[SOLVED] kswapd0 using all CPU resources

Skwll

New Member
Apr 9, 2021
I solved this; it was a virus!
I was able to remove it with the help of this article.


Hello

I have Proxmox installed on a server that has an AMD® Ryzen™ 5 3600 6c/12t @3.60GHz, 64 GB RAM and 2 x 480 GB NVMe.
On it there is 1 Windows 2019 Server running, 1 Ubuntu server and an ownCloud cluster. I restored those VMs from a backup of an old server. I don't have access to that server anymore.

Now what I am trying to solve is this:
[Attached screenshot: MobaXterm_Personal_20.6_9C7preaPqa.png]
kswapd0 keeps using all the CPU power of the whole server. I taskkilled it multiple times, but it keeps coming back the other day or after 5-6 hours.

I tried to reinstall the ballooning service on the Windows server 2 times and have now completely disabled the service and rebooted the server.
But it still shows too much RAM on the web GUI (yes, I did the setup of the ballooning correctly):
[Attached screenshot: 1617960575834.png]
I think that the kswapd0 issue comes from this. I am not 100% sure because I should have disabled it.
Is there a way to restart the memory ballooning on the Proxmox server?
What can I do to solve this? The other Linux servers are running with no problems.
 

aaron

Proxmox Staff Member
Staff member
Jun 3, 2019
Thanks for sharing the solution :)
Please make sure to figure out how your server got compromised. You should consider reinstalling it from scratch as there is no guarantee that whoever had access, did place some other backdoors.
 

Skwll

New Member
Apr 9, 2021
aaron said:
> Thanks for sharing the solution :)
> Please make sure to figure out how your server got compromised. You should consider reinstalling it from scratch as there is no guarantee that whoever had access, did place some other backdoors.

The only thing I could think of is that maybe someone got access via SSH once.
Proxmox got installed by the hosting support and I never did anything else on the server than running Proxmox.
But they did use a less secure root password (I changed it after 2 days of using it).
I had already set up fail2ban at that time because I saw in the auth log that the server gets attacked by bruteforcers.
After I removed the virus I deleted the SSH keys and changed the root password.
I think it should be good for now; otherwise I will have to reinstall it like you said.
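
The first post's finding was that the CPU-hungry "kswapd0" was malware rather than the kernel's swap thread. As an added example (not code from this thread or from Proxmox), the shell function below separates a genuine kernel thread from a userland process using the same name by reading /proc; the function name `find_kthread_imposters` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list processes that carry a
# kernel-thread name such as kswapd0 but are ordinary userland programs.
# A genuine kernel thread has no binary behind /proc/PID/exe, an empty
# /proc/PID/cmdline, and kthreadd (PID 2) as its parent.
# Run as root so that /proc/PID/exe of every process is readable.

# Usage: find_kthread_imposters PROC_ROOT NAME
# Prints "PID reasons exe-path" for each suspicious process.
find_kthread_imposters() {
    proc_root=$1
    name=$2
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        read -r comm 2>/dev/null < "$dir/comm" || continue
        [ "$comm" = "$name" ] || continue

        reasons=""
        # readlink fails on a kernel thread: there is no executable file.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=""
        if [ -n "$exe" ]; then reasons="$reasons,has-exe"; fi

        # A kernel thread has no argv, so cmdline reads back empty.
        cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline") || cmd=""
        if [ -n "$cmd" ]; then reasons="$reasons,has-cmdline"; fi

        # Every kernel thread is a child of kthreadd, which is PID 2.
        ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null) || ppid=""
        if [ -n "$ppid" ] && [ "$ppid" != 2 ]; then
            reasons="$reasons,parent-not-kthreadd"
        fi

        if [ -n "$reasons" ]; then
            printf '%s %s %s\n' "${dir##*/}" "${reasons#,}" "${exe:-none}"
        fi
    done
    return 0
}

# Check the live system; no output means every kswapd0 is a kernel thread.
find_kthread_imposters /proc kswapd0
```

Any PID it prints should be treated as evidence of compromise: record the executable path and the owning user before killing the process, since they point to where the binary and its persistence were dropped.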
 
