Thousands of Linux systems infected by "perfctl" malware since 2021 - eviltoast

TLDR: perfctl is a crypto mining and proxy jacking malware that exploits about 20’000 common missconfigurations to install itself on Linux servers. Mostly using a 10/10 CVE on Apache RocketMQ.

It is very persistent and can reinstall itself even when you have deleted all the perfctl and perfcc files. It hides itself by removing logs, network packets, and stopping all activity once you login to the machine.

Monitoring cpu usage using tools (I use net data on my server) can help identify infections (100% cpu usage when « idle »).

  • Kajika@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    3 months ago

    I will never understand people using 3rdparty MQ and RPC implementations. What a a PR for rocketMQ right here.

    You can and you should implement your communication protocols, most of the time 3rdparties are very wasteful and a security liability. I like ZeroMQ (https://zeromq.org/), they have amazing tech guides (https://zguide.zeromq.org/). I still mostly do my own code.

    I may have trust issues but sockets are not THAT hard, they’re just amzaingly frustrating to debug, not as much as debuging 3rdparty code.