[BUG] A strange static/static process takes up very high CPU - Cyberpanel 2.3 #1394

Open
datnd299 opened this issue Jan 13, 2025 · 2 comments

@datnd299

Summary
Recently I discovered that a static/static process appears on my server, taking up a lot of CPU. I don't know where the executable file is and I can't shut it down.

Details
I have 2 different servers with only CyberPanel installed to manage my WordPress websites. Both of these servers are occupied by this static/static process, which runs as root. I tried restarting a server; that server crashed and wouldn't restart again.

PoC
I don't know how to reproduce it.

Impact
My server is running very slow; it may not be possible to turn it back on if it is turned off.

@Orgoth

Orgoth commented Jan 13, 2025

Can you get a clearer view of these processes with ps?

ps -FLww -p 716724

or

cat /proc/716724/status

Can you also check what the static contains?
For example: miner or xmrig, or another clue to what it could be.

@datnd299
Author

Name:   static
Umask:  0022
State:  S (sleeping)
Tgid:   716724
Ngid:   0
Pid:    716724
PPid:   1
TracerPid:      0
Uid:    0       0       0       0
Gid:    5001    5001    5001    5001
FDSize: 64
Groups: 998 5001 65534
NStgid: 716724
NSpid:  716724
NSpgid: 590795
NSsid:  590795
VmPeak:  2460160 kB
VmSize:  2457924 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:   2415784 kB
VmRSS:   2415724 kB
RssAnon:         2408912 kB
RssFile:            6812 kB
RssShmem:              0 kB
VmData:  2449796 kB
VmStk:       132 kB
VmExe:      5940 kB
VmLib:       128 kB
VmPTE:      4800 kB
VmSwap:        0 kB
HugetlbPages:          0 kB
CoreDumping:    0
THP_enabled:    1
Threads:        22
SigQ:   0/256433
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000180001004
SigCgt: 000000000000460b
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
Speculation_Store_Bypass:       thread vulnerable
Cpus_allowed:   ffff
Cpus_allowed_list:      0-15
Mems_allowed:   00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list:      0
voluntary_ctxt_switches:        1759250
nonvoluntary_ctxt_switches:     873

This is the report.
On my 2 servers, only CyberPanel is installed and this malware runs as root, so I suspect it infiltrates through CyberPanel.
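
Added example, not part of the thread or of the CyberPanel project: a small Python triage script over the /proc/<pid>/status fields posted above, listing the ones that stand out for a defender. The sample text is a constructed subset of that dump, and the 1024 MiB memory threshold is an assumption.

```python
import sys

# Constructed sample: a subset of the fields from the status dump posted above.
SAMPLE_STATUS = """\
Name:   static
PPid:   1
Uid:    0       0       0       0
Gid:    5001    5001    5001    5001
VmRSS:   2415724 kB
Threads:        22
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
"""

def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(fields, rss_limit_mib=1024):
    """Return findings worth a closer look. The RSS limit is an assumption."""
    findings = []
    # Uid/Gid columns are: real, effective, saved, filesystem.
    uid = fields.get("Uid", "").split()
    gid = fields.get("Gid", "").split()
    if len(uid) == 4 and len(gid) == 4 and uid[1] == "0" and gid[1] != "0":
        findings.append("effective uid 0 but effective gid " + gid[1])
    if fields.get("PPid") == "1":
        findings.append("parent is PID 1")
    cap_eff = int(fields.get("CapEff", "0"), 16)
    if cap_eff and cap_eff == int(fields.get("CapBnd", "0"), 16):
        findings.append("effective capabilities equal the bounding set")
    rss = fields.get("VmRSS", "0 kB").split()
    rss_mib = int(rss[0]) // 1024
    if rss_mib > rss_limit_mib:
        findings.append("resident memory %d MiB" % rss_mib)
    return findings

if __name__ == "__main__":
    # With a PID argument, read the live process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open("/proc/%s/status" % sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_STATUS
    for finding in triage(parse_status(text)):
        print(finding)
```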
