Perfctl uses 100% cpu usage

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.1
Webmin version: 2.001
Virtualmin version: 7.3-1
Related packages: SUGGESTED

@Joe @Ilia

perfctl uses 100% CPU. Please see the screenshot.

@anuj9122,

This isn’t part of Virtualmin… Not sure what kind of help you are looking for.

1 Like

perfctl uses 100% CPU. Is this malware (perfctl)?

@anuj9122,

Maybe, do a Google search.

1 Like

It appears to be malware.

Read this thread.

It’s being run by user projectok. Seems like you should ask them what it is. If it is malware, they presumably got in via some web app run by that user (or via a weak password for that user). If the attacker got root, you probably wouldn’t see any obvious clues, since they could hide their processes and files. :man_shrugging:

Anyway, it’s not related to Virtualmin, as Peter mentioned. We don’t know anything about it. I’ve never heard of perfctl.

@Randomz

I checked the link. Because of that link, I am asking here.

@Joe

This is my home server. projectok is my primary domain and root user. Still, is it possible to trace processes and files?

Well, it’s clearly not your root user, because if your root user were compromised they wouldn’t be showing you their processes. As I said, an attacker that gains root can hide themselves almost completely. You won’t know they’re there, until your host shuts you down for sending spam or DDoSing others. It appears they got in with the projectok user (which is not root, even if it has sudo privileges…hopefully requiring a password). If they got root, you would have to format and reinstall your system. There is no other way to be reasonably sure it is cleaned up.

“trace” in what sense?

Checking the log for that domain would be a good first start on figuring out where it came from.

strace can tell you what the program is doing. You can attach to a running process with strace -p <pid>. This can be very chattery, and it isn’t very readable unless you’re a programmer familiar with C and the Linux or UNIX APIs. But, you might see it accessing files that give you some other clues.

You can also use Wireshark (tshark would be the appropriate tool for a server, since you probably don’t have GNOME installed; I’m not sure what package that’s in on Ubuntu) to sniff what packets it’s sending out…so you can see where it’s sending data.

If the attacker has not (yet) obtained root, you can kill their processes and clean it up in the user home, as long as you’re careful and get it all (if you leave anything behind, it’ll just reinstall itself, most likely…attackers generally have a kit of tools they install that includes tools to recover itself from being shut down or deleted).
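
A read-only first pass for the steps in the reply above (finding the account's processes before attaching strace or tshark to them), as an added example that is not part of the original thread. The function names and the overridable proc root are assumptions made for illustration, and the location checks are a general heuristic, not a perfctl signature.

```shell
#!/usr/bin/env bash
# Added example: read-only triage of processes owned by one account.
# The proc root is overridable so the functions can be run on a constructed tree.

# classify_exe PATH HOME -> prints a reason if the executable location is unusual
classify_exe() {
    case "$1" in
        *" (deleted)")                echo "binary deleted from disk while running" ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "runs from a world-writable directory" ;;
        "$2"/*)                       echo "runs from the account's home directory" ;;
        *)                            echo "" ;;
    esac
}

# list_user_procs UID HOME [PROC_ROOT] -> one line per process: pid<TAB>exe<TAB>reason
list_user_procs() {
    local uid="$1" home="${2:?home directory required}" root="${3:-/proc}"
    local dir pid owner exe
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # Field 2 of the "Uid:" line is the real UID of the process
        owner=$(awk '/^Uid:/ {print $2; exit}' "$dir/status")
        [ "$owner" = "$uid" ] || continue
        pid=${dir##*/}
        # The kernel appends " (deleted)" when the file was unlinked after launch
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="(unreadable)"
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$(classify_exe "$exe" "$home")"
    done
}

# flagged_pids UID HOME [PROC_ROOT] -> PIDs to look at first with strace -p or tshark
flagged_pids() {
    list_user_procs "$@" | awk -F'\t' '$3 != "" {print $1}'
}

# Typical use on the affected host (as root, so every /proc/<pid>/exe is readable):
#   list_user_procs "$(id -u projectok)" "$(getent passwd projectok | cut -d: -f6)"
```

A web application legitimately installed under the account's home will also be flagged, so treat the output as a list of things to inspect rather than a verdict.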