
Firewall CPU constantly at 100%

Hi folks,

We've got a couple of UTM firewalls running for several customers and we've noticed that some of those are running constantly at 100% CPU load.

These UTM firewalls all have different versions running, somewhere between 9.5 and 9.7. And after checking the running processes we've noticed the culprit seems to be the process called 'xmrig'. I'm not familiar with this process but if you do a simple search on google, you'll get all kinds of crypto miner hits, suggesting this process is being used/abused to mine cryptos.

When we deployed a fresh UTM firewall, we noticed this process is available/running from the start. So I'm guessing this process has been around on the UTM firewalls for some time. Does the UTM even use this process itself or is it just part of the Linux distro?

Anybody else encountered this behaviour before? Is it safe to assume these firewalls have been compromised, or are we way off base?

Cheers,

Frank



  • We were discussing the 100% issue here last year and saw with a few UTMs that the issue was related to Up2Date.  Turning that off seemed to turn down the CPU usage.  I've seen another where the log files are astronomical in size.  I would start there and see.

    The only reference that I found to xmrig related to Sophos (search at the top of the page) was related to some updated definitions.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • If you found a vulnerable version and webadmin is exposed to the internet ... you have a crypto-miner. ... at least ... if you are lucky

    One option to place a malware is to replace a regular process. Middleware will load the malware while trying to restart the stopped process.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
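A small triage script for the two symptoms raised in this thread: a process called 'xmrig' pinning the CPU (Frank's post) and a legitimate process name whose binary has been swapped (Dirk's point). This is an added example, not code from the thread or from Sophos; the `ps` output and the known-good path inventory are constructed, and the thresholds and directory list are assumptions.

```python
import re
from dataclasses import dataclass

MINER_NAMES = {"xmrig", "minerd", "cpuminer"}          # well-known miner binary names
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # odd places for a daemon to live
CPU_THRESHOLD = 90.0                                   # percent, per ps pcpu column (assumed)

@dataclass
class Finding:
    pid: int
    comm: str
    reasons: list

def parse_ps(text):
    """Yield (pid, pcpu, comm, args) from `ps -eo pid,pcpu,comm,args --no-headers`."""
    for line in text.strip().splitlines():
        pid, pcpu, comm, args = re.split(r"\s+", line.strip(), maxsplit=3)
        yield int(pid), float(pcpu), comm, args

def triage(ps_text, expected_paths):
    """expected_paths maps a process name to its known-good binary path (assumed
    inventory). A legitimate name running from a different path is the
    'replaced regular process' pattern mentioned in the thread."""
    findings = []
    for pid, pcpu, comm, args in parse_ps(ps_text):
        exe, reasons = args.split()[0], []
        if comm in MINER_NAMES or any(n in args.lower() for n in MINER_NAMES):
            reasons.append("known miner name")
        if pcpu >= CPU_THRESHOLD:
            reasons.append(f"cpu {pcpu:.0f}%")
        if exe.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"runs from {exe}")
        if comm in expected_paths and exe != expected_paths[comm]:
            reasons.append(f"binary {exe} != expected {expected_paths[comm]}")
        if reasons:
            findings.append(Finding(pid, comm, reasons))
    return findings

# Constructed sample: one obvious miner, one swapped httpd, two clean processes.
SAMPLE_PS = """\
  412  0.3 sshd   /usr/sbin/sshd -D
 2231 99.6 xmrig  /tmp/.x/xmrig --config=/tmp/.x/c.json
 2890 97.1 httpd  /var/tmp/httpd -k start
 3001  1.2 httpd  /usr/sbin/httpd -k start
"""
EXPECTED = {"httpd": "/usr/sbin/httpd", "sshd": "/usr/sbin/sshd"}  # constructed inventory
if __name__ == "__main__":
    for f in triage(SAMPLE_PS, EXPECTED):
        print(f"PID {f.pid} ({f.comm}): " + "; ".join(f.reasons))
```

On a real host, feed it `ps -eo pid,pcpu,comm,args --no-headers` and build the inventory from package metadata or a clean reference appliance rather than from the suspect box itself.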

  • Hi Frank and welcome to the UTM Community!

    What did Sophos Support say about this?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA