Sunday, February 20, 2022

[SOLVED] vmlinuz process runs on 100% CPU

Issue

I'm running a Jira and a Confluence instance (and an nginx reverse proxy) on a VPS. Currently, I can't start Confluence for some reason, and I think this is a consequence of something else.

I've checked the process list:


The confluence user is running the /boot/vmlinuz process, and it eats the CPU. If I kill -9 this process, it starts again a few seconds later.

After rebooting the VPS:

  1. Confluence and Jira started automatically.
  2. Confluence runs correctly for a few seconds, then something kills the process. The Jira process is still running.
  3. The /boot/vmlinuz process starts.

I've removed Confluence from the automatic start, but it doesn't matter.

So my questions:

  • What is this /boot/vmlinuz process? I never saw this. (Yes I know, the vmlinuz is the kernel)
  • Why is it starting over and over again and running at 100% CPU?
  • What should I do to get back to the normal behavior, and can I start Confluence?

Thanks for any answer

UPDATE

It was caused by a hack. If you find a /tmp/seasame file, your server is infected. It uses cron to download this file. I've removed the files in the /tmp folder, killed all the processes, disabled cron for the confluence user, and updated Confluence.


Solution

Your server looks like it has been hacked. Please take a close look at the process list, e.g. run ps auxc and look at the process binary sources.

You can use tools like rkhunter to scan your server, but in general you should first kill everything that has been launched as the confluence user, scan your server/account, upgrade your Confluence (in most cases the user determines the source of the attack), and look in your Confluence for additional accounts etc.

If you would like to see what is in that process, take a look at /proc, e.g. ls -la /proc/996. You will see the source binary there too. You can also launch strace -ff -p 996 to see what the process is doing, or cat /proc/996/exe | strings to see what strings that binary has. This is probably some kind of botnet component, miner, etc.



Answered By - Mariusz Dalewski
Answer Checked By - Marie Seifert (WPSolving Admin)
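The triage the answer describes, written out as a small POSIX shell script. This is an added example, not code from the original question, the answer, or Atlassian: the ps sample table is constructed to mirror the reported symptom, the username confluence and the PID 996 are taken from the post, the indicator /tmp/seasame is the one the poster reported, and every other path and name is an assumption for illustration. It flags non-root processes named after the kernel image or kernel threads, resolves what a PID is really executing through /proc (where the exe link keeps working even after the dropper unlinks the file), and checks the persistence points the poster found.

```shell
#!/bin/sh
# Triage helper for a host where a service account runs a process named like
# the kernel image and it keeps respawning. Added example, not from the post.

# Constructed sample in `ps -eo user,pid,pcpu,comm` layout, modelled on the
# symptom in the question (a non-root "vmlinuz" entry at ~100% CPU).
SAMPLE_PS='USER       PID %CPU COMMAND
root         1  0.0 systemd
root         2  0.0 kthreadd
confluence 996 99.7 vmlinuz
confluence 1012 0.3 java
jira       1100 1.2 java
www-data   1200 0.0 nginx'

# Print "user pid comm" for entries whose command name imitates the kernel or
# a kernel thread but is owned by a non-root account. Real kernel threads are
# root-owned and vmlinuz is never a userland process, so any hit is a masquerade.
flag_masquerades() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $1 != "root" && $4 ~ /^(vmlinuz|kthreadd|kworker|ksoftirqd)/ {
            print $1, $2, $4
        }'
}

# Number of flagged entries, handy for scripting the check.
count_masquerades() {
    flag_masquerades "$1" | wc -l | tr -d ' '
}

# Resolve what a PID is actually running: the binary behind /proc/PID/exe,
# its working directory and its argv. Inspecting another user's process
# needs root; the PID (996 in the post) is whatever ps reported.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no /proc/$pid"; return 1; }
    printf 'exe: %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    printf 'cmd: '; tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null; echo
    return 0
}

# "deleted" when the executable was unlinked after launch (a common dropper
# pattern: the binary lives on only through the exe link), "live" otherwise.
exe_status() {
    case "$(readlink "/proc/$1/exe" 2>/dev/null)" in
        *' (deleted)') echo deleted ;;
        '')            echo unknown ;;
        *)             echo live ;;
    esac
}

# Persistence points the poster identified: the service account's crontab and
# the file dropped under /tmp. Reading another user's crontab requires root.
check_persistence() {
    user=$1
    echo "== crontab for $user =="
    crontab -l -u "$user" 2>/dev/null || echo "(none or not permitted)"
    echo "== indicator reported in the post =="
    if [ -e /tmp/seasame ]; then echo "/tmp/seasame present"; else echo "/tmp/seasame absent"; fi
}

# Stand-alone run: the constructed sample, then the current shell as a known
# benign process so the /proc output can be compared against a suspect PID.
echo "== masquerading processes in sample =="
flag_masquerades "$SAMPLE_PS"
inspect_pid $$
echo "exe status of this shell: $(exe_status $$)"
check_persistence confluence
```

Run it as root on the affected host and replace the sample table with the live `ps -eo user,pid,pcpu,comm` output; a hit from flag_masquerades combined with an exe link ending in "(deleted)" is the pattern the answer is pointing at, and the binary can still be captured for strings or analysis by copying /proc/PID/exe before the process is killed. Kill the process only after the cron entry and the dropped file are removed, otherwise it respawns exactly as the poster observed.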