My YunoHost server
Yunohost 11.1.2.2 (testing)
VPS Hetzner CX 31 (8 GB RAM, 2 vCPU Intel)
Admin interface + SSH
How I caught the malware?
I really don’t know… so I am seriously concerned. There are very few testimonials on the internet about this malware.
I don’t know what this malware did, but it ended up using all the RAM and CPU. The process had “ROOT” rights…
I don’t know how it got the “ROOT” rights, but I wonder if it’s because of a root access via ssh by password that I enabled for a few months before the infection. Since then, my root access is via public key.
Steps to remove the perfctl malware
After months of regular MySQL crashes caused by memory and CPU saturation (read the initial topics here and here), I finally managed to identify and remove this malware. For the past 8 days, no more problems (my server reached saturation after a few days and then MySQL crashed).
- delete the `perfcc` line in crontab (use the `crontab -e` command)
- run the following commands:
rm /usr/bin/perfcc
rm /root/.config/cron/perfcc
rm /etc/cron.*/perfclean
rm /etc/cron.*/perfcc
reboot
The file named `perfcc` can be elsewhere. Check it with the `locate perfcc` command.
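
A read-only check for the artifacts this post lists, as an added example that is not part of the original post: it reports matches and deletes nothing. It uses `find` in place of `locate` (a substitution), assumes Debian's user-crontab directory `/var/spool/cron/crontabs`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit for the perfcc / perfclean artifacts named in the post.
# Usage (as root): perf_audit /    -> prints findings, returns 1 if anything was found.
# Passing another root (a mounted disk image, a test tree) is an assumption of this example.

# Files at the exact paths the post removes.
perf_known_paths() {
    r="${1%/}"
    for p in "$r/usr/bin/perfcc" "$r/root/.config/cron/perfcc" \
             "$r"/etc/cron.*/perfclean "$r"/etc/cron.*/perfcc; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# The post notes the file "can be elsewhere": search by name on this filesystem.
perf_find_elsewhere() {
    r="${1%/}"
    find "${r:-/}" -xdev \( -name perfcc -o -name perfclean \) -print 2>/dev/null
    return 0
}

# Crontab lines that mention perfcc (the line the post deletes with crontab -e).
perf_cron_lines() {
    r="${1%/}"
    for f in "$r"/var/spool/cron/crontabs/* "$r/etc/crontab" "$r"/etc/cron.d/*; do
        # /dev/null as a second file makes grep print the file name on every match
        if [ -f "$f" ]; then grep -n 'perfcc' "$f" /dev/null 2>/dev/null || true; fi
    done
    return 0
}

# Run all three checks, de-duplicate, and signal findings through the exit status.
perf_audit() {
    audit_root="${1:-/}"
    hits=$( { perf_known_paths "$audit_root"
              perf_find_elsewhere "$audit_root"
              perf_cron_lines "$audit_root"; } | sort -u )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Running `perf_audit /` before and after the removal steps shows whether any of the listed files or crontab entries remain or have come back.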