MBilling Suddenly Started Using 100% CPU #690
Comments
Pretty sure you were hacked. If I were to guess, that mbilling file is a renamed crypto miner, and is thus using all your CPU to mine bitcoin or anything else. The file mbilling.conf should contain the address of the pool which the miner should be posting to. You can try using lsof -p (in your case, lsof -p 1852) to find the related files to this process, so you can find what else is running and how to delete it. |
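The information lsof -p reports can also be read directly from /proc. The following is an added example (not part of the thread and not MagnusBilling code) that collects a process's executable path, working directory, command line and open files, and flags two common signs of a dropped binary; the names inspect_pid and SUSPECT_DIRS and the directory list are assumptions.

```python
import os

# Assumed list of locations a system service should not normally run from.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/")

def inspect_pid(pid, proc_root="/proc"):
    """Collect roughly what `lsof -p PID` shows, plus simple warning flags."""
    base = os.path.join(proc_root, str(pid))
    exe = os.readlink(os.path.join(base, "exe"))   # real path of the binary
    cwd = os.readlink(os.path.join(base, "cwd"))   # where it was started
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    open_files = []
    fd_dir = os.path.join(base, "fd")
    for fd in sorted(os.listdir(fd_dir), key=int):
        try:
            open_files.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue  # descriptor was closed while we were reading
    flags = []
    if exe.endswith(" (deleted)"):
        flags.append("binary was deleted from disk while still running")
    if exe.startswith(SUSPECT_DIRS) or cwd.startswith(SUSPECT_DIRS):
        flags.append("runs from a temporary or web-served directory")
    return {"exe": exe, "cwd": cwd, "argv": argv,
            "open_files": open_files, "flags": flags}

if __name__ == "__main__":
    # Stand-alone run: inspect this Python process itself.
    report = inspect_pid(os.getpid())
    print(report["exe"], report["flags"])
```

Inspecting another user's process needs root. Entries of the form socket:[N] in open_files are network sockets, which is where a miner's pool connection would show up.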
Thank you very much. The way the attacker put it really felt like Magnus Billing was using all that CPU. On inspecting the code, it is really a crypto miner, thanks again. |
You are hacked. I have the same problem, any idea how to prevent being hacked? |
Yes....
Check these parameters. For Magnus Billing to work 100%, it is necessary to change them.
Change the php.ini file
; Basic Security Settings
; Restricts PHP scripts from running outside the designated directory
open_basedir = "/var/www/html:/tmp"
; Prevents dangerous functions from running
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
; Disables dynamic loading of extensions
enable_dl = Off
; Disables displaying errors on the screen to prevent information exposure
display_errors = Off
; Sends errors to internal logs
log_errors = On
error_log = /var/log/php_errors.log
; Input and Output Settings
; Limits the maximum file upload size
upload_max_filesize = 2M
post_max_size = 8M
; Restricts file upload permissions
file_uploads = Off
; Remote Code Execution Settings
; Blocks remote file execution via URL
allow_url_fopen = Off
allow_url_include = Off
; Session Settings
; Uses secure cookies and sets session policies
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
; Memory and Execution Settings
; Limits memory usage per script
memory_limit = 128M
; Sets a time limit for script execution
max_execution_time = 30
max_input_time = 30
; Information Exposure Settings
; Prevents PHP version exposure
expose_php = Off
|
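An added example (not part of the thread and not MagnusBilling code) that checks a php.ini file against the directives proposed in the comment above and reports the differences without changing anything. The function names are assumptions, and the parser handles only plain `name = value` lines.

```python
# Boolean directives and the values proposed in the comment above.
EXPECTED_BOOL = {
    "enable_dl": False, "display_errors": False, "log_errors": True,
    "file_uploads": False, "allow_url_fopen": False, "allow_url_include": False,
    "session.cookie_httponly": True, "session.cookie_secure": True,
    "session.use_strict_mode": True, "expose_php": False,
}
EXPECTED_DISABLED = set(
    "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,"
    "curl_multi_exec,parse_ini_file,show_source".split(","))
TRUE_WORDS = {"1", "on", "yes", "true"}

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                               # section headers, stray lines
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip('"')
    return values

def audit_php_ini(text):
    """List (directive, problem) pairs where the file differs from the proposal."""
    ini, findings = parse_php_ini(text), []
    for name, want in EXPECTED_BOOL.items():
        if name not in ini:
            findings.append((name, "not set (PHP default applies)"))
        elif (ini[name].lower() in TRUE_WORDS) != want:
            findings.append((name, "is %r" % ini[name]))
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")
                if f.strip()}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append(("disable_functions", "missing: " + ",".join(missing)))
    if not ini.get("open_basedir"):
        findings.append(("open_basedir", "not set"))
    return findings

# Constructed sample: the function list wrapped onto a second line, as a mail
# client would do. This parser reads the directive as empty.
WRAPPED = "disable_functions =\nexec,passthru,shell_exec\nexpose_php = Off\n"

if __name__ == "__main__":
    for name, problem in audit_php_ini(WRAPPED):
        print(name, "->", problem)
```

The command-line PHP and the web server often load different php.ini files, so run the check on the file the web-facing PHP actually loads: `php --ini` lists the CLI's file, and phpinfo() served through the web server shows the one that matters for the web UI.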
I find 3 php.ini files, what is the php file to change? |
The vulnerability was located a while ago, here is the solution to remote command execution, I hope. https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2023-30258 |
I installed a new machine using Debian 12 and the last version of Magnus, with the same behavior. I see calls from Magnus to my users, trying to register. I don't know how to secure Magnus. Magnus and Debian are fully upgraded. |
Added all this in php.ini and now the mbilling web is not working/loading. I am getting hacked again and again; sometimes files get into the lib folder, and sometimes into the Assets folder. I have updated mbilling, still it's the same, getting hacked again and again. Any solution for this? I am using CentOS 7. |
Delete lib/icepay/icepay.php, but this fix does not appear in the main branch. This project is abandoned, in my opinion. |
Can someone tell me how to fix this? I already deleted lib/icepay/icepay.php. |
In my experience, the mining script is already installed despite having deleted the aforementioned file, check the lib and temp folders, check them carefully, the files have the name magnusbilling if I remember correctly. But it could damage your magnusbilling if you delete legitimate files. |
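An added example (not part of the thread and not MagnusBilling code) of a report-only sweep for the check described above: it lists native ELF binaries and recently modified PHP files under a web root and deletes nothing, so legitimate files are not at risk. The name scan_web_root and the 30-day window are assumptions.

```python
import os
import stat
import time

ELF_MAGIC = b"\x7fELF"  # first four bytes of a Linux native executable

def scan_web_root(root, recent_days=30, now=None):
    """Report-only: native binaries and recently changed PHP files under root."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue                # skip symlinks, sockets, devices
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue                    # unreadable or vanished: keep scanning
            rel = os.path.relpath(path, root)
            if head == ELF_MAGIC:
                findings.append((rel, "ELF binary inside the web root"))
            elif name.endswith(".php") and st.st_mtime >= cutoff:
                findings.append(
                    (rel, "PHP file modified in the last %d days" % recent_days))
    return sorted(findings)

if __name__ == "__main__":
    # /var/www/html is the web root named in the php.ini comment in this thread.
    for rel, reason in scan_web_root("/var/www/html"):
        print(rel, "->", reason)
```

Modification times can be reset by whoever wrote the file, so treat an empty result as inconclusive and compare the tree against a clean copy of the same release when one is available.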
Can you check from my AnyDesk? Please help me out.
…On Mon, 27 Jan 2025, 4:03 pm williamfjm, ***@***.***> wrote:
In my experience, the mining script is already installed despite having
deleted the aforementioned file, check the lib and temp folders, check them
carefully, the files have the name magnusbilling if I remember correctly.
But it could damage your magnusbilling if you delete legitimate files.
Checking htop also gives clues about the origin of the program that
consumes the resources.
|
I understand the situation you are in. I also had a bad time because of these cybercriminals. I have some IP addresses that I identified as the origin of the attack, but I am not sure about publishing them here. Could you give me some way to send them to them? |
Email me
***@***.***
Whatsapp +923355819282
|
Our system was running smoothly, and had a very low amount of usage, but suddenly, mbilling is using all the CPU cores at 100%.
I checked server logs, but couldn't find anything that could be causing it.