
Abnormal CPU utilization on an ECS instance that runs Linux (mining programs such as minerd and tplink)

Last Updated: Nov 20, 2020

This topic describes how to troubleshoot abnormal CPU utilization on an Elastic Compute Service (ECS) instance that runs Linux.

Problem description

The CPU utilization of an ECS instance exceeds 70% and even reaches 100%. As a result, the ECS instance slows down.

Notice

The possible causes listed below are for reference only. Attackers use many different techniques, so engineers must analyze the actual cause in each scenario.

Possible causes

  • Malicious processes, such as minerd or tplink, run on the ECS instance.

    These Bitcoin mining processes are maliciously installed after the ECS instance is compromised. The processes are usually found in the /tmp/ directory.

    You can use the following methods to check whether the processes are running:

    • Run the top command on the ECS instance.

      The following figure shows the command output (figure: top command output). The output shows the minerd process, which consumes a very large share of CPU resources. In other scenarios, the tplink process may be found instead.

    • Run the ps command on the ECS instance.

      If the command output of top does not show the malicious processes, run the ps command instead.

      The following figure shows the command output (figure: ps command output). The output shows the minerd process. If you did not start this process yourself, it was probably installed after the ECS instance was compromised.

  • Malicious modules are installed and hidden on the ECS instance.

    Attackers compromise the ECS instance by using a rootkit, then install mining programs and hide them. As a result, CPU utilization surges to 90% or even 100%. In this scenario, the top and ps commands cannot detect the hidden modules.

Solutions

  • Handle the minerd and tplink processes.

    1. Run the kill command to stop the detected process.

    2. Run the following command to locate the directory of the process by using the PID. Then, delete the files of the process.

      ls -l /proc/$PID/exe

      $PID specifies the ID of the process. You can obtain the ID by running the ps or top command.

      Note

      We recommend that you continue to enhance server security and optimize code to prevent servers from being compromised due to program vulnerabilities.

  • Handle the malicious modules that are hidden.

    This type of module includes raid.ko, iptable_mac.ko, snd_pcs.ko, usb_pcs.ko, and ipv6_kac.ko. You can run the file /lib/udev/usb_control/... command to check whether the preceding modules exist.

    For example, run the following command to check whether the iptable_mac.ko module exists:

    file /lib/udev/usb_control/iptable_mac.ko

    The following figure shows the command output (figure: iptable_mac.ko). The iptable_mac.ko module is detected.
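    The checks in the two procedures above (high-CPU processes, the binary behind a PID, the hidden .ko files) can be run together with the following triage script. It is an added example, not part of this article or of Alibaba Cloud's tooling; it assumes a Linux host with /proc and takes the process names, module names and 70% threshold from the text above.

```shell
# Added example, not from the Alibaba Cloud article: a small triage script that
# automates the checks above. Assumes a Linux host with /proc; the process and
# module names and the 70% threshold are the ones the article states.
SUSPECT_PROCS="minerd tplink"
SUSPECT_MODULES="raid.ko iptable_mac.ko snd_pcs.ko usb_pcs.ko ipv6_kac.ko"
CPU_THRESHOLD=70

# Reads "pid %cpu comm" lines (the format of `ps -eo pid=,pcpu=,comm=`) from
# stdin and echoes those that are a known mining process name or that exceed
# the CPU threshold, tagged with the reason. Pure text filter, testable offline.
flag_procs() {
    while read -r pid cpu comm; do
        [ -z "$pid" ] && continue
        hit=""
        for name in $SUSPECT_PROCS; do
            [ "$comm" = "$name" ] && hit="known-miner"
        done
        # compare the integer part of %cpu with the threshold
        if [ "${cpu%.*}" -ge "$CPU_THRESHOLD" ] 2>/dev/null; then
            hit="${hit:-high-cpu}"
        fi
        [ -n "$hit" ] && printf '%s %s %s %s\n' "$pid" "$cpu" "$comm" "$hit"
    done
    return 0
}

# Step 2 of the article: resolve the binary behind a PID through /proc/PID/exe.
# A "(deleted)" suffix in the result means the file was removed after launch.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unknown"
}

# Hidden-module check: print which of the listed .ko files exist in a directory
# (the article's is /lib/udev/usb_control) together with `file`'s description.
present_modules() {
    for m in $SUSPECT_MODULES; do
        if [ -e "$1/$m" ]; then
            printf '%s: ' "$1/$m"
            file -b "$1/$m" 2>/dev/null || echo "(file tool unavailable)"
        fi
    done
}

# Live run on this host; no output means nothing was flagged.
ps -eo pid=,pcpu=,comm= 2>/dev/null | flag_procs | while read -r pid cpu comm why; do
    printf 'PID %s (%s%% cpu, %s, %s) -> %s\n' "$pid" "$cpu" "$comm" "$why" "$(exe_of_pid "$pid")"
done
present_modules /lib/udev/usb_control
```

A flagged PID whose exe resolves to a path under /tmp/, or to a "(deleted)" file, matches the pattern the article describes and is worth preserving for forensics before the process is killed.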

References

For more information about how to troubleshoot similar issues on ECS instances that run Windows, see Best practices for managing mining programs.