Background

Last year, I built a simple NAS (based on TrueNAS) from an old laptop the company had retired, and opened a public IP so that I could use some Docker apps.

The screening process

When I got home that day, I found that my laptop was running abnormally, so I hurriedly connected over SSH to check it and took a look at CPU usage with the top command.

I wondered how a Python program could be eating 200% of the CPU, so I checked the running Python processes using the same command I use to look at Java services during development:

ps -ef | grep python

The result was a suspicious Python process, and an outbound connection to the IP 139.99.123.196 appeared in the output. I didn't think twice before killing the process. Then I typed that outbound IP into the browser's address bar.



Mining Pool Online.
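The triage walked through above (top, ps, kill, then look up the outbound IP) can be done more carefully by collecting evidence about the suspicious PID before it is killed, and by decoding its established connections straight from /proc/net/tcp so the remote address shows up without a browser lookup. The script below is an added example written for this post, not code from the original author. It assumes a Linux host with /proc; the PID, the CPU threshold, and the sample ps and /proc/net/tcp text are constructed (the only value taken from the post is the pool IP 139.99.123.196, on a constructed port).

```shell
#!/bin/sh
# Added example, not code from the original post. Triage a suspicious
# high-CPU process on Linux: record what it is and who it talks to
# before killing it. Assumes /proc is available; sample data is constructed.

# Decode one /proc/net/tcp address field such as "C47B638B:0D05" into
# dotted-quad:port. The kernel writes the IPv4 address as little-endian hex.
decode_tcp_addr() {
    hex_ip=${1%%:*}
    hex_port=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "0x$(printf '%s' "$hex_ip" | cut -c7-8)" \
        "0x$(printf '%s' "$hex_ip" | cut -c5-6)" \
        "0x$(printf '%s' "$hex_ip" | cut -c3-4)" \
        "0x$(printf '%s' "$hex_ip" | cut -c1-2)" \
        "0x$hex_port"
}

# Print the socket inode numbers held by a PID (from its /proc/<pid>/fd links).
socket_inodes() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "socket:["*"]")
                target=${target#"socket:["}
                printf '%s\n' "${target%"]"}" ;;
        esac
    done
}

# Read /proc/net/tcp-format text on stdin and print established (st == 01)
# remote peers. With a space-separated inode list as $1, only sockets with
# those inodes (i.e. sockets owned by one process) are shown.
established_peers() {
    awk -v want="${1:-}" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        NR > 1 && $4 == "01" && (n == 0 || ($10 in keep)) { print $3 }' |
    while read -r rem; do decode_tcp_addr "$rem"; done
}

# Read "ps -eo pid,pcpu,comm" output on stdin; print PIDs above a %CPU threshold.
high_cpu_pids() {
    awk -v t="$1" 'NR > 1 && $2 + 0 > t { print $1 }'
}

# Gather evidence for one PID. A "(deleted)" suffix on exe means the binary
# was removed after launch, which is worth recording before the kill.
triage_pid() {
    pid=$1
    echo "== pid $pid =="
    echo "exe:     $(readlink /proc/"$pid"/exe 2>/dev/null || echo '?')"
    echo "cwd:     $(readlink /proc/"$pid"/cwd 2>/dev/null || echo '?')"
    echo "cmdline: $(tr '\0' ' ' 2>/dev/null < /proc/"$pid"/cmdline)"
    echo "ppid:    $(awk '/^PPid:/ { print $2 }' /proc/"$pid"/status 2>/dev/null)"
    echo "established peers:"
    established_peers "$(socket_inodes "$pid" | tr '\n' ' ')" < /proc/net/tcp
}

# Constructed sample data (not captured from the post's machine): a process
# table with one runaway python3, and a /proc/net/tcp with one established
# connection to the pool address from the post on a constructed port (3333).
SAMPLE_PS='  PID %CPU COMMAND
    1  0.0 init
 4242 199.7 python3
 4300  1.2 sshd'

SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:9C40 C47B638B:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1'

# Live usage on a real host (as root, so every /proc/<pid>/fd is readable):
#   ps -eo pid,pcpu,comm | high_cpu_pids 100 | while read -r p; do triage_pid "$p"; done
# Only after the output is saved: kill "$p"
```

On the sample data, established_peers prints 139.99.123.196:3333, and passing the inode list from socket_inodes narrows that to the one process under investigation, which is the same correlation that ss -p or lsof -i performs; the point of doing it from /proc by hand is that it still works on a minimal appliance image where those tools are missing.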


Why was a mining script implanted?

How did they log into my server and implant the mining script? I can think of the following possibilities:

1. Weak user password. Figure 1 shows that my user name is SL, a temporary non-root user I configured in TrueNAS. Since I didn't think much about it at the time, the password was also set to SL, which is far too simple; this is most likely the entry point.

3. Vulnerabilities in installed applications (middleware): vulnerabilities in Redis, Jenkins, and even Log4j some time ago.

TrueNAS itself, or the services and Web protocols that come with it, may also be vulnerable.
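A weak password on an account like SL only becomes a way in because the SSH daemon facing the public IP accepts passwords at all. The script below is an added example written for this post, not the author's code or anything shipped with TrueNAS: it reads an sshd_config and reports the settings that turn a guessable password into remote access, printing the corrected directive beside each one. It assumes OpenSSH's sshd_config semantics; the sample configuration text is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings that make a weak password like the one in the post fatal.
# Assumes OpenSSH semantics; the sample configs below are constructed.

# Effective global value of a directive. Per sshd_config(5), keywords are
# case-insensitive and the FIRST occurrence wins, so a hardening line appended
# at the bottom of the file changes nothing. Directives after a "Match" block
# are conditional, so scanning stops there. Prints nothing if unset.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

# Print one WEAK line per risky setting, with the corrected directive.
audit_sshd_config() {
    file=$1
    v=$(sshd_directive "$file" PasswordAuthentication)
    # OpenSSH defaults to yes when the directive is absent
    [ "${v:-yes}" = no ] ||
        echo "WEAK: PasswordAuthentication ${v:-unset (defaults to yes)} -> set 'PasswordAuthentication no' and use keys"
    v=$(sshd_directive "$file" PermitRootLogin)
    [ "$v" != yes ] ||
        echo "WEAK: PermitRootLogin yes -> set 'PermitRootLogin no'"
    v=$(sshd_directive "$file" PermitEmptyPasswords)
    [ "$v" != yes ] ||
        echo "WEAK: PermitEmptyPasswords yes -> set 'PermitEmptyPasswords no'"
}

# Number of WEAK findings for a config file (0 when it is clean).
count_weak() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

# Audit a config given as a string, via a temp file.
audit_sample() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    count_weak "$f"
    rm -f "$f"
}

# Constructed weak config: passwords accepted for everyone, root included.
WEAK_SSHD_CONFIG='# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes'

# Constructed hardened config. The Match block re-enables passwords for one
# account only; because it comes after the global settings, the audit stops
# there and still reports the global PasswordAuthentication as "no".
HARDENED_SSHD_CONFIG='# constructed sample, not a real host
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes'

# Usage on a real host: audit_sshd_config /etc/ssh/sshd_config
```

On the constructed samples the weak file yields three findings and the hardened one none; a file that never mentions PasswordAuthentication still yields one, because the OpenSSH default is yes. For the authoritative view after defaults and Match evaluation, compare against the output of sshd -T on the host itself.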

Conclusion

Exposing a machine to the public internet is risky, so be cautious before opening it up, and never use weak passwords.

Finally, here is a picture of my little NAS. I will write an article about the NAS itself when I have time.