100 cpu usage /opt/yam



  • Hello
    I have been using pfsense for a while now. When I logged in today, cpu usage was 100 and two identical processes/commands were taking it all, but I don't know what they are:
    /opt/yam -c 2 -m stratum+tcp://thevoid2….

    What is it and why is it using all of my cpu? I have searched here and on Google and can't find that command.

    Thanks


  • Netgate

    Google says it looks like a bitcoin miner. It is certainly not something from a default install or legitimate package.

    Did you change the default password?

    Did you open up https webgui or ssh or any other firewall-hosted services to the Internet?



  • I have standard firewall settings. Ssh is enabled but is it open from the outside by default? Yes I have changed the password. I am running openvpn as well.

    How is it possible for someone to get into the machine?


  • Galactic Empire Netgate

    @Chris-tia-n:

    I have standard firewall settings. Ssh is enabled but is it open from the outside by default? Yes I have changed the password. I am running openvpn as well.

    How is it possible for someone to get into the machine?

    Not possible without seriously flawed configuration. Someone had to get access to your router and install the mining software.



  • Ok, so if I haven't changed anything in the default firewall settings it must be something else. I have pfsense installed on unraid. Maybe unraid has exposed something through the wan port.

    Unraid is bridging the wan port to pfsense, is that a problem? Should it be passed through directly to be secure? Pfsense is the only vm running on the server right now.


  • Galactic Empire Netgate

    @Chris-tia-n:

    Ok, so if I haven't changed anything in the default firewall settings it must be something else. I have pfsense installed on unraid. Maybe unraid has exposed something through the wan port.

    Unraid is bridging the wan port to pfsense, is that a problem? Should it be passed through directly to be secure? Pfsense is the only vm running on the server right now.

    It could be, however I would need more information about your network layout. How did you configure unraid and pfSense? If the host is compromised then all the virtual machines are in danger of being compromised as well.



  • I did some tests. When I restart unraid, ssh and the web configurator are accessible from the internet.

    Thank you for your help. I will buy an Ethernet card so I can pass it directly to pfsense and not through unraid.


  • Netgate

    Also choosing a stronger password is probably in order.

    Use a password generator like Keychain Access, Lastpass, etc.


  • Banned

    Yeah, and key + pass auth for everything internet facing.

    There was a thread not too long ago where a user's pfSense box was accessed via VPN with a weak password.

    Use keys anywhere you can.
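
Added example, not part of the thread: a small POSIX shell check that flags processes like the one in the first post, whose command line points at a Stratum mining pool. The sample `ps` listing is constructed (the pool host, wallet placeholder and PIDs are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Flags processes whose arguments contain a stratum+tcp/ssl/tls:// URL.
# Expected input: output of `ps -axww -o pid,user,%cpu,command`.

find_miners() {
    awk '
    NR == 1 { next }                          # skip the ps header line
    {
        pool = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^stratum[+](tcp|ssl|tls):\/\//) {
                pool = $i
                sub(/^stratum[+][a-z]+:\/\//, "", pool)  # drop the scheme
                sub(/^[^@]*@/, "", pool)                 # drop user:pass@ if present
                sub(/\/.*$/, "", pool)                   # drop any trailing path
            }
        }
        if (pool != "")
            printf "pid=%s user=%s cpu=%s bin=%s pool=%s\n", $1, $2, $3, $4, pool
    }'
}

# Constructed sample listing (not taken from the affected machine).
sample_ps() {
cat <<'EOF'
  PID USER  %CPU COMMAND
  312 root   0.0 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
 4471 root  99.8 /opt/yam -c 2 -m stratum+tcp://WALLET:x@pool.example.invalid:3333/xmr
 4472 root  99.5 /opt/yam -c 2 -m stratum+tcp://WALLET:x@pool.example.invalid:3333/xmr
  801 root   0.1 /usr/sbin/sshd
EOF
}

# Run against the live process table on the firewall itself.
scan_live() {
    ps -axww -o pid,user,%cpu,command | find_miners
}

# Demonstration on the constructed sample.
sample_ps | find_miners
```

A hit only shows that a miner is running; the report gives the binary path and pool endpoint to record before the box is rebuilt and its exposed services are closed off.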