MUnique / OpenMU

This project aims to create an easy to use, extendable and customizable server for a MMORPG called "MU Online".
https://munique.net
MIT License

CPU 100% when the server is running #397

Closed zwingser closed 8 months ago

zwingser commented 8 months ago

Describe the bug: When the server is running, the CPU goes up to 100%, and this process is called.

I'm using the Docker all-in-one deployment. I can reproduce it on x86 and ARM servers.

At the beginning it's OK; after about 2 weeks it happened.

dege88 commented 8 months ago

Looks like your server got hacked with a cryptominer: https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu

zwingser commented 8 months ago

This is the only server I deployed on my VPS, and this is a new VPS from Oracle, an ARM machine.

And when the OpenMU server is shut down, the problem is solved.

So, I think there must be some problems inside the container.

sven-n commented 8 months ago

I'm sorry that this happened to you. Can you give us some information about how exactly you deployed that all-in-one with docker compose?

zwingser commented 8 months ago

I'm sorry that this happened to you. Can you give us some information about how exactly you deployed that all-in-one with docker compose?

  • Which ports does the container actually expose?
  • Did you change the admin panel password?
  1. I modified the ports.
  2. I didn't change the password of the admin panel.
  3. This is my startup script: 1173f438c695411eb341a5df6af90197
  4. And this is the compose file (only the 80 port was modified): 48ff39957824443496a0e9d4ffa45c6c

sven-n commented 8 months ago

Okay, I don't know how this cryptominer actually sneaked into that container, but I highly recommend changing the admin panel password.

lucasfcnunes commented 8 months ago

Okay, I don't know how this cryptominer actually sneaked into that container, but I highly recommend changing the admin panel password.

@sven-n Is that specific to @zwingser container/setup or a CVE in the MUnique/OpenMU project?

lucasfcnunes commented 8 months ago

Nothing detected here for now (on 91f97a0d0803).


sven-n commented 8 months ago

Unfortunately, I found a way to get some code into the server when the admin panel is accessible. I fixed it for now. However, I'm not sure if that was the attack vector. @zwingser Can you check if there is any result for this query on the database? SELECT * FROM config."PlugInConfiguration" WHERE "CustomPlugInSource" is not null

zwingser commented 8 months ago

Unfortunately, I found a way to get some code into the server when the admin panel is accessible. I fixed it for now. However, I'm not sure if that was the attack vector. @zwingser Can you check if there is any result for this query on the database? SELECT * FROM config."PlugInConfiguration" WHERE "CustomPlugInSource" is not null

Yesterday I removed the image, container and volumes, so I cannot check it now. I can try to rebuild it, but I'm not sure when it will happen again.

sven-n commented 8 months ago

Okay, I'm closing this issue for now. If it happens again, open a new one or comment here.

sven-n commented 1 month ago

We found a way a crypto miner could get into that. It was the exposed postgres port in the traefik deployment, see #435.

@zwingser But you used the "normal" deployment with nginx, right? In that case, we also might have to change something to keep the postgres database more private than it already is.
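
The exposed postgres port named in the last comment is something a compose file can be audited for before deployment. The following is an added example, not code from this thread or from the OpenMU project: it checks compose short-syntax `ports` entries for a database port published beyond loopback. The service names and mappings in `SAMPLE` are constructed, and it assumes postgres listens on its default container port 5432 and that Docker's default bind address has not been changed.

```python
# Added example: flag database ports that a compose file publishes beyond loopback.
# SAMPLE is constructed data, not taken from the OpenMU compose files.
import ipaddress

DB_PORTS = {5432: "postgres"}  # assumption: default postgres container port

def parse_port(entry):
    """Parse '[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto]' (ranges allowed)."""
    spec = entry.split("/")[0]                    # drop '/tcp' or '/udp'
    parts = spec.rsplit(":", 2)                   # keeps IPv6 host addresses intact
    host_ip = parts[0].strip("[]") if len(parts) == 3 else None
    lo, _, hi = parts[-1].partition("-")          # '5432' or '5400-5440'
    return host_ip, range(int(lo), int(hi or lo) + 1)

def audit(services):
    """Return (service, entry, label) for each database port reachable off-host."""
    findings = []
    for name, ports in services.items():
        for entry in ports:
            host_ip, container_ports = parse_port(str(entry))
            # With no host IP, Docker by default binds the port on all interfaces.
            exposed = host_ip is None or not ipaddress.ip_address(host_ip).is_loopback
            for port, label in DB_PORTS.items():
                if exposed and port in container_ports:
                    findings.append((name, entry, label))
    return findings

SAMPLE = {  # constructed: service name -> 'ports' list as read from a compose file
    "database": ["5432:5432"],
    "database-local": ["127.0.0.1:5432:5432"],
    "database-v6": ["[::1]:5432:5432"],
    "database-range": ["0.0.0.0:5400-5440:5400-5440"],
    "proxy": ["80:80", "443:443/tcp"],
}

if __name__ == "__main__":
    for service, entry, label in audit(SAMPLE):
        print(f"{service}: {label} published beyond loopback via '{entry}'")
```

A service with no `ports` entry at all is reachable only from other containers on the same compose network, which is normally all a database needs.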