
I have been running a dedicated high-performance AMD server with Ubuntu 20.04 for a few months.

Suddenly tonight the CPU shot up to 100% until I killed the service "perfctl", which appeared at 2 am.

I am running Apparmor:

apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/mysqld (1124) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

What could have caused this and how can this be prevented in the future?

[screenshot: CPU load]

[screenshot: services running after killing the service]

merlin

2 Answers


The fact that the user is www is a bit suspect. Are you running AppArmor? Are you running a web service that is exposed to the public?

This looks to me like your server is compromised, and someone has used the www user to run a binary they've called perfctl to hide its identity.

You may want to read How do I deal with a compromised server?

shearn89
  • That doesn't sound good. After killing the service it came back a few hours later, two times. Same name of process. I updated WordPress and all plugins of it, as well as the system itself (Ubuntu 20.04.4). The user www is only running Apache with a WordPress page only. Plugins have been about 6 months behind with updates and the server about 4 weeks. I checked for logins with that user, none. However the "nologin" option was not set for it, which I now did, plus set a pw for it. I still hope that this is enough, setting up the server is a multi-day task. I am running AppArmor. Any other ideas? – merlin Mar 05 '22 at 18:25
  • Updating after the fact is not much use - whoever compromised your server probably still has access, and updating the system won't remove any installed malware. – shearn89 Mar 07 '22 at 08:37
  • Ok, understood. However only the user www is affected. Would it be of use to delete the user and all its files? From my understanding without root access the non-privileged user www can not touch any other parts of the system. – merlin Mar 07 '22 at 14:12
  • "without root access the non privileged user www can not touch any other parts of the system." - this assumes they didn't exploit the server whilst it was 6 months behind on patches... How you deal with this is up to your risk tolerance. I would be deleting the server and reprovisioning. – shearn89 Mar 07 '22 at 14:25
  • no the server was max 4 weeks behind patches. – merlin Mar 07 '22 at 14:39
  • "Plugins have been about 6 months behind with updates" – shearn89 Mar 07 '22 at 14:42
  • WordPress plugins, not Linux – merlin Mar 07 '22 at 14:43

I have encountered the same malware.

You can try to check all the cron job tasks to see whether any of them are suspicious.

  • check the cron job list for all users (the user name is quoted so unusual account names are handled correctly)
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done

I found the malware with the above command; then you should remove it.

www
11 * * * * /home/www/.config/cron/perfcc
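The cron sweep above and the earlier point about a stray binary running as www both come down to the same question: is an executable living somewhere a legitimate service never does? The script below is an added example, not code from either answer. It wraps the per-user crontab loop in a filter that flags entries whose command path sits in a dot-directory or in a world-writable scratch directory, and adds a process check for the same paths (plus binaries deleted from disk after start). The path patterns, the function names and the two-line sample crontab are assumptions made for this demo; the `/home/www/.config/cron/perfcc` line is the entry quoted in the answer.

```shell
#!/bin/sh
# Added example (not from the answers above): flag cron entries and running
# processes whose executable lives where a legitimate service rarely does.
# The patterns below are an assumption for this demo, not a complete list.

# is_suspicious_path PATH -> status 0 if PATH matches one of the patterns
is_suspicious_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;   # world-writable scratch dirs
        */.[!/.]*)                    return 0 ;;   # a path component starting with "."
        *)                            return 1 ;;
    esac
}

# flag_suspicious_cron USER reads crontab lines on stdin and prints every
# entry whose command path is suspicious, prefixed with USER.
flag_suspicious_cron() {
    user="$1"
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value lines
        esac
        # "@reboot cmd" style entries carry the command in field 2,
        # the usual five-field schedule carries it in field 6.
        case "$line" in
            @*) cmd=$(printf '%s\n' "$line" | awk '{print $2}') ;;
            *)  cmd=$(printf '%s\n' "$line" | awk '{print $6}') ;;
        esac
        if is_suspicious_path "$cmd"; then
            printf '%s: %s\n' "$user" "$line"
        fi
    done
}

# audit_all_crontabs runs the filter over every account in /etc/passwd.
# Needs root to read other users' crontabs; "no crontab for X" is silenced.
audit_all_crontabs() {
    for user in $(cut -f1 -d: /etc/passwd); do
        crontab -u "$user" -l 2>/dev/null | flag_suspicious_cron "$user"
    done
}

# audit_processes_of USER lists USER's processes whose executable resolves to
# a suspicious path or has been deleted from disk (readlink on /proc/PID/exe
# appends " (deleted)" in that case).
audit_processes_of() {
    for pid in $(pgrep -u "$1"); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        case "$exe" in
            *' (deleted)') printf '%s pid %s: deleted binary %s\n' "$1" "$pid" "$exe" ;;
            *) is_suspicious_path "$exe" && printf '%s pid %s: %s\n' "$1" "$pid" "$exe" ;;
        esac
    done
}

# Constructed sample crontab: the first line is the entry from the answer
# above, the second is a benign entry that must not be flagged.
SAMPLE_CRON='11 * * * * /home/www/.config/cron/perfcc
0 3 * * * /usr/bin/certbot renew'

if [ "${1:-}" = "--audit" ]; then
    audit_all_crontabs          # live sweep of every user's crontab
    audit_processes_of www      # live sweep of the web server account
else
    printf '%s\n' "$SAMPLE_CRON" | flag_suspicious_cron www   # offline self-check
fi
```

Run it as `sh audit.sh --audit` as root to sweep the real system; without the flag it only runs the self-check on the constructed sample. A flagged entry is a lead, not a verdict: confirm the path, the file's owner and timestamps, and what the binary does before removing it, and remember the point made in the first answer that removing one cron entry does not undo whatever access was used to plant it.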