[SAC] High load "geotools" job on osgeo6: cryptonight at work

Markus Neteler neteler at osgeo.org
Sun Sep 16 07:32:10 PDT 2018


Hi SAC,

I just discovered:
on osgeo6 the cryptominer "j" running as "geotools" user is back :-(

Tasks: 522 total,   1 running, 520 sleeping,   1 stopped,   0 zombie
%Cpu(s): 50.3 us,  0.1 sy,  0.0 ni, 49.6 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:  13193000+total, 13111448+used,   815528 free,     8140 buffers
KiB Swap: 15622140 total,    18180 used, 15603960 free. 11951499+cached Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND

 2845 geotools  20   0 1219628  25032   2048 S  1200  0.0 100848:13 j


... stealing some of our resources.

It has been running since:

root@osgeo6:~# ps -p 2845 -o pid,lstart,comm,cmd
  PID                  STARTED COMMAND         CMD
 2845 Mon Sep 10 11:11:51 2018 j               [ksoftirqd]

Clearly, "geotools" was connected at that time, for 3 seconds:

root@osgeo6:~# last
...
root     pts/0        .............    Thu Sep 13 13:33 - 13:34  (00:00)
jmckenna pts/0        .............    Tue Sep 11 05:37 - 20:25  (14:48)
jmckenna pts/0        .............    Mon Sep 10 11:15 - 13:27  (02:11)
geotools pts/0        104.239.230.121  Mon Sep 10 11:09 - 11:12  (00:03)
root     pts/0        ...............  Mon Sep 10 11:07 - 11:08  (00:00)


I suggest that we put stronger measures in place this time:
Can we now agree that a password reset may be a good idea? Or, ssh key only.

Markus
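
The ps output in the message shows a process named "j" whose command line reads "[ksoftirqd]", the bracketed form ps uses for kernel threads. As an added example (not part of the original message), the shell function below flags such look-alikes in ps output; the sample rows are constructed, and the parent PID shown for 2845 is an assumption.

```shell
#!/bin/sh
# Added example: flag processes whose command line imitates a kernel thread.
# Input: lines of "PID PPID USER ARGS", as produced by
#   ps -eo pid=,ppid=,user=,args=
# Genuine kernel threads are kthreadd (PID 2) or its children and run as root;
# ps prints their name in brackets because their command line is empty.
find_fake_kthreads() {
    awk '
    {
        pid = $1; ppid = $2; user = $3
        # Rebuild ARGS from field 4 onward.
        args = $4
        for (i = 5; i <= NF; i++) args = args " " $i
        # Only bracketed command lines are of interest.
        if (args !~ /^\[.*\]$/) next
        genuine = (user == "root" && (pid == 2 || ppid == 2))
        if (!genuine) printf "%s %s %s\n", pid, user, args
    }'
}

# Constructed sample. The 2845 row reuses the PID, user and CMD from the
# report above; its parent PID (1) and all other rows are made up.
sample_ps() {
    cat <<'EOF'
    2     0 root     [kthreadd]
    3     2 root     [ksoftirqd/0]
  812     1 root     /usr/sbin/sshd -D
 2845     1 geotools [ksoftirqd]
 3010   812 alice    -bash
EOF
}

# Demo on the constructed sample. On a live host, use instead:
#   ps -eo pid=,ppid=,user=,args= | find_fake_kthreads
sample_ps | find_fake_kthreads
```

A hit is a lead for triage, not proof: confirm it by checking that /proc/PID/cmdline is non-empty and by inspecting /proc/PID/exe.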