Cron consistently maxing out cpu under user sabnzbd

regder
Newbie
Posts: 11
Joined: December 9th, 2018, 3:09 pm

Cron consistently maxing out cpu under user sabnzbd

Post by regder »

Trying to figure out what's going on here. Just noticed it, but couldn't have been happening for more than a couple weeks. This is on Ubuntu server.

Sabnzbd isn't doing anything active, killing the Sabnzbd process doesn't stop the cron process. Killing the pid stops it, but the high cpu returns about a minute after reboot. If I don't do anything, cron will stay there pegged at 400% cpu usage.

Appreciate any help

Code:

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 1881 sabnzbd   20   0   76344   8408    752 S 399.7   0.1  20:46.45 cron

Code:

sudo lsof -p 1881
COMMAND  PID    USER   FD      TYPE DEVICE SIZE/OFF    NODE NAME
cron    1881 sabnzbd  cwd       DIR    8,2     4096       2 /
cron    1881 sabnzbd  rtd       DIR    8,2     4096       2 /
cron    1881 sabnzbd  txt       REG    8,2  1666120 3017154 /home/sabnzbd/.nullcache/a/cron
cron    1881 sabnzbd    0r      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd    1w      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd    2w      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd    3u  a_inode   0,13        0   11923 [eventpoll]
cron    1881 sabnzbd    4r     FIFO   0,12      0t0   40001 pipe
cron    1881 sabnzbd    5w     FIFO   0,12      0t0   40001 pipe
cron    1881 sabnzbd    6r     FIFO   0,12      0t0   28598 pipe
cron    1881 sabnzbd    7w     FIFO   0,12      0t0   28598 pipe
cron    1881 sabnzbd    8u  a_inode   0,13        0   11923 [eventfd]
cron    1881 sabnzbd    9r      CHR    1,3      0t0       6 /dev/null
cron    1881 sabnzbd   10u     sock    0,9      0t0   40680 protocol: TCP
cron    1881 sabnzbd   11u     sock    0,9      0t0   44157 protocol: TCP

Code:

ps -u sabnzbd
  PID TTY          TIME CMD
  948 ?        00:00:14 mono
 1510 ?        00:00:04 sabnzbdplus
 1600 ?        00:00:00 rsync
 1881 ?        01:41:57 cron

Re: Cron consistently maxing out cpu under user sabnzbd

Post by regder »

Looks like I have me a virus. Below was in the cron file for user sabnzbd. Running clamav found Multios.Coinminer.Miner-6781728-2

Code:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Thu Oct 24 10:34:35 2019)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 */3 * * /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1
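
A triage check for the kind of crontab shown in the post above, as an added example that is not part of the original thread: it flags entries that run anything from a hidden directory or a temp location. The function names, the `MAILTO` line and the rsync job in the sample are constructed; the check is a heuristic, so a legitimate job kept under a dot-directory is flagged too.

```shell
#!/bin/sh
# Added example: flag crontab entries that execute from a hidden directory
# or from a world-writable temp location. Reads crontab text on stdin and
# prints "<reason>: <original line>" for each suspicious entry.
flag_suspicious_cron() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }    # VAR=value settings
    {
        # Command starts after "@reboot"-style keyword or 5 schedule fields.
        first = ($1 ~ /^@/) ? 2 : 6
        for (i = first; i <= NF; i++) {
            tok = $i
            sub(/[<>|;&].*$/, "", tok)   # drop redirection glued to the path
            reason = ""
            if (tok ~ "^/(tmp|var/tmp|dev/shm)/") reason = "temp-dir"
            else if (tok ~ "/[.][^/]+/")          reason = "hidden-dir"
            if (reason != "") { print reason ": " $0; break }
        }
    }'
}

# Constructed sample: the entries from the post, plus a MAILTO setting and
# one benign job that must not be flagged.
sample_crontab() {
    cat <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
MAILTO=""
0 0 */3 * * /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/sabnzbd/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1
30 2 * * * /usr/bin/rsync -a /srv/downloads/ /mnt/backup/
EOF
}

sample_crontab | flag_suspicious_cron
```

On a live system the input would come from `crontab -l -u <user>` for each account instead of the sample.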
sander
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Cron consistently maxing out cpu under user sabnzbd

Post by sander »

Looks like I have me a virus. Below was in the cron file for user sabnzbd. Running clamav found Multios.Coinminer.Miner-6781728-2

Ah ... "congrats" ... 8)

See https://blog.sucuri.net/2019/10/cryptom ... ugins.html

Re: Cron consistently maxing out cpu under user sabnzbd

Post by regder »

sander wrote: October 28th, 2019, 5:31 pm Ah ... "congrats" ... 8)

See https://blog.sucuri.net/2019/10/cryptom ... ugins.html
lol, thanks...

From what I have found, it looks like it was a brute force attack that gained access through the sabnzbd user. I have since changed the sabnzbd user password and locked down which users can ssh into my server.

Hope that's going to be enough.