Thousands of Linux systems infected by "perfctl" malware since 2021 (arstechnica.com)
from SuperFola@programming.dev to linux@lemmy.ml on 04 Oct 2024 09:32
https://programming.dev/post/20187879

TLDR: perfctl is a crypto mining and proxy jacking malware that exploits about 20’000 common missconfigurations to install itself on Linux servers. Mostly using a 10/10 CVE on Apache RocketMQ.

It is very persistent and can reinstall itself even when you have deleted all the perfctl and perfcc files. It hides itself by removing logs, network packets, and stopping all activity once you login to the machine.

Monitoring cpu usage using tools (I use net data on my server) can help identify infections (100% cpu usage when « idle »).

#linux

threaded - newest

NeoNachtwaechter@lemmy.world on 04 Oct 2024 10:49 next collapse

However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds

OK so you just need to stay logged in - Solved :)

pezhore@lemmy.ml on 04 Oct 2024 12:17 next collapse

tmux and a <ctrl>-<b><d> - done!

TDCN@feddit.dk on 04 Oct 2024 15:29 collapse

…Me avoiding responsibilities…

Enkers@sh.itjust.works on 04 Oct 2024 15:50 collapse 

//TODO: remove perfctl

There, that should fix it.

delirious_owl@discuss.online on 04 Oct 2024 16:09 collapse

You say that, but I always leave screen sessions open

Cysioland@lemmygrad.ml on 04 Oct 2024 20:51 next collapse

Honestly, if true, it’s so insidious

theshatterstone54@feddit.uk on 05 Oct 2024 08:05 next collapse

Maybe not related but I had an issie with wireplumber where it would suddenly take up any free CPU resources and use them up, jacking up my cpu usage up to crazy high numbers, often to 100% at times where the expected cpu usage would be at 20% at most.

I haven’t experienced this in the last week or so, so maybe it was fixed in an update? I’m on Fedora, btw. I just wanted to share, so I can find out if anyone else had the same issue.

[deleted] on 05 Oct 2024 08:29 next collapse

.

LeLachs@lemmy.ml on 05 Oct 2024 08:55 collapse

Sounds pretty scary to me. The thing has full control over your computer (if infected) and is nearly undetectable.

[deleted] on 05 Oct 2024 08:59 collapse

.

Jimmycrackcrack@lemmy.ml on 06 Oct 2024 04:38 next collapse

The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

So, is it a fairly decent antivirus mixed in with all the malware?

JustMarkov@lemmy.ml on 06 Oct 2024 04:44 next collapse

There can only be one.

Sarcasmo220@lemmy.ml on 06 Oct 2024 05:01 collapse

There can only be… NONE!

0oWow@lemm.ee on 06 Oct 2024 20:56 collapse

Sounds like Windows Defender

digdilem@lemmy.ml on 06 Oct 2024 09:37 next collapse

Surely y’all have monitoring and alerts for excessive cpu load already?

SuperFola@programming.dev on 06 Oct 2024 09:49 collapse

On my own server at home, yes. Because that’s important for me to know what’s going on and not discover something by chance weeks later.

Kajika@lemmy.ml on 07 Oct 2024 08:29 collapse

I will never understand people using 3rdparty MQ and RPC implementations. What a a PR for rocketMQ right here.

You can and you should implement your communication protocols, most of the time 3rdparties are very wasteful and a security liability. I like ZeroMQ (zeromq.org), they have amazing tech guides (zguide.zeromq.org). I still mostly do my own code.

I may have trust issues but sockets are not THAT hard, they’re just amzaingly frustrating to debug, not as much as debuging 3rdparty code.