[SAC] High load "geotools" job on osgeo6: cryptonight at work

Regina Obe lr at pcorp.us
Wed May 9 02:25:29 PDT 2018 

Hmm that does look very suspicious.  Not sure why we would be cryptomining. I guess it could be intentional for some kind of testing thing.

 

Definitely need to do something about this like kill it and delete the files. 

 

The j file seems relatively new too.

And target seems to be going to Germany somewhere

 

12   116 ms   154 ms   134 ms  ve556.ipcar.dus3.myloc.de [62.141.47.106]

13    99 ms   109 ms    99 ms  89.163.135.118

 

From: Sac [mailto:sac-bounces at lists.osgeo.org] On Behalf Of Markus Neteler
Sent: Tuesday, May 08, 2018 5:54 PM
To: OSGeo-SAC <sac at lists.osgeo.org>
Subject: [SAC] High load "geotools" job on osgeo6: cryptonight at work

 

Hi,

does anone know what this "j" job does which leads to load average: 12.04 for several weeks on osgeo6?

I noticed it a while ago:


  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                                        
23401 geotools  30  10 1219628  25240   1988 S  1200  0.0 811738:16 j 

Any cryptomining ongoing there? :)

strace -p 23401
Process 23401 attached
epoll_wait(3, {}, 1024, 343)            = 0
epoll_wait(3, {}, 1024, 478)            = 0
epoll_wait(3, {}, 1024, 20)             = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857872753}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857898791}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857914653}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857930257}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857946934}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857962774}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857978770}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 857994805}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858010207}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858025653}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858041233}) = 0
clock_gettime(CLOCK_REALTIME, {1525815796, 858058371}) = 0
epoll_wait(3, {}, 1024, 500)            = 0
epoll_wait(3, {}, 1024, 477)            = 0
epoll_wait(3, {}, 1024, 21)             = 0
epoll_wait(3, {}, 1024, 500)            = 0
epoll_wait(3, {}, 1024, 404)            = 0
clock_gettime(CLOCK_REALTIME, {1525815798, 768184366}) = 0
clock_gettime(CLOCK_REALTIME, {1525815798, 768222411}) = 0
...

lsof -p 23401
COMMAND   PID     USER   FD   TYPE     DEVICE SIZE/OFF       NODE NAME
j       23401 geotools  cwd    DIR      253,0     4096        192 /
j       23401 geotools  rtd    DIR      253,0     4096        192 /
j       23401 geotools  txt    REG      253,6   786544       7400 /var/tmp/   /j
j       23401 geotools  mem    REG      253,0  1738176     895459 /lib/x86_64-linux-gnu/libc-2.19.so <http://libc-2.19.so> 
j       23401 geotools  mem    REG      253,0  1051056     895469 /lib/x86_64-linux-gnu/libm-2.19.so <http://libm-2.19.so> 
j       23401 geotools  mem    REG      253,0    31784     895513 /lib/x86_64-linux-gnu/librt-2.19.so <http://librt-2.19.so> 
j       23401 geotools  mem    REG      253,0   137384     820348 /lib/x86_64-linux-gnu/libpthread-2.19.so <http://libpthread-2.19.so> 
j       23401 geotools  mem    REG      253,0   140928     820349 /lib/x86_64-linux-gnu/ld-2.19.so <http://ld-2.19.so> 
j       23401 geotools    0r   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools    1w   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools    2w   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools    3u  0000       0,11        0      13535 anon_inode
j       23401 geotools    4r  FIFO       0,10      0t0 1498595664 pipe
j       23401 geotools    5w  FIFO       0,10      0t0 1498595664 pipe
j       23401 geotools    6r  FIFO       0,10      0t0 1498606412 pipe
j       23401 geotools    7w  FIFO       0,10      0t0 1498606412 pipe
j       23401 geotools    8u  0000       0,11        0      13535 anon_inode
j       23401 geotools    9r   CHR        1,3      0t0       2052 /dev/null
j       23401 geotools   10u  IPv4 1600207795      0t0        TCP osgeo6.osgeo.osuosl.org:40720->89.163.135.118:http (ESTABLISHED)



I don't quite know what it tries to do.

It comes from an "invisible" (!) directory:

root at osgeo6:/var/tmp# ls -la /var/tmp/
total 198116
drwxr-xr-x  2 geotools users        32 Mar 22 14:56       <<----!!
drwxrwxrwt  4 root     root         70 May  8 12:03 .
drwxr-xr-x 12 root     root        138 Jul 19  2015 ..
drwxr-xr-x  9 geotools users      4096 Sep 23  2015 geotools
-rw-r--r--  1 geotools users 202861176 Sep 23  2015 geotools.tar.xz
-rw-r--r--  1 geotools users       149 Sep 23  2015 README.txt

root at osgeo6:/var/tmp# tree
.
├──    
│   ├── config.json
│   └── j

 

Here the magic happens:


root at osgeo6:/var/tmp# cd "   "
root at osgeo6:/var/tmp/   # ls -la
total 776
drwxr-xr-x 2 geotools users     32 Mar 22 14:56 .
drwxrwxrwt 4 root     root      70 May  8 12:03 ..
-rw-r--r-- 1 geotools users    558 Mar 22 14:56 config.json
-rwxr-xr-x 1 geotools users 786544 Mar 18 09:42 j

Weird??

More forensic:


root at osgeo6:/var/tmp/   # file j
j: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=28ed31a04ec9c0f9e35c536cdbb6dfff922e9df3, stripped


root at osgeo6:/var/tmp/   # head -n 10 config.json
{
    "algo": "cryptonight",
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 0,
    "log-file": null,
    "max-cpu-usage": 100,



Gotcha!

I suggest that we take a series of countermeasures now.


Markus

-- 

Markus Neteler, PhD
http://www.mundialis.de - free data with free software
http://grass.osgeo.org
http://courses.neteler.org/blog

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/sac/attachments/20180509/1bca6763/attachment-0001.html>

More information about the Sac mailing list