this post was submitted on 04 Oct 2024

144 points (95.0% liked)

Linux

47591 readers

1235 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

144

Thousands of Linux systems infected by "perfctl" malware since 2021 (arstechnica.com)

submitted 3 days ago by [email protected] to c/[email protected]

15 comments fedilink hide all child comments

TLDR: perfctl is a crypto mining and proxy jacking malware that exploits about 20’000 common missconfigurations to install itself on Linux servers. Mostly using a 10/10 CVE on Apache RocketMQ.

It is very persistent and can reinstall itself even when you have deleted all the perfctl and perfcc files. It hides itself by removing logs, network packets, and stopping all activity once you login to the machine.

Monitoring cpu usage using tools (I use net data on my server) can help identify infections (100% cpu usage when « idle »).

all 17 comments

sorted by: hot top controversial new old

[–] [email protected] 1 points 3 hours ago* (last edited 3 hours ago)

I will never understand people using 3rdparty MQ and RPC implementations. What a a PR for rocketMQ right here.

You can and you should implement your communication protocols, most of the time 3rdparties are very wasteful and a security liability. I like ZeroMQ (https://zeromq.org/), they have amazing tech guides (https://zguide.zeromq.org/). I still mostly do my own code.

I may have trust issues but sockets are not THAT hard, they're just amzaingly frustrating to debug, not as much as debuging 3rdparty code.

[–] [email protected] 13 points 1 day ago (2 children)

The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

So, is it a fairly decent antivirus mixed in with all the malware?

[–] [email protected] 1 points 15 hours ago

Sounds like Windows Defender

[–] [email protected] 7 points 1 day ago (1 children)

There can only be one.

[–] [email protected] 1 points 1 day ago

There can only be... NONE!

[–] [email protected] 2 points 1 day ago (1 children)

Surely y'all have monitoring and alerts for excessive cpu load already?

[–] [email protected] 2 points 1 day ago

On my own server at home, yes. Because that’s important for me to know what’s going on and not discover something by chance weeks later.

[–] NeoNachtwaechter 53 points 3 days ago (2 children)

However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds

OK so you just need to stay logged in - Solved :)

[–] [email protected] 14 points 3 days ago (1 children)

tmux and a <ctrl>-<b><d> - done!

[–] [email protected] 13 points 2 days ago (1 children)

....Me avoiding responsibilities....

[–] [email protected] 27 points 2 days ago

//TODO: remove perfctl

There, that should fix it.

[–] [email protected] 5 points 2 days ago

You say that, but I always leave screen sessions open

[–] [email protected] 3 points 2 days ago* (last edited 2 days ago)

Maybe not related but I had an issie with wireplumber where it would suddenly take up any free CPU resources and use them up, jacking up my cpu usage up to crazy high numbers, often to 100% at times where the expected cpu usage would be at 20% at most.

I haven't experienced this in the last week or so, so maybe it was fixed in an update? I'm on Fedora, btw. I just wanted to share, so I can find out if anyone else had the same issue.