0

I use centos 8, mariadb 10.5, php 7.4

[screenshot: CPU usage graph]

As you can see, 16 threads are at 100%, stuck there. This is very unusual; normally my CPUs sit at a constant 10-25%.

Here is a top image: [screenshot: output of top]

What is going on here?

So it looks like I didn't fix it; it keeps coming back even after I disable Redis.

What is going on here?

# crontab -l
0 8 * * * root /usr/bin/php /var/www/html/wp-cron.php

and
> # ls -la /tmp
> total 3888
> drwxrwxrwt. 14 root  root     4096 Jan 28 21:51 .
> dr-xr-xr-x. 19 root  root     4096 Jan 20 16:35 ..
> drwxrwxrwt   2 root  root     4096 Jan 20 11:55 .font-unix
> drwxr-xr-x   2 redis redis    4096 Jan 28 21:47 .ICEd-unix
> drwxrwxrwt   2 root  root     4096 Jan 20 11:55 .ICE-unix
> -rwxr-xr-x   1 redis redis 3922304 Jan 28 21:47 kdevtmpfsi
> -rw-------   1 redis redis       0 Jan 28 18:00 linux.lock
> drwx------   3 root  root     4096 Jan 28 20:49 systemd-private-ccaba531523740f8a142a533d87ffd1b-chronyd.service-pfLMOx
> drwx------   3 root  root     4096 Jan 28 20:49 systemd-private-ccaba531523740f8a142a533d87ffd1b-httpd.service-ZsAdQu
> drwx------   3 root  root     4096 Jan 28 20:49 systemd-private-ccaba531523740f8a142a533d87ffd1b-memcached.service-xg2hBP
> drwx------   3 root  root     4096 Jan 28 20:49 systemd-private-ccaba531523740f8a142a533d87ffd1b-named.service-593azu
> drwx------   3 root  root     4096 Jan 28 20:49 systemd-private-ccaba531523740f8a142a533d87ffd1b-php-fpm.service-fM8F4O
> drwx------   3 root  root     4096 Jan 28 20:49 systemd-private-ccaba531523740f8a142a533d87ffd1b-postfix.service-Bf2p49
> drwxrwxrwt   2 root  root     4096 Jan 20 11:55 .Test-unix
> drwxrwxrwt   2 root  root     4096 Jan 20 11:55 .X11-unix
> drwxrwxrwt   2 root  root     4096 Jan 20 11:55 .XIM-unix

kdevtmpfsi: this is a miner or something, who knows. Using a simple hack he managed to get into the server through Redis and put his mining crap here, or who knows what it is.

How do I stop this from ever happening again?

Wed
  • 15
  • 9

3 Answers

1

That process is similar to a known crypto mining malware. Are you using Docker? Could you send the content of crontab -l and an ls -la /tmp?

0

Kill the Redis process and let it relaunch, because it has your CPU pegged at 100%. If you can, restart the machine.

software is fun
  • 306
  • 3
  • 6
  • 14
0

He got in via Redis.

Solution: use a strong password for Redis and turn protected-mode on.

How to get him out? kill -9 the pid, check /tmp and /var/tmp, delete his files and replace them with a file of the same name.

done

Wed
  • 15
  • 9
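The two checks the last answer recommends (harden the Redis configuration, then review the temp directories where kdevtmpfsi was found), written out as an added shell example that is not part of the question or of any answer above. Everything it inspects is constructed inline: a weak and a hardened redis.conf, and a sample temp directory holding an empty, harmless file that only carries the name seen in the listing. The helper names `audit_redis_conf`, `redis_directive` and `find_tmp_executables` are this example's own; the `requirepass` value is a labelled placeholder, not a real secret.

```shell
#!/bin/sh
# Added example; not code from the original thread.
#   audit_redis_conf FILE    - flags a redis.conf that lacks "protected-mode yes",
#                              lacks a long requirepass, or binds beyond loopback
#   find_tmp_executables DIR - lists executable regular files directly in a temp
#                              directory so they can be reviewed (kdevtmpfsi sat in /tmp)

# Effective value of a Redis directive: the last uncommented occurrence wins.
redis_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# Prints one line per finding; returns 0 only when no finding was raised.
audit_redis_conf() {
    conf="$1"
    findings=0
    if [ "$(redis_directive "$conf" protected-mode)" != "yes" ]; then
        echo "FINDING: protected-mode is not 'yes' in $conf"
        findings=$((findings + 1))
    fi
    pass="$(redis_directive "$conf" requirepass)"
    if [ -z "$pass" ]; then
        echo "FINDING: no requirepass set in $conf"
        findings=$((findings + 1))
    elif [ "${#pass}" -lt 16 ]; then
        echo "FINDING: requirepass shorter than 16 characters in $conf"
        findings=$((findings + 1))
    fi
    bind="$(redis_directive "$conf" bind)"
    case "$bind" in
        127.0.0.1*|::1*) ;;   # loopback only: fine
        *) echo "FINDING: bind is '$bind' (not loopback only) in $conf"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Executable regular files directly under DIR, one path per line, sorted.
find_tmp_executables() {
    find "$1" -maxdepth 1 -type f -perm -100 -print | sort
}

# --- constructed sample data (left in a mktemp directory for inspection) ---
SAMPLE_DIR="$(mktemp -d)"
WEAK_CONF="$SAMPLE_DIR/redis-weak.conf"
HARDENED_CONF="$SAMPLE_DIR/redis-hardened.conf"
FAKE_TMP="$SAMPLE_DIR/tmp"

# Constructed: an exposed configuration of the kind this thread is about.
cat > "$WEAK_CONF" <<'EOF'
bind 0.0.0.0
protected-mode no
port 6379
EOF

# Constructed: the settings the answer recommends.
cat > "$HARDENED_CONF" <<'EOF'
bind 127.0.0.1
protected-mode yes
port 6379
# PLACEHOLDER secret: generate a long random value for a real deployment
requirepass ChangeMe-ThisIsAPlaceholderSecret
EOF

# Constructed temp directory: an empty executable file carrying the name from
# the listing, plus a non-executable lock file that must not be reported.
mkdir -p "$FAKE_TMP"
: > "$FAKE_TMP/kdevtmpfsi";  chmod 755 "$FAKE_TMP/kdevtmpfsi"
: > "$FAKE_TMP/linux.lock";  chmod 600 "$FAKE_TMP/linux.lock"

echo "== weak config =="
audit_redis_conf "$WEAK_CONF" || echo "result: NOT hardened"
echo "== hardened config =="
audit_redis_conf "$HARDENED_CONF" && echo "result: hardened"
echo "== executable files in $FAKE_TMP =="
find_tmp_executables "$FAKE_TMP"
```

Run it as `sh audit.sh`; against a live host you would point `audit_redis_conf` at the real `/etc/redis.conf` and `find_tmp_executables` at `/tmp` and `/var/tmp`. Anything the second check lists that is owned by a service account such as `redis` deserves the same scrutiny the thread gave kdevtmpfsi.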