Score:1

100% CPU load caused by service "perfctl"

in flag

I have been running a dedicated high-performance AMD server with Ubuntu 20.04 for a few months.

Suddenly tonight the CPU shot up to 100%, until I killed the service "perfctl", which appeared at 2 am.

I am running Apparmor:

apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /{,usr/}sbin/dhclient
   lsb_release
   nvidia_modprobe
   nvidia_modprobe//kmod
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/mysqld (1124) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

What could have caused this and how can this be prevented in the future?

[screenshot: CPU load]

[screenshot: services running after killing the service]

Score:1
cn flag

The fact that the user is www is a bit suspect. Are you running AppArmor? Are you running a web service that is exposed to the public?

This looks to me like your server is compromised, and someone has used the www user to run a binary they've called perfctl to hide its identity.

You may want to read How do I deal with a compromised server?

merlin avatar
in flag
That doesn't sound good. After killing the service it came back a few hours later, two times, with the same process name. I updated WordPress and all of its plugins, as well as the system itself (Ubuntu 20.04.4). The user www is only running Apache with a WordPress page. The plugins had been about 6 months behind on updates and the server about 4 weeks. I checked for logins with that user; none. However, the "nologin" option was not set for it, which I have now done, plus set a password for it. I still hope that this is enough; setting up the server is a multi-day task. I am running AppArmor. Any other ideas?
cn flag
Updating after the fact is not much use - whoever compromised your server probably still has access, and updating the system won't remove any installed malware.
merlin avatar
in flag
OK, understood. However, only the user www is affected. Would it be of use to delete the user and all its files? From my understanding, without root access the non-privileged user www cannot touch any other parts of the system.
cn flag
"without root access the non privileged user www can not touch any other parts of the system." - this assumes they didn't exploit the server whilst it was 6 months behind on patches... How you deal with this is up to your risk tolerance. I would be deleting the server and reprovisioning.
merlin avatar
in flag
No, the server was at most 4 weeks behind on patches.
cn flag
"Plugins have been about 6 months behind with updates"
merlin avatar
in flag
WordPress plugins, not Linux.
Score:0
us flag

I have encountered the same malware.

You can check all cron job entries, for every user, for anything suspicious.

  • list the crontab of every user:
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done

I found the malware with the above command; the entry should then be removed.

www
11 * * * * /home/www/.config/cron/perfcc
cn flag
You can never be too sure with malware - if you've been using any kind of automated provisioning for your server, then I would strongly advise destroying the instance and rebuilding, or wiping and reinstalling if bare metal. If you're not using automated provisioning/infrastructure as code - now's the time!
John Greene avatar
cn flag
And check `/etc/rc.local` for any changes that might be trying to keep the malware alive after reboot.
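The per-user crontab sweep in the answer above and the `/etc/rc.local` check in the comment, combined into one POSIX sh script. This is an added example, not code from the thread; the regexes for "hidden dot-directory" and "scratch directory" are my assumptions, and the sample input is constructed.

```sh
#!/bin/sh
# Added example, not code from the original thread. It checks the two
# persistence spots the answers point at: per-user crontabs and
# /etc/rc.local. Sample input below is constructed; "--live" scans the host.

# Print crontab lines whose command runs from a hidden dot-directory (as in
# /home/www/.config/cron/perfcc) or from a scratch directory such as /tmp.
# Comments, blank lines and VAR=value lines are skipped. Reads stdin;
# exit status 1 means nothing was flagged (plain grep semantics).
flag_cron_lines() {
    grep -v -E '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' \
    | grep -E '/\.[A-Za-z0-9_-]|(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

# Print the effective lines of an rc.local script: comments, blanks, the
# shebang and the customary trailing "exit 0" are dropped, so anything
# that was appended to the file stands out. Reads stdin.
rc_local_lines() {
    grep -v -E '^[[:space:]]*(#|$)' \
    | grep -v -E '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$'
}

# Enumerate every account in /etc/passwd the way the answer above does,
# flag each user's crontab and prefix hits with the owner. Needs root.
scan_user_crontabs() {
    cut -f1 -d: /etc/passwd | while read -r user; do
        crontab -u "$user" -l 2>/dev/null | flag_cron_lines | sed "s|^|$user: |"
    done
}

# System-wide cron files, which "crontab -l" per user never shows.
scan_system_cron() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_lines
}

if [ "${1:-}" = "--live" ]; then
    scan_user_crontabs
    scan_system_cron
    [ -f /etc/rc.local ] && rc_local_lines < /etc/rc.local
else
    # Constructed sample: one benign job, one mimicking the thread's finding.
    printf '%s\n' 'MAILTO=root' '0 3 * * * /usr/bin/certbot renew' \
        '11 * * * * /home/www/.config/cron/perfcc' | flag_cron_lines
    printf '%s\n' '#!/bin/sh' '/home/www/.config/cron/perfcc &' 'exit 0' | rc_local_lines
fi
```

Run it as root with `--live` on a suspect host; anything it prints is a lead to review, not proof of compromise, since legitimate jobs in hidden directories will also be listed.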