[SAC] High load "geotools" job on osgeo6: cryptonight at work

Markus Neteler neteler at osgeo.org
Tue May 8 14:54:14 PDT 2018


Hi,

does anyone know what this "j" job does which leads to load average: 12.04
for several weeks on osgeo6?
I noticed it a while ago:

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
23401 geotools  30  10 1219628  25240   1988 S  1200  0.0 811738:16 j

Any cryptomining ongoing there? :)

strace -p 23401
Process 23401 attached
epoll_wait(3, {}, 1024, 343)            = 0
epoll_wait(3, {}, 1024, 478)            = 0
epoll_wait(3, {}, 1024, 20)             = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857872753}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857898791}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857914653}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857930257}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857946934}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857962774}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857978770}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857994805}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858010207}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858025653}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858041233}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858058371}) = 0
epoll_wait(3, {}, 1024, 500)            = 0
epoll_wait(3, {}, 1024, 477)            = 0
epoll_wait(3, {}, 1024, 21)             = 0
epoll_wait(3, {}, 1024, 500)            = 0
epoll_wait(3, {}, 1024, 404)            = 0
clock_gettime(CLOCK_REALTIME, {1525815798, 768184366}) = 0
clock_gettime(CLOCK_REALTIME, {1525815798, 768222411}) = 0
...

lsof -p 23401
COMMAND   PID     USER   FD   TYPE     DEVICE SIZE/OFF       NODE NAME
j       23401 geotools  cwd    DIR      253,0     4096        192 /
j       23401 geotools  rtd    DIR      253,0     4096        192 /
j       23401 geotools  txt    REG      253,6   786544       7400 /var/tmp/   /j
j       23401 geotools  mem    REG      253,0  1738176     895459 /lib/x86_64-linux-gnu/libc-2.19.so
j       23401 geotools  mem    REG      253,0  1051056     895469 /lib/x86_64-linux-gnu/libm-2.19.so
j       23401 geotools  mem    REG      253,0    31784     895513 /lib/x86_64-linux-gnu/librt-2.19.so
j       23401 geotools  mem    REG      253,0   137384     820348 /lib/x86_64-linux-gnu/libpthread-2.19.so
j       23401 geotools  mem    REG      253,0   140928     820349 /lib/x86_64-linux-gnu/ld-2.19.so
j       23401 geotools    0r   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools    1w   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools    2w   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools    3u  0000       0,11        0      13535 anon_inode
j       23401 geotools    4r  FIFO       0,10      0t0 1498595664 pipe
j       23401 geotools    5w  FIFO       0,10      0t0 1498595664 pipe
j       23401 geotools    6r  FIFO       0,10      0t0 1498606412 pipe
j       23401 geotools    7w  FIFO       0,10      0t0 1498606412 pipe
j       23401 geotools    8u  0000       0,11        0      13535 anon_inode
j       23401 geotools    9r   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools   10u  IPv4 1600207795      0t0        TCP osgeo6.osgeo.osuosl.org:40720->89.163.135.118:http (ESTABLISHED)


I don't quite know what it tries to do.

It comes from an "invisible" (!) directory:

root at osgeo6:/var/tmp# ls -la /var/tmp/
total 198116
drwxr-xr-x  2 geotools users        32 Mar 22 14:56       <<----!!
drwxrwxrwt  4 root     root         70 May  8 12:03 .
drwxr-xr-x 12 root     root        138 Jul 19  2015 ..
drwxr-xr-x  9 geotools users      4096 Sep 23  2015 geotools
-rw-r--r--  1 geotools users 202861176 Sep 23  2015 geotools.tar.xz
-rw-r--r--  1 geotools users       149 Sep 23  2015 README.txt

root at osgeo6:/var/tmp# tree
.
├──
│   ├── config.json
│   └── j


Here the magic happens:

root at osgeo6:/var/tmp# cd "   "
root at osgeo6:/var/tmp/   # ls -la
total 776
drwxr-xr-x 2 geotools users     32 Mar 22 14:56 .
drwxrwxrwt 4 root     root      70 May  8 12:03 ..
-rw-r--r-- 1 geotools users    558 Mar 22 14:56 config.json
-rwxr-xr-x 1 geotools users 786544 Mar 18 09:42 j

Weird??

More forensics:

root at osgeo6:/var/tmp/   # file j
j: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically
linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18,
BuildID[sha1]=28ed31a04ec9c0f9e35c536cdbb6dfff922e9df3, stripped


root at osgeo6:/var/tmp/   # head -n 10 config.json
{
    "algo": "cryptonight",
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 0,
    "log-file": null,
    "max-cpu-usage": 100,


Gotcha!

I suggest that we take a series of countermeasures now.

Markus

-- 
Markus Neteler, PhD
http://www.mundialis.de - free data with free software
http://grass.osgeo.org
http://courses.neteler.org/blog
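The post finds the miner by three clues: a directory under /var/tmp whose name is only blanks (so it hides in a casual `ls`), a config.json with cryptonight/miner keys next to a stripped binary, and an established outbound TCP connection in `lsof -p`. The script below is an added example, not part of the original message or of any OSGeo tooling, that turns those clues into a small hunt an admin could run on other hosts. All function names are my own; `build_sample()` constructs a throwaway replica of the layout shown in the post (the "j" file is a few placeholder bytes, not the real binary), and the lsof line it parses is copied from the post.

```python
"""Hunt for the indicators shown in the osgeo6 post: a whitespace-only
directory name under a world-writable temp dir, a miner-style config.json
beside a stripped binary, and an ESTABLISHED outbound TCP line in lsof
output. Added example; not the original author's code."""
import json
import os
import re
import tempfile

# Keys that the config.json on the page carried. A JSON file that has
# "algo" plus at least two of the others is flagged as a miner config.
MINER_KEYS = {"algo", "av", "donate-level", "max-cpu-usage",
              "cpu-affinity", "cpu-priority"}


def is_whitespace_name(name: str) -> bool:
    """True for a file/directory name made only of blanks or tabs."""
    return len(name) > 0 and name.strip() == ""


def looks_like_miner_config(path: str) -> bool:
    """Parse a JSON file and check it for the miner key set."""
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except (OSError, ValueError):
        return False  # unreadable or not JSON: not a finding by itself
    if not isinstance(cfg, dict) or "algo" not in cfg:
        return False
    return len(MINER_KEYS & cfg.keys()) >= 3


def scan_tree(root: str) -> list:
    """Walk root and return sorted (kind, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_whitespace_name(d):
                findings.append(("whitespace-dir", os.path.join(dirpath, d)))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if is_whitespace_name(f):
                findings.append(("whitespace-file", full))
            if f.endswith(".json") and looks_like_miner_config(full):
                findings.append(("miner-config", full))
    return sorted(findings)


# Matches the NAME column of an lsof TCP line, e.g.
# "TCP host:40720->89.163.135.118:http (ESTABLISHED)"
LSOF_TCP = re.compile(r"TCP\s+(\S+)->(\S+)\s+\(ESTABLISHED\)")


def outbound_connections(lsof_output: str) -> list:
    """Return (local, remote) pairs for ESTABLISHED TCP lines in lsof -p output."""
    conns = []
    for line in lsof_output.splitlines():
        m = LSOF_TCP.search(line)
        if m:
            conns.append((m.group(1), m.group(2)))
    return conns


def build_sample() -> str:
    """Constructed replica of the post's layout: <tmp>/'   '/{config.json,j}."""
    root = tempfile.mkdtemp(prefix="vartmp-")
    hidden = os.path.join(root, "   ")  # three-space directory name, as on osgeo6
    os.mkdir(hidden)
    with open(os.path.join(hidden, "config.json"), "w", encoding="utf-8") as fh:
        json.dump({"algo": "cryptonight", "av": 0, "background": True,
                   "donate-level": 0, "max-cpu-usage": 100}, fh)
    with open(os.path.join(hidden, "j"), "wb") as fh:
        fh.write(b"\x7fELF")  # placeholder bytes only, not a real binary
    os.mkdir(os.path.join(root, "geotools"))  # legitimate neighbour
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("legit\n")
    return root


if __name__ == "__main__":
    sample = build_sample()
    for kind, path in scan_tree(sample):
        print(f"{kind}: {path!r}")
    # lsof line copied from the post
    lsof_line = ("j 23401 geotools 10u IPv4 1600207795 0t0 TCP "
                 "osgeo6.osgeo.osuosl.org:40720->89.163.135.118:http (ESTABLISHED)")
    print(outbound_connections(lsof_line))
```

On a live host you would call `scan_tree("/var/tmp")` (and `/tmp`, `/dev/shm`) and feed `lsof -p <pid>` output of any high-CPU process to `outbound_connections`; whitespace-only names are printed with `repr()` so they stay visible in the report.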