Massive CPU usage from a service

Linux Problems
    LLamaPie (Sep 9, 2024, 6:11 PM)

    [attached screenshot: 658f811a-201d-4054-9fe0-4fef84361e95-image.png]

    Running Fog Version: 1.5.10.15
    Linux: Debian 12

    Over the last week, we have noticed a massive spike in the CPU usage on our FOG Server VM. See the screenshot. I am unable to find what the process is or why it is using so much CPU.

    The www-data user appears to be part of the web server, but .systmd doesn’t appear to relate to anything (at least that I can find). I will kill the process and it will just come back up shortly after. Killing it does not appear to affect FOG either.

    Does anyone have any clue what this is?

      Tom Elliott (Sep 9, 2024, 6:44 PM)

      @LLamaPie I am pretty sure this isn’t something FOG is doing. I don’t know of a command named .systmd, and it seems questionable at best. The fact that it’s being used and spawned by www-data is a real hmmm if you ask me.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        LLamaPie (Sep 9, 2024, 6:50 PM)

        @Tom-Elliott Yep, that is what I was worried about. Worst case I need to nuke the server and rebuild.

          Tom Elliott (Sep 9, 2024, 6:54 PM)

          @LLamaPie If you can, get the backup db and images of course. I don’t think they’re affected, but whatever is relaying is using a ton of CPU. So at least not a full start-over, I think.

            LLamaPie (Sep 9, 2024, 7:18 PM)

            @Tom-Elliott Well Sophos found this:

            [attached screenshot: 11acb2bb-e051-400e-a4bd-f176bb09f83d-image.png]

              george1421, Moderator (Sep 9, 2024, 8:37 PM)

              @LLamaPie

              /var/www/html/fog/management/.sys

              Is not something that FOG creates. ref: https://github.com/FOGProject/fogproject/tree/stable/packages/web/management

              A file or directory name starting with a dot (.sys) means the entry is hidden unless you use the command ls -la /var/www/html/fog/management; likewise .systmd is a hidden file made to represent the systemd application.

              I did find this article: https://sarperavci.com/ironshade-writeup-tryhackme/

              So the question is how this server was compromised, and if we don’t know, it will probably happen again. What version of FOG did you have installed?

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                Tom Elliott (Sep 9, 2024, 9:38 PM)

                @george1421 Running Fog Version: 1.5.10.15

                  george1421, Moderator (Sep 9, 2024, 11:17 PM)

                  @Tom-Elliott The key is that it’s post the security update for FOG.

                  The question I have is:

                  1. How did that file/malware get onto the server?
                  2. Why did it pick that specific path to hide in?
                  3. When was the server compromised? The date on the files in that directory may give us a clue.
                  4. Could it happen again? We don’t know, because we don’t know how it was installed.

                  It almost seems intentional and deliberate to pick that specific path. I don’t think apache normally has write access to that path.

                  @OP is your fog server exposed directly to the internet?

                    LLamaPie (Sep 10, 2024, 11:36 AM)

                    @george1421 Nope, that is what is baffling us as well. The server is local only and locked down. No one outside the network should be able to access it.

                    It’s hard to say when it was compromised but we did notice the sudden spike in resource usage 1-2 weeks ago. The server is largely left alone as it does what it needs to do. Beyond running updates on occasion, no changes are made. I will keep an eye on things. I just know after Sophos cleaned up the issue yesterday it has been fine. It’s too soon to say for sure.

                    What I can possibly do is scan some of our long-term back ups to figure out how long it’s been infected. We will want to discard them anyway. I’ll see what I can do.

                      Tom Elliott (Sep 10, 2024, 1:55 PM)

                      @LLamaPie Based on what I see of the issue is it possible the server is this service too?
                      https://sarperavci.com/Froxlor-Authenticated-RCE/

                      I don’t know what Froxlor is, but the lol.php and .systmd that you saw seem to point to somebody trying to do some bitcoin mining, possibly?

                        LLamaPie (Sep 10, 2024, 2:01 PM)

                        @Tom-Elliott Yea the “coinminer config” that Sophos nuked + the 400% CPU usage makes me think it was being used to do some sort of mining.

                          george1421, Moderator (Sep 10, 2024, 10:27 PM)

                          @LLamaPie Well, keep an eye on it; my concern is that there is a bug in PHP that allowed this to happen somehow. It’s in the HTTP path and not the NFS path. Hopefully you will scan and/or keep an eye on the CPU usage. When you detect a change, be sure to review the apache logs, both error and access, as well as the login logs for abnormal activity.

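The following script is an added example, not code from this thread or from the FOG project. It turns two points raised above into a repeatable check a defender can run on the server: george1421's note that dot-prefixed names such as .sys and .systmd do not show up in a plain ls, and his later advice that the dates on the dropped files narrow down when the compromise happened. The default web root is the FOG path named in the thread; www-data is assumed to be the Apache user (as on Debian) and, following george1421's remark, is assumed not to be the intended owner of anything under the management directory. It assumes a Linux host with POSIX find, sort and ls and does not cover the apache or login log review, which is a separate step.

```shell
#!/bin/sh
# Added example (not part of the thread or of FOG): filesystem triage for a web
# root after finding hidden entries such as /var/www/html/fog/management/.sys.
# Assumes Linux with POSIX find/sort/ls. Run as root so find can read every
# subdirectory; permission errors are silenced below.

# Print every dot-prefixed file or directory under $1, one path per line, sorted.
# Plain `ls` skips these names, which is how .sys and .systmd stayed out of sight.
list_hidden_entries() {
    root="$1"
    find "$root" -name '.*' ! -path "$root" -print 2>/dev/null | LC_ALL=C sort
}

# Print every regular file under $1 modified within the last $2 days, sorted.
# The mtime of dropped files gives a lower bound on when the box was compromised.
list_recent_files() {
    root="$1"
    days="$2"
    find "$root" -type f -mtime "-$days" -print 2>/dev/null | LC_ALL=C sort
}

# Print entries under $1 owned by the web server user ($2, www-data by default).
# Assumption: nothing under the FOG management directory should belong to that user,
# so any hit is worth a look.
list_owned_by() {
    root="$1"
    user="${2:-www-data}"
    find "$root" -user "$user" -print 2>/dev/null | LC_ALL=C sort
}

# Human-readable report: hidden entries with owner and mtime (ls -ld), recent files,
# and anything owned by the web server user.
triage_webroot() {
    root="${1:-/var/www/html/fog/management}"
    days="${2:-14}"
    echo "== hidden entries under $root =="
    list_hidden_entries "$root" | while IFS= read -r p; do ls -ld -- "$p"; done
    echo "== regular files modified in the last $days days =="
    list_recent_files "$root" "$days" | while IFS= read -r p; do ls -l -- "$p"; done
    echo "== entries owned by www-data =="
    list_owned_by "$root" www-data
}

# Only run the report when a web root is given on the command line, e.g.
#   sh triage.sh /var/www/html/fog/management 14
if [ "$#" -gt 0 ]; then
    triage_webroot "$@"
fi
```

The 14-day window matches the "1-2 weeks ago" spike reported in the thread; widen it if the mtimes turn out to be older, and compare the listed files against a clean checkout of the FOG release you run, since anything not in the release (lol.php, .sys, .systmd) is the material to preserve for analysis before cleaning.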
                            LLamaPie (Sep 11, 2024, 6:14 AM; last edited Sep 11, 2024, 12:14 PM)

                            @george1421 Yep, can do. I’ll keep you guys posted. So far it’s been fine since Sophos cleaned it.

                              LLamaPie (Sep 16, 2024, 12:37 PM)

                              @LLamaPie Everything has been clean now for about a week. I would consider this at least resolved on our end. Still no answer about when it became compromised exactly. Our hyper-paranoid theory is it may have been a “time bomb”. This could have been on the server for months before popping up. Our long-term solution is keeping endpoint protection in place. I have nothing else to add but if I discover anything I will let everyone know.

                              Copyright © 2012-2024 FOG Project