tmp/<br>total 198116<br>drwxr-xr-x 2 geotools users 32 Mar 22 14:56 &lt;&lt;----!!<br>drwxrwxrwt 4 root root 70 May 8 12:03 .<br>drwxr-xr-x 12 root root 138 Jul 19 2015 ..<br>drwxr-xr-x 9 geotools users 4096 Sep 23 2015 geotools<br>-rw-r--r-- 1 geotools users 202861176 Sep 23 2015 geotools.tar.xz<br>-rw-r--r-- 1 geotools users 149 Sep 23 2015 README.txt</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><span style='font-family:"Courier New"'>root@osgeo6:/var/tmp# tree<br>.<br>├── <br>│ ├── config.json<br>│ └── j</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>Here the magic happens:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><br><span style='font-family:"Courier New"'>root@osgeo6:/var/tmp# cd " "<br>root@osgeo6:/var/tmp/ # ls -la<br>total 776<br>drwxr-xr-x 2 geotools users 32 Mar 22 14:56 .<br>drwxrwxrwt 4 root root 70 May 8 12:03 ..<br>-rw-r--r-- 1 geotools users 558 Mar 22 14:56 config.json<br>-rwxr-xr-x 1 geotools users 786544 Mar 18 09:42 j<br><br>Weird??</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><span style='font-family:"Courier New"'>More forensics:</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'><span style='font-family:"Courier New"'><br>root@osgeo6:/var/tmp/ # file j<br>j: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=28ed31a04ec9c0f9e35c536cdbb6dfff922e9df3, 
stripped<br><br><br>root@osgeo6:/var/tmp/ # head -n 10 config.json<br>{<br> "algo": "cryptonight",<br> "av": 0,<br> "background": true,<br> "colors": true,<br> "cpu-affinity": null,<br> "cpu-priority": null,<br> "donate-level": 0,<br> "log-file": null,<br> "max-cpu-usage": 100,<br><br></span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'>Gotcha!<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'>I suggest that we take a series of countermeasures now.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:.5in'><br>Markus<br><br>-- <o:p></o:p></p><div><p class=MsoNormal style='margin-left:.5in'>Markus Neteler, PhD<br><a href="http://www.mundialis.de" target="_blank">http://www.mundialis.de</a> - free data with free software<br><a href="http://grass.osgeo.org" target="_blank">http://grass.osgeo.org</a><br><a href="http://courses.neteler.org/blog" target="_blank">http://courses.neteler.org/blog</a><o:p></o:p></p></div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div></div></div></body></html>