Crontab 100% cpu load

  • Hello, pufferd has been causing a lot of CPU load (1 core is fully loaded) since today.

    And I have found that this stuff was added as a crontab task. How and why?

    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (7815696ecbf.txt installed on Wed Aug 22 14:20:10 2018)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    30 * * * * /var/tmp/crontab-flush

    So after stopping the service, it still produces the same load.

    Can someone explain, what is it?

  • We do not do anything with cron.

    This sounds like someone put a malicious file in place. What is in /var/tmp/crontab-flush?

    I bet it's a cpu miner, I've seen it happen before.

  • To expand on my previous answer:

    While pufferd does run as its own user, no server is run in a container unless explicitly defined to do so (docker templates). This means that any server that you run can have access to the underlying machine. However, it is run as a user who does not have root access.

    What it seems like happened is you had a server which chose to place a file into /var/tmp (which anyone can read/write from) and install some script which probably is a cpu-miner.
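
Added example (not part of the original thread and not PufferPanel code): a POSIX shell check for the pattern described above, a cron entry that runs a file out of a world-writable directory such as /var/tmp. The directory list, the function names and the sample crontab (the entry quoted in the first post plus constructed lines) are assumptions.

```shell
#!/bin/sh
# Flag crontab entries that reference world-writable directories.

# Assumed list of world-writable locations; extend for your system.
# The leading group stops "/home/mc/tmp/" from matching as "/tmp/".
WRITABLE_RE='(^|[^A-Za-z0-9_.-])(/tmp|/var/tmp|/dev/shm)/'

# scan_crontab LABEL: read crontab text on stdin and print "LABEL: entry"
# for every non-comment line that references one of those directories.
scan_crontab() {
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -E -- "$WRITABLE_RE" |
    while IFS= read -r entry; do
        printf '%s: %s\n' "$1" "$entry"
    done
}

# scan_all_users: check every local account's crontab (needs root, since
# "crontab -u" is restricted to the superuser).
scan_all_users() {
    cut -d: -f1 /etc/passwd | while IFS= read -r user; do
        crontab -u "$user" -l 2>/dev/null | scan_crontab "$user"
    done
}

# Constructed sample: the entry from this thread, one benign job whose
# argument merely contains "tmp", and one more job in a writable directory.
sample_crontab() {
    cat <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
30 * * * * /var/tmp/crontab-flush
0 3 * * * /usr/local/bin/backup.sh /home/mc/tmp/world
*/5 * * * * sh /dev/shm/job.sh
EOF
}

case "${1:-}" in
    --all)  scan_all_users ;;
    --demo) sample_crontab | scan_crontab pufferd ;;
esac
```

A hit is only a lead: inspect the referenced file and the account's running processes before removing the entry with `crontab -u <user> -e`.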

  • Thank you for the answer. So yes, this is a CPU miner, and it comes from a plugin for the Minecraft server. It was very strange to me that the miner was launched by the pufferd user; honestly, I did not expect this.

  • We do not run servers under their own user as there is no security in doing so. It also requires the daemon to run as root, which is not something we want to do (and would open up more attack vectors). This is why it's seen as running as pufferd.

  • @Slaand Could you please tell me which plugin has this malicious cpu-miner?
    I have met the same problem and wish to warn users not to use this plugin. Many thanks.

  • @PonyPC it could be any of your plugins.
    In my case the bedwars plugin was malicious. If you don't have any, just check out this thing, it might help you: