I'm facing an issue of high CPU usage after a reboot

detachable

New Member
Jan 4, 2023
Currently, I have two LXC containers and only one is running with 1 CPU. When the server restarted, after some time CPU usage went to 83-84% without performing any task. Please help me to fix this.
Attaching output of the "top" command.

IMG_20230107_091242_1_50 (1).jpg
 
That 'xrx' task is most likely a cryptominer. You can find out more about it by getting the process ID (9242, in that screenshot) and looking at /proc/9242 - specifically the cwd and executable. That will let you find the file and confirm what it is. If it IS a cryptominer, figure out how your machine was hacked, fix that, and then deploy a replacement with that issue fixed.
 
How can I remove it?
 
That process is running as root on your Proxmox host (and using 5 cores). If you did not install it then your Proxmox host is compromised. Erase everything, improve your security/firewall/passwords and install a fresh Proxmox.
Thanks
 
I would also recommend installing fail2ban to prevent SSH brute-forcing, disabling password logins for SSH and only using symmetric encryption for authentication. In case you have an IPMI/BMC, make sure that it is upgraded to a recent version. If you can't do that because it is an EoL server, don't have that IPMI online and make it only available using VPN.
 
Hi Dunuin,
Thank you, I will surely apply your suggestion. As I'm new here, I want to figure out the issue: I put my host machine on the intranet and it was not exposed to the internet, so how do other people attack my host?
 
That's something for you to figure out! Maybe another machine is compromised on your network, maybe there's a port forward you're not expecting, there's any number of ways.

Unfortunately, that's not really something I feel I can help with - you'll need to figure that out yourself. But after you have figured it out, your best suggestion is to build a new machine.

However, are you REALLY REALLY SURE that that cryptominer is running on the host, and not in a container? Have you double checked? If you're not sure, I would suggest you open a support ticket with Proxmox themselves, and ask them for (commercial) support. They'll be able to at least confirm where the cryptominer is, and may be able to give you an indication of how it got in.
 
"xrx" could be different things:
- X Remote eXecution
- some Xerox printer stuff
- a RX helper program
- ...
You should analyse that process binary and find out what it really is.

And if it is an LXC, then it must be run inside a privileged LXC, as unprivileged LXCs wouldn't be run by root.
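
The checks suggested in the replies above (inspect /proc/<pid> for the executable and working directory, then confirm whether the process runs on the host or in a privileged or unprivileged LXC) can be scripted as follows. This is an added example, not part of any forum post; the function names are hypothetical, and the /lxc/<id> cgroup path is an assumption about how the host names its container cgroups.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of one PID via /proc.
# The optional second argument replaces /proc so the logic can be tested on a
# constructed directory tree.

# "lxc:<id>" if the cgroup path contains /lxc/<id> (assumed layout),
# otherwise "host".
proc_location() {
    pid=$1; root=${2:-/proc}
    id=$(sed -n 's#.*/lxc/\([^/]*\).*#\1#p' "$root/$pid/cgroup" 2>/dev/null | head -n 1)
    if [ -n "$id" ]; then echo "lxc:$id"; else echo "host"; fi
}

# "identity" if UID 0 of the process is UID 0 on the host (host process or
# privileged container); "shifted" if a user namespace remaps it.
proc_uidmap() {
    pid=$1; root=${2:-/proc}
    awk 'NR == 1 { if ($1 == 0 && $2 == 0) print "identity"; else print "shifted" }' \
        "$root/$pid/uid_map"
}

# Combine both checks into the three cases raised in the thread.
proc_verdict() {
    loc=$(proc_location "$1" "$2"); map=$(proc_uidmap "$1" "$2")
    case "$loc/$map" in
        host/*)         echo "host process" ;;
        lxc:*/identity) echo "privileged container ${loc#lxc:}" ;;
        lxc:*/shifted)  echo "unprivileged container ${loc#lxc:}" ;;
    esac
}

# Print where the binary lives and how it was started. readlink shows a
# " (deleted)" suffix when the executable was unlinked after launch.
triage_pid() {
    pid=$1; root=${2:-/proc}; p="$root/$pid"
    [ -d "$p" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "exe:     $(readlink "$p/exe")"
    echo "cwd:     $(readlink "$p/cwd")"
    echo "cmdline: $(tr '\0' ' ' < "$p/cmdline")"
    echo "verdict: $(proc_verdict "$pid" "$root")"
}

# Usage: sh triage.sh <pid>   (run as root on the host)
if [ $# -gt 0 ]; then triage_pid "$1"; fi
```

If root on the host is compromised, the output is a lead for finding the file, not proof that nothing else was changed.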
 
Sure, basically I used my old machine to learn more about Proxmox. I haven't looked into security & firewall configurations.
I think xrx is some malicious command and somebody added it as a cron; when I kill the process, it restarts again after some time.
 
