MBilling Suddenly Started Using 100% CPU #690
Comments
Pretty sure you were hacked. If I were to guess, that mbilling file is a renamed crypto miner, and is thus using all your CPU to mine bitcoin or anything else. The file mbilling.conf should contain the address of the pool which the miner should be posting to. You can try using lsof -p (in your case, lsof -p 1852) to find the related files to this process, so you can find what else is running and how to delete it.
Thank you very much. The way the attacker put it really felt like Magnus Billing was using all that CPU. On inspecting the code, it is really a crypto miner, thanks again.
You are hacked. I have the same problem. Any idea how to prevent being hacked?
Yes....
Check these parameters. For Magnus Billing to work 100%, it is necessary to change them.
Change the php.ini file
```ini
; Basic Security Settings
; Restricts PHP scripts from running outside the designated directory
open_basedir = "/var/www/html:/tmp"
; Prevents dangerous functions from running
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
; Disables dynamic loading of extensions
enable_dl = Off
; Disables displaying errors on the screen to prevent information exposure
display_errors = Off
; Sends errors to internal logs
log_errors = On
error_log = /var/log/php_errors.log

; Input and Output Settings
; Limits the maximum file upload size
upload_max_filesize = 2M
post_max_size = 8M
; Restricts file upload permissions
file_uploads = Off

; Remote Code Execution Settings
; Blocks remote file execution via URL
allow_url_fopen = Off
allow_url_include = Off

; Session Settings
; Uses secure cookies and sets session policies
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1

; Memory and Execution Settings
; Limits memory usage per script
memory_limit = 128M
; Sets a time limit for script execution
max_execution_time = 30
max_input_time = 30

; Information Exposure Settings
; Prevents PHP version exposure
expose_php = Off
```
On Thu, Nov 14, 2024 at 22:15, atorresa wrote:
> … You are hacked. I have the same problem. Any idea how to prevent being hacked?
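An added example, not code from this thread or from the MagnusBilling project: a small Python audit that can be run over the text of each php.ini found on a host to see which of the directives recommended above that file actually sets. It also flags a `disable_functions` list that has wrapped onto its own line, which leaves the directive empty; the function names and the sample inputs are constructed for illustration.

```python
# Function list copied from the comment's disable_functions line.
FUNCS = ("exec,passthru,shell_exec,system,proc_open,popen,curl_exec,"
         "curl_multi_exec,parse_ini_file,show_source")
# Boolean directives and the values the comment recommends (True = On).
RECOMMENDED = {
    "enable_dl": False, "display_errors": False, "file_uploads": False,
    "allow_url_fopen": False, "allow_url_include": False, "expose_php": False,
    "log_errors": True, "session.cookie_httponly": True,
    "session.cookie_secure": True, "session.use_strict_mode": True,
}

def parse_ini(text):
    """Return ({directive: value}, [(lineno, text)] of lines that set nothing)."""
    values, orphans = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        if "=" not in line:
            orphans.append((n, line))   # e.g. a value wrapped onto its own line
            continue
        key, _, val = line.partition("=")
        # Simplification: treat ';' as starting a trailing comment, drop quotes.
        values[key.strip()] = val.split(";", 1)[0].strip().strip('"')
    return values, orphans

def audit(text):
    """List every way this php.ini text differs from the recommended settings."""
    values, orphans = parse_ini(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: not set in this file")
        elif (got.lower() in ("1", "on", "yes", "true")) != want:
            findings.append(f"{key}: is {got!r}")
    disabled = {f.strip() for f in values.get("disable_functions", "").split(",")}
    missing = [f for f in FUNCS.split(",") if f not in disabled]
    if missing:
        findings.append("disable_functions lacks: " + ",".join(missing))
    findings += [f"line {n}: sets nothing: {t[:30]}" for n, t in orphans]
    return findings

# Constructed sample input: the same settings with the list wrapped and joined.
BASE = "".join(f"{k} = {'On' if v else 'Off'}\n" for k, v in RECOMMENDED.items())
WRAPPED = BASE + "disable_functions =\n" + FUNCS + "\n"
JOINED = BASE + "disable_functions = " + FUNCS + "\n"
if __name__ == "__main__":
    for name, text in (("wrapped", WRAPPED), ("joined", JOINED)):
        print(name, audit(text) or "matches the recommended settings")
```

An empty result for a file only means that file matches; the file PHP actually loads for the web server can differ from the one the command line uses.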
I find 3 php.ini files. What is the php file to change?
The vulnerability was located a while ago, here is the solution to remote command execution, I hope. https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2023-30258
I installed a new machine using Debian 12 and the last version of Magnus, with the same behavior. I see calls from Magnus to my users, trying to register. I don't know how to secure Magnus. Magnus and Debian are fully upgraded.
Our system was running smoothly, and had a very low amount of usage, but suddenly, mbilling is using all the CPU cores 100%.
I checked server logs, but couldn't find anything that could be causing it.