My Box hacked from cryptocurrency miner

A.Atef

@harvy66
i stopped all service and no client connected , the same error .i using 32 CPUs whith HP server Proliant 930 Gen9

ivor

Where did you search for it? Did you find any process running on your pfSense box indicating an issue?

gzorn

https://doc.pfsense.org/index.php/High_Load_Troubleshooting

As on that page, use 'top' to identify the process or processes that are responsible for the high load. That will give at least some idea of the next step. Also, a miner would be making weird network connections to its pool, which you could examine in pftop, presumably.

gsmornot

@gzorn
You said CPU so you want to look in System Activity.

AndyC

@a-atef said in My Box hacked from cryptocurrency miner:

![after last Update my Box increase CPU usage from 5% to 65% ,
when i searched about the reason I found cryptocurrency miner is caused this >

I saw the screenshot posted on facebook, and indeed there was a 'minerd' running.
Have you tried to kill the process? Does it start again?

ivor

I've seen that screenshot on Facebook, however there's no information provided from Mr. Atef about his configuration, not here or on Facebook.

• How did you configure your pfSense appliance? What packages and services are you running?
• Did you allow remote access to everyone?
• Did you enable ssh and how complex password did you use? How many people have access to your pfSense device?

We need more details. In fact, if you would be willing to send us your config file, we could examine it. You could also send us your whole status, simply add /status.php to your router IP and download it.

Thanks.

motific

In the spirit of making sure people get the whole story.

Ahmed asked about initially about high CPU load on the pfsense official facebook group and was asked to check top from the CLI - a screenshot was posted showing a minerd instance consuming the lion's share of the CPU cycles. So we know for sure it's a cryptominer at work.

He was advised to rebuild the box, he replied that he had done so and that the problem persisted. I have asked him to confirm that he actually did rebuild the box as I suspect a language issue that 'reboot' (shutdown then restart) may have been mixed up with 'rebuild' (wipe then reinstall).

A.Atef

chrismacmahon

Hello, I'm from the Global Support team at Netgate, can you open a ticket at https://go.netgate.com/support/login we would like to take a look at your issue.

chrismacmahon

We looked over the config and there were some design issues that allowed the attacker to gain access and install minerd, we have made some suggestions on a redesign.

This was NOT a flaw in our software, but human error.