magnussolution / magnusbilling7

MagnusBilling is a fast, secure, efficient, high availability, VOIP Billing.
https://www.magnusbilling.org
GNU Lesser General Public License v3.0
181 stars 108 forks

MBilling Suddenly Started Using 100% CPU #690

Open Lampard11 opened 3 hours ago

Lampard11 commented 3 hours ago

Our system was running smoothly, and had very low amount of usage, but suddenly, mbilling is using all the CPU cores 100%.

I checked server logs, but couldn't find anything that could be causing it.

[Image: full-cpu]

ccabrerar commented 3 hours ago

Pretty sure you were hacked. If I were to guess, that mbilling file is a renamed crypto miner, and is thus using all your CPU to mine bitcoin or anything else. The file mbilling.conf should contain the address of the pool which the miner should be posting to.

You can try using lsof -p (in your case, lsof -p 1852) to find the related files to this process, so you can find what else is running and how to delete it.

Lampard11 commented 3 hours ago

> Pretty sure you were hacked. If I were to guess, that mbilling file is a renamed crypto miner, and is thus using all your CPU to mine bitcoin or anything else. The file mbilling.conf should contain the address of the pool which the miner should be posting to.
>
> You can try using lsof -p (in your case, lsof -p 1852) to find the related files to this process, so you can find what else is running and how to delete it.

Thank you very much. The way the attacker put it really felt like Magnus Billing was using all that CPU. On inspecting the code, it is really a crypto miner, thanks again.

atorresa commented 2 hours ago

You are hacked. I have the same problem; any idea how to prevent being hacked?

yurikurka commented 55 minutes ago

Yes....

Check these parameters. For Magnus Billing to work 100%, it is necessary to change them. Change the php.ini file:

```ini
; Basic Security Settings

; Restricts PHP scripts from running outside the designated directory
open_basedir = "/var/www/html:/tmp"

; Prevents dangerous functions from running
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

; Disables dynamic loading of extensions
enable_dl = Off

; Disables displaying errors on the screen to prevent information exposure
display_errors = Off

; Sends errors to internal logs
log_errors = On
error_log = /var/log/php_errors.log

; Input and Output Settings

; Limits the maximum file upload size
upload_max_filesize = 2M
post_max_size = 8M

; Restricts file upload permissions
file_uploads = Off

; Remote Code Execution Settings
; Blocks remote file execution via URL
allow_url_fopen = Off
allow_url_include = Off

; Session Settings
; Uses secure cookies and sets session policies
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1

; Memory and Execution Settings
; Limits memory usage per script
memory_limit = 128M

; Sets a time limit for script execution
max_execution_time = 30
max_input_time = 30

; Information Exposure Settings
; Prevents PHP version exposure
expose_php = Off
```

On Thu, Nov 14, 2024 at 22:15, atorresa wrote:

> You are hacked. I have the same problem; any idea how to prevent being hacked?

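As an added example (not part of the thread and not MagnusBilling code), this Python sketch audits php.ini text against a subset of the directives listed in the comment above. It also shows that a directive sharing a line with a `;` comment is ignored by the parser, so each directive has to sit on its own line. The function names and both sample files are constructed for illustration.

```python
# Added example: audit php.ini text against a subset of the directives above.
RECOMMENDED = dict.fromkeys(
    ("allow_url_fopen", "allow_url_include", "enable_dl", "expose_php", "display_errors"), "Off")
MUST_DISABLE = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
_BOOL = {"on": "1", "true": "1", "yes": "1", "off": "0", "false": "0", "no": "0", "none": "0", "": "0"}

def parse_ini(text):
    """Effective directives: ';' starts a comment, the last assignment wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue                       # blank, comment, section header, or no assignment
        key, _, val = line.partition("=")
        val = val.strip()
        if val[:1] in ('"', "'"):          # quoted value: keep the text inside the quotes
            val = val[1:].split(val[0], 1)[0]
        else:                              # unquoted value: drop a trailing ';' comment
            val = val.split(";", 1)[0].strip()
        values[key.strip()] = val
    return values

def _norm(value):
    return _BOOL.get(value.lower(), value)  # On/Off/1/0 spellings compare equal

def audit(text):
    """Return (directive, expected, actual) for every missing or differing setting."""
    ini = parse_ini(text)
    findings = [(k, want, ini.get(k)) for k, want in RECOMMENDED.items()
                if k not in ini or _norm(ini[k]) != _norm(want)]
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    findings += [("disable_functions", fn, None) for fn in sorted(MUST_DISABLE - disabled)]
    return findings                        # unset directives are reported: defaults may differ

# Constructed sample 1: comment and directive share a line, so the directive is inert.
FLATTENED = """; Blocks remote file execution via URL allow_url_fopen = Off allow_url_include = Off
; Prevents dangerous functions from running disable_functions = exec,passthru,shell_exec,system
"""
# Constructed sample 2: one directive per line.
EXPLICIT = """allow_url_fopen = Off
allow_url_include = 0 ; inline comment
enable_dl = Off
expose_php = Off
display_errors = Off
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,curl_exec"
"""

if __name__ == "__main__":
    print(audit(FLATTENED), audit(EXPLICIT))
```

To check the values PHP actually loaded rather than the file on disk, compare against the output of `php -i` or `phpinfo()` for the SAPI that serves the application.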