A crypto-mining process keeps appearing on server


Solution 1

Redis has a well-known remote code execution vulnerability if you do not enable authentication.

This article has more information on your exact issue.

https://www.trendmicro.com/en_gb/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html
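As an added check (not part of this answer or of Redis itself), the script below reads a `redis.conf` and flags the three settings that together leave Redis reachable and unauthenticated, which is the condition the linked article describes: a `bind` on all interfaces, `protected-mode` off, and no `requirepass`. It assumes Redis 6+ ACL users are not in use and runs against a constructed sample file.

```shell
#!/bin/sh
# Added audit helper (not from the answer above): reads a redis.conf and reports
# settings that leave Redis exposed and unauthenticated. Exit status 0 means no
# findings, 1 means at least one finding (each is printed to stdout).
# Assumption: no ACL users (aclfile / user directives) are configured.
audit_redis_conf() {
    conf="$1"
    findings=0
    # Redis treats the last uncommented occurrence of a directive as effective.
    bind=$(grep -E '^[[:space:]]*bind[[:space:]]' "$conf" | tail -n 1 \
           | sed -E 's/^[[:space:]]*bind[[:space:]]+//')
    pmode=$(grep -E '^[[:space:]]*protected-mode[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    pass=$(grep -E '^[[:space:]]*requirepass[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')

    case " $bind " in
        "  ") echo "bind: unset, Redis listens on every interface"; findings=$((findings + 1)) ;;
        *" 0.0.0.0 "*|*" * "*|*" :: "*)
              echo "bind: listens on every interface ($bind)"; findings=$((findings + 1)) ;;
    esac
    # protected-mode defaults to yes when absent; only an explicit "no" is a finding.
    if [ "$pmode" = "no" ]; then
        echo "protected-mode: disabled, unauthenticated remote clients are accepted"
        findings=$((findings + 1))
    fi
    if [ -z "$pass" ]; then
        echo "requirepass: not set, any client that reaches 6379/tcp can run any command"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample (not a real server's file): the shape of a default install
# that has been opened to the Internet, like the ufw rule in the question.
sample=$(mktemp)
printf 'bind 0.0.0.0\nprotected-mode no\n# requirepass foobared\n' > "$sample"
if audit_redis_conf "$sample"; then
    echo "OK: configuration does not expose Redis"
else
    echo "FAIL: restrict bind or the firewall and set requirepass before allowing 6379/tcp"
fi
rm -f "$sample"
```

Run it as `audit_redis_conf /etc/redis/redis.conf` on the server; a clean result still assumes the firewall only allows 6379/tcp from the hosts that need it rather than from Anywhere.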

Solution 2

The really good question is: What did you install?

There is a good chance you installed an application infected with or vulnerable to this cryptomining software. This can also be in Docker images.

So uninstall everything (or, even better, reinstall from a blank image), and monitor your server while installing stuff. You should see a huge CPU spike when you install the infected cryptomining software.

EDIT: If you installed an older and vulnerable version of ElasticSearch (or an unofficial Docker image), the answer is pretty obvious: install the latest, official, security-patched version.

EDIT 2: TheHermit has the correct answer here, as it is the redis process that hosts the cryptomining exploit.


Author: Simple Fellow

Updated on September 18, 2022

Comments

  • Simple Fellow (almost 2 years)

    I recently started using a remote Ubuntu server as a development and testing machine. However, the hosting provider reported that a crypto-mining process was running and he had to shut down the server.

    There were no logs or any data that could identify that process or anything that could help figure out what happened. Then it happened again, but this time they captured this:

    PID    USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND  
    246369 redis     20   0   13928  11444    908 S 746.7   0.2  62801:13 /tmp/kmv --pool pool.hashvault.pro:80 --username TRTLv2TW8sjC5LmSpiDdRZ2ndnEwPRpJ9Lgz3vgGY2CTSLkLeKAUFMefEeT6idQBxzSLsXfAvAqfhH5zkxMM3sHu2RL8xh1n5Pg --password x --algorithm chukwa_v2
    

    The only port that is open is the Redis port, 6379.

    admin@nicotine2:~$ sudo ufw status
    Status: active
    
    To                 Action      From
    --                 ------      ----
    22                 ALLOW       Anywhere
    9200               DENY        Anywhere
    6379/tcp           ALLOW       Anywhere
    22 (v6)            ALLOW       Anywhere (v6)
    9200 (v6)          DENY        Anywhere (v6)
    6379/tcp (v6)      ALLOW       Anywhere (v6)
    

    When I checked, there was no /tmp/kmv folder anywhere to be found. This has happened for the second time.

    Any clues, recommendations or suggestions to avoid this?

  • Simple Fellow (almost 3 years)
    Elasticsearch and Redis. Redis was installed from the Ubuntu repository with the apt-get command.
  • Artur Meinild (almost 3 years)
    And what about Elastic? There was an earlier vulnerability where Elastic was targeted by a crypto mining bot, and pool.hashvault.pro is a Monero mining pool, so maybe there is a connection?
  • Artur Meinild (almost 3 years)
    From the screenshot, you are of course correct - it's Redis that has been exploited and is consuming all CPU.
  • Simple Fellow (almost 3 years)
    I don't know; as you can see, port 9200 was already blocked earlier. But the question is how to avoid this in future.
  • gronostaj (almost 3 years)
    Running any non-public service on the Internet without authentication is a bad idea.
  • user253751 (almost 3 years)
    @gronostaj tell that to all the unsecured HTTPS servers. They just let anyone fetch pages without a login! Even Ask Ubuntu is vulnerable.
  • gronostaj (almost 3 years)
    @user253751 Hence "non-public" in my comment.