TLDR: perfctl is a crypto mining and proxy jacking malware that exploits about 20’000 common missconfigurations to install itself on Linux servers. Mostly using a 10/10 CVE on Apache RocketMQ.

It is very persistent and can reinstall itself even when you have deleted all the perfctl and perfcc files. It hides itself by removing logs, network packets, and stopping all activity once you login to the machine.

Monitoring cpu usage using tools (I use net data on my server) can help identify infections (100% cpu usage when « idle »).

  • Jimmycrackcrack@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    15 hours ago

    The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

    So, is it a fairly decent antivirus mixed in with all the malware?

  • digdilem@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 hours ago

    Surely y’all have monitoring and alerts for excessive cpu load already?

    • SuperFola@programming.devOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 hours ago

      On my own server at home, yes. Because that’s important for me to know what’s going on and not discover something by chance weeks later.

  • theshatterstone54@feddit.uk
    link
    fedilink
    arrow-up
    7
    arrow-down
    2
    ·
    edit-2
    1 day ago

    Maybe not related but I had an issie with wireplumber where it would suddenly take up any free CPU resources and use them up, jacking up my cpu usage up to crazy high numbers, often to 100% at times where the expected cpu usage would be at 20% at most.

    I haven’t experienced this in the last week or so, so maybe it was fixed in an update? I’m on Fedora, btw. I just wanted to share, so I can find out if anyone else had the same issue.

  • NeoNachtwaechter@lemmy.world
    link
    fedilink
    arrow-up
    51
    ·
    2 days ago

    However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds

    OK so you just need to stay logged in - Solved :)

    • LeLachs@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 day ago

      Sounds pretty scary to me. The thing has full control over your computer (if infected) and is nearly undetectable.

        • Mwa@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 day ago

          Ig this was for linux servers nvm I didn’t read it correctly it’s actually quite scary ignore what i said