Any idea what this process is? It has high CPU usage.

I tried to kill it, but it respawns instantly. Any idea how to diagnose this process?

Thanked by 1mandala

Comments

  • SplitIce Member, Host Rep

    I'm guessing you have been hacked; that's likely your server being used in a DDoS.

    Thanked by 1mandala
  • @SplitIce said:
    I'm guessing you have been hacked; that's likely your server being used in a DDoS.

    What should I do, apart from reinstalling the whole OS?

    Any idea how to pinpoint the binary and delete it? I tried to delete the gsd binary; it still relaunches itself.

    Thanked by 1mandala
  • That's the Gnome Shell.

    Are you running Gnome by chance?

    Thanked by 1mandala
  • Are you running this by chance?

    https://gsd.readthedocs.io/en/stable/installation.html (Python Related)

    Thanked by 1mandala
  • @yokowasis said:
    I tried to kill it, it respawns instantly

    Please leave it running.

    With our software we empowered you to become a citizen scientist by donating your unused computer power.

    We're running blockcha... I mean simulations of proteins, the molecular machines that perform most of the active processes we associate with life.

    Please note that our software is completely free and easy to install.

    Thanked by 2Chuck mandala
  • @Petey_Long said:
    Are you running this by chance?

    https://gsd.readthedocs.io/en/stable/installation.html (Python Related)

    (hopefully not...just realized it was running as root lol)

    Thanked by 1mandala
  • @yokowasis said:

    @SplitIce said:
    I'm guessing you have been hacked; that's likely your server being used in a DDoS.

    any idea how to pinpoint the binary and delete it?

    In your htop, highlight it and press L

    Thanked by 1mandala
  • Kevinf100 Member
    edited September 2024

    As @Petey_Long said, maybe Python?
    gsd
    Command 'gsd' not found, but can be installed with: sudo apt install python3-gsd

    You could also run sudo type -a gsd to find it. Or try pressing 'l' on its process to get more info.

    Or ps -a -u -x -w -e | grep gsd (flags are like this due to LET blocking it being grouped.)

    Or check sudo ls -l /proc/<PID from htop or ps>/exe

    Thanked by 1mandala
  • SplitIce Member, Host Rep

    If not certain, an strace may reveal what it's doing.

    Auto-restarting as root makes me immediately think it's nothing good (but it's not 100%).

    Thanked by 1mandala
  • Cybr Member
    edited September 2024

    Probably hacked and had a crypto miner installed. I did a temp OS install with an easy password on a server a while back to do a quick test, and within minutes it had been hacked and had a crypto miner installed pretending to be "Opera". I nuked that install immediately.

    Run this command to get the path to the executable: readlink -f /proc/$(pgrep -n gsd)/exe

    You can then do some simple analysis on it like running the strings command on it and skimming through or filtering the output.

    You could also upload that gsd file somewhere so someone can analyze it.

    Thanked by 2Chuck mandala
  • edited September 2024

    Did you install or try to install a desktop UI/Gnome on this VPS?

    If you are on a deb system, try running dpkg -l | grep -i gsd

    It may be just that and you are ramping the VPS with the gnome desktop ui?

    However, if it is otherwise a hacked server, my suggestion would be to consider reinstalling the OS from zero, and your applications from backups. Make sure you properly harden your server and applications to avoid getting hacked.

    FWIW a search on brave: https://search.brave.com/search?q=linux+process+gsd&source=web&summary=1&summary_og=eb37b208ef80a009158105

    Thanked by 1mandala
  • That's the gnome settings daemon. (Not hacked.... I've seen that here people use "hacked" for anything).

    Just remove the gnome shell and you are good to go.

  • edited September 2024

    "Gnome Setting Daemon", exactly...

    Thanked by 1mandala
  • @itachikonoha said:
    That's the gnome settings daemon. (Not hacked.... I've seen that here people use "hacked" for anything).

    Well then, case closed! Nothing to see here guys... It's just the gnome settings daemon, on a server which probably has no desktop and X server installed, which just happens to be using 100% of half the server's cores under the name of an executable which would be commonly found on desktop machines, exactly like most crypto miners that get installed on hacked servers.

    You wouldn't happen to be the non-hacker that installed that totally legit gnome settings daemon process on his server, would you?

    Thanked by 2mandala jnd
  • @Cybr said:

    @itachikonoha said:
    That's the gnome settings daemon. (Not hacked.... I've seen that here people use "hacked" for anything).

    Well then, case closed! Nothing to see here guys... It's just the gnome settings daemon, on a server which probably has no desktop and X server installed, which just happens to be using 100% of half the server's cores under the name of an executable which would be commonly found on desktop machines, exactly like most crypto miners that get installed on hacked servers.

    You wouldn't happen to be the non-hacker that installed that totally legit gnome settings daemon process on his server, would you?

    Since you are so sure of hacking, are you that non-hacker that installed the "hidden crypto miner" in OP's server? Because if you indeed did it, who else is in a better position to testify than the man himself.... Isn't it?

    So what's your statement regarding this?

  • It was me. Trying to help recoup $22k in crypto. Don't mind me.

    Thanked by 1mandala
  • xxsl Member, LIR
    edited September 2024

    @yokowasis

    You could find the path of that binary first by

    readlink -f /proc/(change this to the pid)/exe

    then

    file (path of that binary)

    ldd (path of that binary)

    and post the result of the above commands here; maybe we can help you guess what it actually is.

  • @itachikonoha said:
    So what's your statement regarding this?

    hello. yes, it s possible.

    i can giv u state men with hidden crypto, its no problem.

    reguard

    Thanked by 1mandala
  • It's definitely not the gnome daemon. I don't use gnome. The closest thing to gnome that I can think of is that I installed xfce and vncserver. I doubt it's that.

    @darkimmortal said:
    In your htop, highlight it and press L

    I tried this, it says something about executable deleted.

    Thanked by 1mandala
  • @yokowasis said:
    It's definitely not the gnome daemon. I don't use gnome. The closest thing to gnome that I can think of is that I installed xfce and vncserver. I doubt it's that.

    @darkimmortal said:
    In your htop, highlight it and press L

    I tried this, it says something about executable deleted.

    What happens after a reboot? Is it persistent?

    Thanked by 1mandala
  • edited September 2024

    What's your os? Use package manager to search for gsd. If nothing, then start forensics.

    find / -name gsd
    
    strace -p <PID> -o strace-gsd-output
    

    inspect output, etc.

    Seems that if you are pwnd at root, you will have to DR this from a fresh install and use best-practice security hardening. Trying to clean up a root-pwned OS is an uphill battle where you never know if you are fully cleared. Unencrypted VNC connections will be a man-in-the-middle vulnerability. Using simple passwords instead of a fully random seed for ssh and VNC is also a bad idea. Use ssh rsa keys and disable the root password in sshd_config. Use firewall best practices, and consider AV clamav scanning, on and on.

    Thanked by 2mandala eb1995
  • vsys_host Member, Patron Provider

    As already suggested, find the binary path via readlink -f /proc/$(pgrep -n gsd)/exe
    Try to remove it (back it up first), and if after removing the binary and killing all processes the process spawns again, as well as the binary file (with the same or a different path), then your system is probably compromised and a fresh install is required. Normal Linux processes do not restore their binary after you delete them.

    Thanked by 1mandala
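    The replies above suggest the same checks piecemeal (readlink on /proc/PID/exe, htop's "l" view that reported the executable as deleted, file/ldd on the path, and watching whether the binary comes back). The script below is an added example, not code from the thread or from any of the posters: it gathers those answers for one PID or process name in a single record, reading only /proc and calling readlink, awk, and dpkg or rpm. The helper names (exe_is_deleted, triage_pid and so on) are my own. Run it as root to see processes owned by other users.

```sh
#!/bin/sh
# Added triage helper (not from the thread): for a PID or a process name it
# reports the /proc exe link target, whether the binary has been unlinked
# ("(deleted)"), the parent that keeps respawning it, its cwd, and whether
# any package owns the file. Only /proc, readlink, awk, dpkg/rpm are used.

# exe_is_deleted TARGET: succeeds when a /proc/PID/exe link target ends in
# " (deleted)", i.e. the file was removed while the process kept running.
exe_is_deleted() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# exe_path TARGET: the link target with the " (deleted)" suffix stripped.
exe_path() {
    printf '%s\n' "$1" | sed 's/ (deleted)$//'
}

# status_field PID FIELD: one value (e.g. Name, PPid) from /proc/PID/status.
status_field() {
    awk -v f="$2:" '$1 == f { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# owning_package PATH: package that owns PATH per dpkg or rpm, or "none".
# A "desktop" binary no package owns on a headless server is the red flag
# several replies point at.
owning_package() {
    pkg=
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$1" 2>/dev/null) || pkg=
    fi
    printf '%s\n' "${pkg:-none}"
}

# triage_pid PID: one tab-separated record:
# pid name ppid parent-name exe-target deleted cwd owning-package
triage_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || return 1
    name=$(status_field "$pid" Name)
    ppid=$(status_field "$pid" PPid)
    pname=$(status_field "$ppid" Name)
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe=unreadable
    if exe_is_deleted "$exe"; then deleted=yes; else deleted=no; fi
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd=unreadable
    pkg=$(owning_package "$(exe_path "$exe")")
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$pid" "$name" "$ppid" "${pname:-?}" "$exe" "$deleted" "$cwd" "$pkg"
}

# triage_by_name NAME: triage every process whose comm name is NAME.
triage_by_name() {
    for p in $(pgrep -x "$1"); do
        triage_pid "$p"
    done
}

# Stand-alone use:  sh triage.sh gsd
if [ -n "${1:-}" ]; then
    printf 'pid\tname\tppid\tparent\texe\tdeleted\tcwd\tpackage\n'
    triage_by_name "$1"
fi
```

Read the record with the thread in mind: deleted=yes combined with package=none means a binary that was unlinked after launch and that no package manager installed, and the parent column tells you which process to look at next when killing the child only makes it come back. Take a copy of the running image (cp /proc/PID/exe somewhere) before you kill anything, since the path on disk may already be gone.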
  • Hi, I think I found this forum a bit too late...

    In December 2024, I detected a process named gsd on some servers. This is a crypto mining malicious program that exploits your CPU.

    I’ve created some scripts to help remove it completely: https://github.com/kade93/eliminate-gsd-crypto-hack

    An unknown public key may also exist if your server has been infected with this process.
    It’s recommended to remove all authorized keys and delete any files related to gsd.

    Thanked by 3mandala eb1995 0xC7
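    kade93's note that an unknown public key may have been added is worth turning into a repeatable check rather than a one-off "remove everything". The script below is an added example, not kade93's repository code and not from the thread: it walks every authorized_keys file on the host and reports entries whose key material is not in an allowlist you maintain. The allowlist format (one "type base64" per line), the function names, and the placeholder key strings in make_demo_files are all my own construction, not real keys.

```sh
#!/bin/sh
# Added example (not kade93's script): report authorized_keys entries whose
# key material is absent from an allowlist. Placeholder key strings below are
# constructed for the demo and are not real keys.

# key_material LINE: print "type base64" for one authorized_keys line,
# skipping comments/blank lines, any leading options (command=..., no-pty)
# and the trailing comment; prints nothing when the line carries no key.
key_material() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-.*)$/) {
                    print $i, $(i + 1)
                    exit
                }
        }'
}

# audit_authorized_keys FILE ALLOWLIST: print "UNKNOWN FILE: type base64" for
# every key in FILE whose material is not a whole line of ALLOWLIST.
audit_authorized_keys() {
    file=$1
    allow=$2
    while IFS= read -r line || [ -n "$line" ]; do
        km=$(key_material "$line")
        [ -n "$km" ] || continue
        if ! grep -qxF -- "$km" "$allow"; then
            printf 'UNKNOWN %s: %s\n' "$file" "$km"
        fi
    done < "$file"
}

# count_unknown_keys FILE ALLOWLIST: number of flagged entries.
count_unknown_keys() {
    audit_authorized_keys "$1" "$2" | wc -l | tr -d ' '
}

# audit_all_users ALLOWLIST: audit every home directory listed in /etc/passwd
# (run as root to read other users' files).
audit_all_users() {
    awk -F: '{ print $6 }' /etc/passwd | sort -u | while IFS= read -r home; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            if [ -f "$f" ]; then
                audit_authorized_keys "$f" "$1"
            fi
        done
    done
}

# make_demo_files DIR: write a constructed authorized_keys/allowlist pair
# (placeholder key material) so the audit can be tried offline.
make_demo_files() {
    dir=$1
    cat > "$dir/authorized_keys" <<'EOF'
# constructed sample file, placeholder keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY admin@laptop
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERBACKUP backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERUNKNOWN1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERUNKNOWN2 root@somewhere
EOF
    cat > "$dir/allowlist" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERBACKUP
EOF
}

# Stand-alone use:  sh audit_keys.sh /root/known_keys.txt   (live audit)
#                   sh audit_keys.sh --demo                  (constructed data)
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d)
    make_demo_files "$d"
    audit_authorized_keys "$d/authorized_keys" "$d/allowlist"
    rm -rf "$d"
elif [ -n "${1:-}" ]; then
    audit_all_users "$1"
fi
```

Matching on the key material rather than on the trailing comment matters: the comment is free text and an attacker can label a key "admin@laptop" just as easily as you can. Keep the allowlist off the host (or at least outside any directory the compromised account could write), and remember that on a box where root was taken the audit tells you what was planted, not that you are clean; the reinstall advice in the replies above still applies.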
  • @kade93 said:
    It’s recommended to remove all authorized keys and delete any files related to gsd.

    If the above has happened to your server, you need to reinstall it from clean media and then restore data backups to it, only.

    Thanked by 2mandala kade93
  • kade93 Member
    edited December 2024

    @blorged said:

    @kade93 said:
    It’s recommended to remove all authorized keys and delete any files related to gsd.

    if the above has happened to your server, you need to reinstall it from clean media and then restore data backups to it, only.

    Yes, I agree. I’ve created scripts for those who cannot reinstall the system immediately (like me—my entire cluster was infected :disappointed: ).

    Whoever is interested in inspecting this process, see my blog posts.
    https://kade.im/blog/16571659-3274-8078-8a12-f5c9811c841a
