TeamAOF / All-of-Fabric-5

Modpack containing the latest & best of Fabric.

Server starter is very suspicious #543

Open Marc-Pierre-Barbier opened 1 year ago

Marc-Pierre-Barbier commented 1 year ago

I run all my servers in isolated virtual machines, and in the virtual machine dedicated to this mod pack I found a new file called "libprocesshider.so", which is a library to hide processes.

I found it suspicious to have this installed on my machine, so I checked which packages installed it. The result: none. It was manually installed without using my distribution's package manager.

So I removed it and rebooted. Upon rebooting, I opened htop to see which new processes appeared, and I found 6 new processes that were called "bash". After checking their executables in /proc, I discovered that they had NOTHING to do with bash.

The first process I looked at was using a cgroup called pwnrigl. I found no references to that group apart from https://gist.github.com/Gsealy/2c8ad20f49009c649f662b14e6825d51 and https://miloserdov.org/?p=6971. The high CPU usage and the GitHub gist lead me to believe this is a crypto miner.

Something is probably hidden in this. I have yet to find how it gets installed, but one thing is sure: the entry point is the modpack.
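The checks the reporter did by hand (compare a process's claimed name with the binary behind /proc/<pid>/exe, look at its cgroup, and look for a preloaded process hider) can be scripted. The following is an added example written for this thread; it is not code from the reporter, the modpack or Server Starter. It assumes a Linux procfs layout, uses the cgroup name `pwnrigl` from the report as a marker, treats any entry in /etc/ld.so.preload as worth a look (libraries of the libprocesshider kind are typically loaded that way), and builds a small constructed fake /proc tree (pids 100 and 4242, the path /tmp/.x/kswapd0 is invented) so the detection logic can be exercised offline.

```python
import os
import tempfile
from pathlib import Path

# Marker taken from the report above; any other sample strings below are constructed.
DEFAULT_CGROUP_MARKERS = ("pwnrigl",)


def inspect_proc(proc_root="/proc", claimed_names=("bash",), cgroup_markers=DEFAULT_CGROUP_MARKERS):
    """Walk a procfs tree and return [(pid, [reasons])] for processes whose
    claimed name (comm) disagrees with the binary behind /proc/<pid>/exe,
    whose binary was unlinked from disk, or whose cgroup contains a marker."""
    findings = []
    for entry in sorted(Path(proc_root).iterdir(), key=lambda p: p.name):
        if not entry.name.isdigit():
            continue  # skip /proc/self, /proc/sys, etc.
        pid = int(entry.name)
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited or is not readable
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = None  # kernel thread, or not enough permission to read the link
        try:
            cgroup = (entry / "cgroup").read_text()
        except OSError:
            cgroup = ""
        reasons = []
        if comm in claimed_names and exe is not None:
            real_name = os.path.basename(exe.replace(" (deleted)", ""))
            if real_name not in claimed_names:
                reasons.append(f"comm is '{comm}' but exe resolves to {exe}")
        if exe is not None and exe.endswith(" (deleted)"):
            reasons.append("executable unlinked from disk while still running")
        for marker in cgroup_markers:
            if marker in cgroup:
                reasons.append(f"cgroup contains '{marker}'")
        if reasons:
            findings.append((pid, reasons))
    return findings


def preload_entries(preload_file="/etc/ld.so.preload"):
    """Return the libraries listed in ld.so.preload (empty list if the file is absent).
    On a normal server the file is missing or empty, so any entry deserves a look."""
    try:
        text = Path(preload_file).read_text()
    except OSError:
        return []
    return [line.strip() for line in text.splitlines() if line.strip() and not line.startswith("#")]


def build_sample_proc(root):
    """Construct a fake procfs tree (constructed data, not captured from a host):
    pid 100 is a genuine bash; pid 4242 claims to be bash but points at a deleted
    binary under /tmp and sits in the cgroup named in the report."""
    def add(pid, comm, exe_target, cgroup_line):
        d = Path(root) / str(pid)
        d.mkdir()
        (d / "comm").write_text(comm + "\n")
        os.symlink(exe_target, d / "exe")
        (d / "cgroup").write_text(cgroup_line + "\n")
    add(100, "bash", "/usr/bin/bash", "0::/user.slice/session-1.scope")
    add(4242, "bash", "/tmp/.x/kswapd0 (deleted)", "0::/pwnrigl")  # invented path
    (Path(root) / "self").mkdir()  # non-numeric entry that must be skipped


def demo():
    """Run the inspection against the constructed tree and return its findings."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    build_sample_proc(root)
    return inspect_proc(root)


if __name__ == "__main__":
    # Against the real host: needs root to resolve exe links of other users' processes.
    for pid, reasons in inspect_proc():
        print(pid, "; ".join(reasons))
    for lib in preload_entries():
        print("preloaded:", lib)
```

Run as root on the affected VM it prints one line per suspicious pid; on the constructed tree, `demo()` flags only pid 4242, with all three reasons. Unlinked executables and cgroup names are checked separately because a miner that stops lying in `comm` can still be caught by either of the other two.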

Marc-Pierre-Barbier commented 1 year ago

I moved my save and configs to another VM and used the official Fabric server launcher, and so far nothing strange is visible.

I believe it's an option in the config of Server Starter that is problematic.