Marc-Pierre-Barbier
commented
1 year ago i moved my save and configs to another vm and used the official fabric server launcher and so far nothing strange is visible.
i believe it's an option in the config of server starter that is problematic
I run all my servers in isolated virtual machines and in the virtual machine dedicated to this mod pack i found a new file called "libprocesshider.so" which is a library to hide processes.
i found suspicious to have this installed on my machine, so i check which packages installed it. the result: none. it was manually installed without using my distribution's package manager.
so i removed it and reboot. Upon rebooting, i opened htop to see which new processes appeared. and I found 6 new processes that were called "bash" after check theirs executables in /proc i discovered that they had NOTHING to do with bash.
the first process i looked at was using a cgroup called pwnrigl i found no references to that group apart from https://gist.github.com/Gsealy/2c8ad20f49009c649f662b14e6825d51 and https://miloserdov.org/?p=6971. the high cpu usage and the gist github repo lead me to believe this is a crypto miner.
Something is probably hidden in this. I have yet to find how it gets installed, but one thing is sure: the entry point is the modpack.