
Cron consistently maxing out cpu under user sabnzbd

Posted: October 28th, 2019, 1:43 pm
by regder
Trying to figure out what's going on here. Just noticed it, but it couldn't have been happening for more than a couple of weeks. This is on Ubuntu server.

Sabnzbd isn't doing anything active, and killing the Sabnzbd process doesn't stop the cron process. Killing the pid stops it, but the high CPU returns about a minute after reboot. If I don't do anything, cron will stay there pegged at 400% CPU usage.

Appreciate any help.

Code:

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 1881 sabnzbd   20   0   76344   8408    752 S 399.7   0.1  20:46.45 cron

Code:

sudo lsof -p 1881
COMMAND  PID    USER   FD      TYPE DEVICE SIZE/OFF    NODE NAME
cron    1881 sabnzbd  cwd       DIR    8,2     4096       2 /
cron    1881 sabnzbd  rtd       DIR    8,2     4096       2 /
cron    1881 sabnzbd  txt       REG    8,2  1666120 3017154 /home/sabnzbd/.nullcache/a/cron
cron    1881 sabnzbd    0r      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd    1w      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd    2w      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd    3u  a_inode   0,13        0   11923 [eventpoll]
cron    1881 sabnzbd    4r     FIFO   0,12      0t0   40001 pipe
cron    1881 sabnzbd    5w     FIFO   0,12      0t0   40001 pipe
cron    1881 sabnzbd    6r     FIFO   0,12      0t0   28598 pipe
cron    1881 sabnzbd    7w     FIFO   0,12      0t0   28598 pipe
cron    1881 sabnzbd    8u  a_inode   0,13        0   11923 [eventfd]
cron    1881 sabnzbd    9r      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd   10u     sock    0,9      0t0   40680 protocol: TCP
cron    1881 sabnzbd   11u     sock    0,9      0t0   44157 protocol: TCP

Code:

ps -u sabnzbd
  PID TTY          TIME CMD
  948 ?        00:00:14 mono
 1510 ?        00:00:04 sabnzbdplus
 1600 ?        00:00:00 rsync
 1881 ?        01:41:57 cron

Re: Cron consistently maxing out cpu under user sabnzbd

Posted: October 28th, 2019, 5:02 pm
by regder
Looks like I have me a virus. Below was in the cron file for user sabnzbd. Running ClamAV found Multios.Coinminer.Miner-6781728-2.

Code:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Thu Oct 24 10:34:35 2019)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 */3 * * /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1
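The two indicators in the posts above (a process that calls itself `cron` while lsof's `txt` row maps `/home/sabnzbd/.nullcache/a/cron`, and a user crontab that launches hidden-directory paths at `@reboot` and from `/tmp`) can be checked mechanically. The script below is an added example, not code from the forum posts or from SABnzbd. `EXPECTED_EXE`, `SCRATCH_DIRS` and the path rules are Debian/Ubuntu assumptions chosen for illustration, and the embedded sample crontab is the one posted above.

```python
#!/usr/bin/env python3
"""Flag a process whose name matches a system daemon but whose executable is
staged under a hidden or home-directory path, and user-crontab jobs that
launch such paths (especially at @reboot).

Added example, not from the forum thread or SABnzbd. EXPECTED_EXE,
SCRATCH_DIRS and the path rules are Debian/Ubuntu assumptions."""
import os
import re
from pathlib import PurePosixPath

# Where the genuine binary lives on Debian/Ubuntu for names worth masquerading as (assumption).
EXPECTED_EXE = {
    "cron": {"/usr/sbin/cron"},
    "rsync": {"/usr/bin/rsync"},
    "sshd": {"/usr/sbin/sshd"},
}
# Locations any local user can write to; payloads are commonly staged there.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# The crontab regder posted above, embedded here as sample input.
SAMPLE_CRONTAB = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
0 0 */3 * * /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1
"""


def path_findings(path):
    """Reasons a program path looks staged by an attacker rather than installed by a package."""
    reasons = []
    parts = [p for p in PurePosixPath(path).parts if p != "/"]
    if any(p.startswith(".") for p in parts):
        reasons.append("hidden directory or file in path")
    if any(path == d or path.startswith(d + "/") for d in SCRATCH_DIRS):
        reasons.append("runs from a world-writable scratch directory")
    if path.startswith(("/home/", "/root/")):
        reasons.append("runs from a home directory")
    return reasons


def split_job(line):
    """(schedule, command) for a user-crontab job line; None for blanks, comments and VAR=value."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^\w+\s*=", s):
        return None
    if s.startswith("@"):                      # @reboot, @daily, ...
        fields = s.split(None, 1)
        return fields[0], (fields[1] if len(fields) == 2 else "")
    fields = s.split(None, 5)                  # five time fields, then the command
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None


def check_crontab(text):
    """[(job_line, [reasons])] for every job in a user crontab that trips a rule."""
    findings = []
    for line in text.splitlines():
        job = split_job(line)
        if job is None:
            continue
        schedule, cmd = job
        reasons = ["@reboot persistence"] if schedule == "@reboot" else []
        # The program is the first token before whitespace or a shell operator
        # (the posted jobs glue ">/dev/null" straight onto the path).
        prog = re.split(r"[\s>|;&]", cmd, maxsplit=1)[0]
        reasons += path_findings(prog)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def check_process(comm, exe_path):
    """Reasons a running process looks like a masquerade.

    comm is the name ps/top print; exe_path is what `readlink /proc/PID/exe`
    (or the lsof `txt` row) reports as the mapped executable."""
    reasons = path_findings(exe_path)
    expected = EXPECTED_EXE.get(comm)
    if expected and exe_path not in expected:
        reasons.append(f"'{comm}' runs from {exe_path}, expected {sorted(expected)}")
    return reasons


def scan_proc():
    """Apply check_process to every process on this host (root is needed to read other users' exe links)."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe").replace(" (deleted)", "")
        except OSError:
            continue                           # exited, kernel thread, or no permission
        reasons = check_process(comm, exe)
        if reasons:
            hits.append((int(pid), comm, exe, reasons))
    return hits


if __name__ == "__main__":
    import sys
    for job, why in check_crontab(SAMPLE_CRONTAB):
        print(f"CRON  {job}\n      -> {'; '.join(why)}")
    for why in check_process("cron", "/home/sabnzbd/.nullcache/a/cron"):
        print(f"PROC  cron -> {why}")
    if "--live" in sys.argv:                   # same checks against the real host
        for pid, comm, exe, why in scan_proc():
            print(f"PROC  pid {pid} {comm} ({exe}) -> {'; '.join(why)}")
        spool = "/var/spool/cron/crontabs"     # Debian/Ubuntu user crontab spool
        for user in os.listdir(spool):
            with open(os.path.join(spool, user)) as fh:
                for job, why in check_crontab(fh.read()):
                    print(f"CRON  {user}: {job} -> {'; '.join(why)}")
```

Run without arguments it reports on the posted data; `sudo python3 cronscan.py --live` runs the same checks over `/proc` and every user crontab in the spool. Because two of the jobs are `@reboot` entries, killing PID 1881 alone just schedules the miner's return: clear the crontab (`crontab -r -u sabnzbd`) and remove the `.nullcache` and `/tmp/.X17-unix` trees before the next reboot. The `rsync` process shown under the same user in `ps -u sabnzbd` deserves the same `/proc/PID/exe` check, since the crontab references a `.rsync` directory.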

Re: Cron consistently maxing out cpu under user sabnzbd

Posted: October 28th, 2019, 5:31 pm
by sander
regder wrote: October 28th, 2019, 5:02 pm Looks like I have me a virus. Below was in the cron file for user sabnzbd. Running ClamAV found Multios.Coinminer.Miner-6781728-2.

Ah ... "congrats" ... 8)

See https://blog.sucuri.net/2019/10/cryptom ... ugins.html

Re: Cron consistently maxing out cpu under user sabnzbd

Posted: October 28th, 2019, 5:50 pm
by regder
sander wrote: October 28th, 2019, 5:31 pm Ah ... "congrats" ... 8)

See https://blog.sucuri.net/2019/10/cryptom ... ugins.html
lol, thanks...

From what I have found, it looks like it was a brute-force attack that gained access through the sabnzbd user. I have since changed the sabnzbd user's password and locked down which users can SSH into my server.

Hope that's going to be enough.