

Any idea what this process is? It has high CPU usage

I tried to kill it; it respawns instantly. Any idea how to diagnose this process?

Comments

  • SplitIce Member, Host Rep

    I'm guessing you have been hacked; that's likely your server being used in a DDoS.

  • @SplitIce said:
    I'm guessing you have been hacked; that's likely your server being used in a DDoS.

    What should I do, apart from reinstalling the whole OS?

    Any idea how to pinpoint the binary and delete it? I tried to delete the gsd binary. It still relaunches itself.

  • That's the Gnome Shell.

    Are you running Gnome by chance?

  • Are you running this by chance?

    https://gsd.readthedocs.io/en/stable/installation.html (Python Related)

  • @yokowasis said:
    I tried to kill it, it respawn instantly

    Please leave it running.

    With our software we empowered you to become a citizen scientist by donating your unused computer power.

    We're running blockcha... I mean simulations of proteins, the molecular machines that perform most of the active processes we associate with life.

    Please note that our software is completely free and easy to install.

  • @Petey_Long said:
    Are you running this by chance?

    https://gsd.readthedocs.io/en/stable/installation.html (Python Related)

    (hopefully not...just realized it was running as root lol)

  • @yokowasis said:

    @SplitIce said:
    I'm guessing you have been hacked, thats likely your server being used in a DDoS.

    any idea how to pinpoint the binary and delete it?

    In your htop, highlight it and press L

  • Kevinf100 Member
    edited September 13

    As @Petey_Long said, maybe Python?

    $ gsd
    Command 'gsd' not found, but can be installed with: sudo apt install python3-gsd

    Could also sudo type -a gsd to find it. Or try pressing 'l' on the process to get more info.

    or ps -a -u -x -w -e | grep gsd (Flags are like this due to LET blocking it being grouped.)

    or check with sudo ls -l /proc/<PID from htop or ps>/exe

  • SplitIce Member, Host Rep

    If not certain, an strace may reveal what it's doing.

    Auto restarting as root makes me immediately think it's nothing good (but it's not 100%)

  • Cybr Member
    edited September 14

    Probably hacked and had a crypto miner installed. I did a temp OS install with an easy password on a server a while back to do a quick test, and within minutes it had been hacked and had a crypto miner installed pretending to be "Opera". I nuked that install immediately.

    Run this command to get the path to the executable: readlink -f /proc/$(pgrep -n gsd)/exe

    You can then do some simple analysis on it like running the strings command on it and skimming through or filtering the output.

    You could also upload that gsd file somewhere so someone can analyze it.

  • CharityHost_org Member, Patron Provider
    edited September 14

    Did you install or try to install a desktop UI/Gnome on this VPS?

    If you are on a deb system, try running dpkg -l | grep -i gsd

    It may be just that and you are ramping the VPS with the gnome desktop ui?

    However, If it is a hacked server otherwise, my suggestion would be to consider reinstalling the OS from zero, and your applications from backups. Make sure you properly harden your server and applications to avoid getting hacked.

    FWIW a search on brave: https://search.brave.com/search?q=linux+process+gsd&source=web&summary=1&summary_og=eb37b208ef80a009158105

  • That's the gnome settings daemon. (Not hacked.... I've seen that here people use "hacked" for anything).

    Just remove the gnome shell and you are good to go.

  • CharityHost_org Member, Patron Provider
    edited September 14

    "Gnome Setting Daemon", exactly...

  • @itachikonoha said:
    That's the gnome settings daemon. (Not hacked.... I've seen that here people use "hacked" for anything).

    Well then, case closed! Nothing to see here guys... It's just the gnome settings daemon, on a server which probably has no desktop and X server installed, which just happens to be using 100% of half the server's cores under the name of an executable which would be commonly found on desktop machines, exactly like most crypto miners that get installed on hacked servers.

    You wouldn't happen to be the non-hacker that installed that totally legit gnome settings daemon process on his server, would you?

  • @Cybr said:

    @itachikonoha said:
    That's the gnome settings daemon. (Not hacked.... I've seen that here people use "hacked" for anything).

    Well then, case closed! Nothing to see here guys... It's just the gnome settings daemon, on a server which probably has no desktop and X server installed, which just happens to be using 100% of half the server's cores under the name of an executable which would be commonly found on desktop machines, exactly like most crypto miners that get installed on hacked servers.

    You wouldn't happen to be the non-hacker that installed that totally legit gnome settings daemon process on his server, would you?

    Since you are so sure of hacking, are you that non-hacker that installed the "hidden crypto miner" on OP's server? Because if you indeed did it, who else is in a better position to testify than the man himself.... Isn't it?

    So what's your statement regarding this?

  • It was me. Trying to help recoup $22k in crypto. Don't mind me.

  • xxsl Member, LIR
    edited September 14

    @yokowasis

    You could find the path of that binary first by
    readlink -f /proc/(change this to the pid)/exe

    then

    file (path of that binary)
    
    ldd (path of that binary)
    

    and post the result of the above commands here; maybe we can help you guess what it actually is.

  • @itachikonoha said:
    So what's your statement regarding this?

    Hello. Yes, it's possible.

    I can give you a statement with hidden crypto, it's no problem.

    Regards

  • It's definitely not the gnome daemon. I don't use gnome. The closest thing to gnome that I can think of is, I installed xfce and vncserver. I doubt it's that.

    @darkimmortal said:
    In your htop, highlight it and press L

    I tried this, it says something about executable deleted.

  • @yokowasis said:
    It's definitely not the gnome daemon. I don't use gnome. The closest thing to gnome that I can think of is, I installed xfce and vncserver. I doubt it's that.

    @darkimmortal said:
    In your htop, highlight it and press L

    I tried this, it says something about executable deleted.

    What happens after a reboot? Is it persistent?

  • CharityHost_org Member, Patron Provider
    edited September 15

    What's your OS? Use the package manager to search for gsd. If nothing, then start forensics.

    find / -name gsd
    
    strace -p <PID> -o strace-gsd-output
    

    inspect output, etc.

    Seems that if you are pwnd at root, you will have to DR this from a fresh install and use best practice security hardening. Trying to clean up a root pwned OS is an uphill battle that you never know if you are fully cleared. Unencrypted VNC connections will be a Man-in-the-middle vulnerability. Using simple passwords instead of fully random seed for ssh and VNC also a bad idea. Use ssh rsa keys and disable root password in sshd_config. Use firewall best practices, and consider AV clamav scanning, on and on.
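    The sshd_config advice in the post above (no password logins, no root password login), as an added example that is not code from the thread. It is a small audit for the two keywords in a sshd_config-style text, with a constructed weak config and a hardened one embedded inline. The one thing it is built to show is the sshd rule that the first occurrence of a keyword wins, so appending "PasswordAuthentication no" below an earlier "yes" changes nothing. It assumes POSIX sh and awk; file names and the config contents are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two
# settings the post calls out. Config text below is constructed for the demo.

# Effective value of a keyword read from stdin. sshd takes the FIRST value it
# sees for a keyword (keywords are case-insensitive), so duplicates added
# later in the file are silently ignored. Match blocks and Include directives
# are not modelled here; see the note after the block.
sshd_effective() {   # usage: sshd_effective <keyword> < sshd_config
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments and blanks
        tolower($1) == key { print tolower($2); exit }'
}

# Reads a config on stdin. Prints one finding per line; returns 0 only when
# both settings are acceptable.
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    pa=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication)
    pr=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin)
    # Compiled-in defaults when the keyword is absent:
    # PasswordAuthentication yes, PermitRootLogin prohibit-password (OpenSSH 7.0+).
    case "${pa:-yes}" in
        no) ;;
        *)  echo "PasswordAuthentication=${pa:-yes(default)}: password guessing possible"; rc=1 ;;
    esac
    case "${pr:-prohibit-password}" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *)  echo "PermitRootLogin=$pr: root can log in with a password"; rc=1 ;;
    esac
    return $rc
}

# Constructed weak config: the admin appended a "fix" at the bottom that the
# first-match rule makes ineffective.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, but the first PasswordAuthentication line above wins
PasswordAuthentication no
EOF
}

# Constructed hardened config: keys only, root only via keys.
hardened_config() {
    cat <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Usage: weak_config | audit_sshd_config   (prints two findings, exits 1)
#        hardened_config | audit_sshd_config   (prints nothing, exits 0)
```

    On a live host the authoritative check is `sshd -T` (the effective configuration after all files and Match blocks are resolved), and on recent Debian and Ubuntu the stock sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in there takes precedence over anything written further down in the main file. Restart sshd after editing, and keep the current session open until a key-based login in a second session works.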

  • vsys_host Member, Patron Provider

    As already suggested, find the binary path via readlink -f /proc/$(pgrep -n gsd)/exe
    Try to remove it (back it up first), and if after removing the binary and killing all processes the process spawns again, as well as the binary file (at the same or a different path), then your system is probably compromised and a fresh install is required. Normal Linux processes do not restore their binary after you delete it.
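    The triage steps suggested across the thread (the readlink on /proc/PID/exe, the /proc/PID listing, htop's 'l' view that reported the executable as deleted, and the delete-and-watch test in the post above), pulled together into one script. This is an added example, not code posted in the thread. It assumes a Linux host with procfs and procps (pgrep), uses dpkg -S only where it exists (rpm -qf is the equivalent on RPM systems), and treats "gsd" purely as the name from the original post; the copy-of-sleep demo at the end is constructed to reproduce the "(deleted)" symptom on purpose.

```shell
#!/bin/sh
# Added example, not from the thread: triage a suspicious process name on Linux.
# Assumes procfs and procps; "gsd" is just the name from the original post.

# Classify the target of /proc/PID/exe. The kernel appends " (deleted)" when
# the file backing a running program has been unlinked, which is what htop's
# 'l' view reported to the OP. Legitimate daemons only look like this briefly
# after a package upgrade; a respawning process in this state is a red flag.
classify_exe_link() {
    case "$1" in
        "")            echo "unreadable" ;;   # no permission, or process already gone
        *" (deleted)") echo "deleted" ;;
        *)             echo "on-disk" ;;
    esac
}

# Everything a practitioner wants to see about one PID before deciding.
inspect_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
    state=$(classify_exe_link "$exe")
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || true)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || true)
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
    socks=$(ls -l "/proc/$pid/fd" 2>/dev/null | grep -c 'socket:' || true)
    printf 'pid=%s ppid=%s exe=%s [%s]\n  cwd=%s\n  cmdline=%s\n  open sockets=%s\n' \
        "$pid" "$ppid" "${exe:-?}" "$state" "${cwd:-?}" "$cmd" "$socks"
    # A binary the package manager does not know about deserves a closer look
    # (rpm -qf "$exe" is the RPM-world equivalent).
    if [ "$state" = "on-disk" ] && command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$exe" 2>/dev/null || echo "  not owned by any dpkg package"
    fi
    # The parent is usually what keeps respawning it: cron, a unit, or another implant.
    if [ -n "$ppid" ] && [ "$ppid" != "0" ]; then
        printf '  parent: %s\n' "$(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null || true)"
    fi
}

# Triage every process whose command name matches exactly, e.g. triage_name gsd
triage_name() {
    for pid in $(pgrep -x "$1"); do inspect_pid "$pid"; done
}

# Even after the file is unlinked, /proc/PID/exe still serves its contents, so a
# sample can be saved for analysis (strings, file, ldd, or upload) at any time.
recover_exe() {   # usage: recover_exe <pid> <output path>
    cp "/proc/$1/exe" "$2"
}

# Reproduce the symptom: run a copy of a harmless binary under the name from the
# thread, delete it from disk, and show what procfs reports. Prints the
# classification, plus "recoverable" when the sample could be saved from /proc.
demo_deleted_binary() {
    dir=$(mktemp -d) || return 1
    cp "$(command -v sleep)" "$dir/gsd" || { rmdir "$dir"; return 1; }
    "$dir/gsd" 30 &
    bgpid=$!
    rm "$dir/gsd"
    sleep 1                                    # let the child finish exec()
    result=$(classify_exe_link "$(readlink "/proc/$bgpid/exe" 2>/dev/null)")
    if recover_exe "$bgpid" "$dir/recovered" 2>/dev/null &&
       cmp -s "$dir/recovered" "$(command -v sleep)"; then
        result="$result recoverable"
    fi
    kill "$bgpid" 2>/dev/null || true
    wait "$bgpid" 2>/dev/null || true
    rm -f "$dir/recovered"
    rmdir "$dir"
    echo "$result"
}

# Usage: . ./triage.sh; triage_name gsd; demo_deleted_binary
```

    Read the output in this order: a deleted exe that keeps coming back, a cwd like /tmp or /dev/shm, a parent that is cron or an unfamiliar unit, and open sockets on a machine that should not be talking outbound. Save the sample with recover_exe before killing anything, since the deleted inode disappears with the last process holding it. None of this cleans the box; as the posts above say, a root-level compromise is a reinstall.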
