TLDR: perfctl is a crypto mining and proxy jacking malware that exploits about 20’000 common missconfigurations to install itself on Linux servers. Mostly using a 10/10 CVE on Apache RocketMQ.

It is very persistent and can reinstall itself even when you have deleted all the perfctl and perfcc files. It hides itself by removing logs, network packets, and stopping all activity once you login to the machine.

Monitoring cpu usage using tools (I use net data on my server) can help identify infections (100% cpu usage when « idle »).

  • DigitalDilemma
    link
    fedilink
    English
    21 month ago

    Surely y’all have monitoring and alerts for excessive cpu load already?

    • SuperFolaOP
      link
      fedilink
      English
      21 month ago

      On my own server at home, yes. Because that’s important for me to know what’s going on and not discover something by chance weeks later.