JavaUpdate


Maya Zbitneva

Jul 13, 2021, 4:26:39 AM
to DSpace Technical Support
Good day!

Please help me solve the following problem.
I have two running processes, java and JavaUpdate, on my DSpace repository web server.
JavaUpdate consumes almost all of the processor resources of my DSpace repository web server.
Can I kill the JavaUpdate process so that my repository continues to work?


With respect,
Zbitnieva Maiia,
System administrator,
Ukraine.

Alan Orth

Jul 23, 2021, 6:39:18 AM
to Maya Zbitneva, DSpace Technical Support
Dear Maya,

What kind of server is this? Is it Windows? There should not be any Java update service on Linux, as that is handled by the system's package manager.

Regards,

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/97497b49-5cd2-48e2-b329-915a48bffe8en%40googlegroups.com.

Maya Zbitneva

Jul 23, 2021, 8:45:50 AM
to DSpace Technical Support
Thank you for the answer. I have an Ubuntu web server. I installed OpenJDK. This JavaUpdate process consumes lots of hardware resources. I do not know how to kill this process permanently. I found only how to decrease its priority.

Friday, 23 July 2021 at 13:39:18 UTC+3, alan...@gmail.com:

Michael Plate

Jul 23, 2021, 9:36:20 AM
to dspac...@googlegroups.com
Hi Maya,

On 23.07.21 at 14:45, Maya Zbitneva wrote:
> Thank you for the answer. I have Ubuntu web server. I installed openjdk.
> This process JavaUpdate consumes lots of hardware resources. I do not
> know how to kill forever this process. I found only how to decrease its
> priority.
[…]

I'd say this is a Windows machine, because on Linux there is no such process.
However, asking Google…

https://www.digitalocean.com/community/questions/javaupdates-taking-99-9-cpu-utilization-in-this-case-java-is-not-running-how-to-kill-the-event-permanently-or-alternate-solution

You might have a crypto miner on your machine.

CU

Michael

Maya Zbitneva

Jul 28, 2021, 7:16:02 AM
to DSpace Technical Support
Good day!

Michael, thank you very much for your professional consultation. It was a real cryptominer in Ubuntu!
I succeeded in killing it. But I have a question about it.
How do I find the vulnerability through which the malware got in?
Because even if I removed the malware, it can come back using the same vulnerability it exploited earlier.
Please help me: what security measures need to be taken to prevent the virus from entering the operating system again?

Zbitnieva Maiia,
System administrator,
Ukraine.

Friday, 23 July 2021 at 16:36:20 UTC+3, Michael Plate:

Michael Plate

Jul 28, 2021, 9:31:58 AM
to dspac...@googlegroups.com
Hi,

On 28.07.21 at 13:16, Maya Zbitneva wrote:
> Good day!
>
> Michael, thank you very much for your professional consultation. It was
> real cryptominer in OS Ubuntu!

Ouch.

> I succedeed to kill it.

Do you have the user of the running process (ps -xau)?

> But I have the question about it.
> How to find the vulnerability from which the malware got in?

That is the hard part. You can try http://www.chkrootkit.org/ (should be
in Ubuntu), but this can also produce false positives. It might also not
be the right tool…

If you have no idea, no log files or anything, IMHO:

----> Install a new machine !! <----

Make a new machine, set up (Apache / Nginx) and Tomcat, and once it is
basically running, copy the DSpace files.
Change passwords and hope nothing awful is copied to the new machine.
Keep it closed - only https and ssh, keep the logins local (no Windows
join).

> Because even if I removed the malware, it can come again using the same
> vulnerability it exploited earlier.

This is what makes admins sleep badly.

> Help me please, what security measures need to be taken to prevent the
> virus from entering the operating system again?

I can only give you some simple tips, because I don't know your
organization, and there are standards you should keep on any machine
running on the internet.

Do not expose any service to the internet which you don't need there -
if you are behind a network firewall, only https (port 443) for DSpace
needs to be accessible from outside - no ssh, no network file systems
etc. Try a port scan from outside.

Update your OS regularly, on DSpace especially Java.

Backup - and restore! Try the restore on a new machine and get a feeling
for that, note down the steps.

If your DSpace is also file-, mail- and print-server, there is something
really wrong - try to split that.

Find a local Linux community to get better help.

But maybe you made everything OK - this still can happen :( .

CU

Michael


Maya Zbitneva

Jul 29, 2021, 7:12:19 AM
to DSpace Technical Support
Good day!

Michael, thank you very much for your professional recommendations!
I will try to implement all of them.

> Do you have the user of the running process (ps -xau)?

Yes, my cryptominer process was run under the "tomcat" user.

Zbitnieva Maiia,
System administrator,
Ukraine.


Wednesday, 28 July 2021 at 16:31:58 UTC+3, Michael Plate:

Alan Orth

Jul 29, 2021, 7:45:46 AM
to Maya Zbitneva, DSpace Technical Support
Dear Maya,

It's hard to say how the Bitcoin miner got installed. Did you install OpenJDK via Ubuntu's package manager or by some other download method? In my experience, these types of things generally get into your system via brute-force scanning of SSH, where some bot gets lucky guessing your SSH username/password, for example admin/admin. The fact that it was running as the tomcat user is interesting, meaning either your tomcat user has SSH enabled, or something managed to exploit your Tomcat server.

Regards,


Maya Zbitneva

Jul 29, 2021, 8:54:42 AM
to DSpace Technical Support
Alan, thank you very much for your answer. I installed OpenJDK using apt. I will learn everything about SSH.

With respect.

Thursday, 29 July 2021 at 14:45:46 UTC+3, alan...@gmail.com:

Michael Plate

Jul 29, 2021, 9:01:05 AM
to dspac...@googlegroups.com
Hi,

On 29.07.21 at 13:12, Maya Zbitneva wrote:
> Good day!
>
> Michael, thank you very much for your professional recommendations!
> I will try to realize all of them.
>
> > Do you have the user of the running process (ps -xau) ?
>
> Yes, My cryptominer process was runned under "tomcat" user.
[…]

Did you install / use the management interface of Tomcat (I do not know
much about it, because I don't use it), and have you changed
"tomcat-users.xml"?

CU

Michael


Maya Zbitneva

Jul 30, 2021, 4:59:43 AM
to DSpace Technical Support
Good day!

> did you install / use the management interface of tomcat (I do not know
> much about it, because I don't use it) and have you changed the
> "tomcat-users.xml" ?

Yes, I used the management interface of Tomcat. I created several users in Apache Tomcat, which I see in tomcat-users.xml. Should I change the passwords of the users in tomcat-users.xml to improve safety?

With respect,
Zbitnieva Maiia,
System administrator,
Ukraine.

Thursday, 29 July 2021 at 16:01:05 UTC+3, Michael Plate:

Michael Plate

Jul 30, 2021, 7:03:49 AM
to dspac...@googlegroups.com
Hi,

On 30.07.21 at 10:59, Maya Zbitneva wrote:
> Good day!
>
> > did you install / use the management interface of tomcat (I do not know
> > much about it, because I don't use it) and have you changed the
> > "tomcat-users.xml" ?
>
> Yes, I used management interface of tomcat. I created several users in
> Apache Tomcat which I see in tomcat-users.xml. Have I change passwords
> to users from tomcat-users.xml to improve safety?
[…]

should not be accessible from the Internet.

Hopefully you do not have the default password "tomcat" somewhere -
this could be the way of the intrusion.

CU

Michael
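
Two defender-side checks that follow Michael's two questions in this thread (which user owns the hungry process, and whether tomcat-users.xml still carries the default "tomcat" password), written as an added example that is not code from any poster. The function names, the "USER PID %CPU COMMAND" input format and the sample data are assumptions constructed for the example; the real checks would be fed `ps -eo user,pid,pcpu,comm --no-headers` and the server's own tomcat-users.xml.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks that follow
# Michael's two questions: which user owns the hungry process, and whether
# tomcat-users.xml still carries the default "tomcat" password.

# Report processes owned by the service account that are not the expected JVM
# and use more CPU than the limit. Input on stdin: "USER PID %CPU COMMAND"
# lines, as produced by: ps -eo user,pid,pcpu,comm --no-headers
flag_suspicious_procs() {
    svc_user="$1"    # account the web app runs as, e.g. tomcat
    cpu_limit="$2"   # %CPU above which an unexpected process is reported
    awk -v u="$svc_user" -v lim="$cpu_limit" '
        $1 == u && $4 != "java" && ($3 + 0) > lim { print $1, $2, $3, $4 }'
}

# Print the username of every <user> entry in a tomcat-users.xml whose
# password is the well-known default "tomcat" or is empty.
weak_tomcat_users() {
    grep -o '<user [^>]*>' "$1" |
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
        pass=$(printf '%s' "$line" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
        case "$pass" in
            tomcat|"") printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample input (not real output from Maya's server).
SAMPLE_PS='root 1 0.0 systemd
tomcat 812 3.2 java
tomcat 4711 99.8 JavaUpdate
postgres 601 0.4 postgres'

SAMPLE_USERS='<tomcat-users>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="maya" password="S0me-Long-Passphrase" roles="manager-gui"/>
  <user username="deploy" password="" roles="manager-script"/>
</tomcat-users>'

# Wrappers that run both checks over the sample data.
demo_procs() { printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs tomcat 50; }
demo_users() {
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_USERS" > "$tmp"
    weak_tomcat_users "$tmp"; rm -f "$tmp"
}

demo_procs   # prints: tomcat 4711 99.8 JavaUpdate
demo_users   # prints: tomcat  then  deploy
```

A hit from the first check is only a lead: the user name tells you which service's credentials or code path to look at next, as Alan's reply below does for the tomcat account.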


Maya Zbitneva

Jul 30, 2021, 7:47:11 AM
to DSpace Technical Support
> should not be accessible from Internet.

Do you mean that the management interface of Tomcat should not be accessible from the Internet?

Friday, 30 July 2021 at 14:03:49 UTC+3, Michael Plate: