Nodered process burning cpu resources

I have a box with Ubuntu that I use to write and test scripts and nodes.
I found it was quite unresponsive and started investigating who is taking 300% of the resources.
I did find the following process and files to be responsible for the above:

-rwxr-xr-x 1 root root 8714712 Jun 23 19:58 kperl
-rw-r--r-- 1 root root 3540510 Jul 25 15:17 kperl.tar.gz

PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
   1614 root      20   0  358200   9168   8472 S 194.1   0.1   3:48.17 kperl

I did check who is running such a process and it looks like it is something associated with nodered.

:/tmp$ systemctl status $(pgrep kperl)
● nodered.service - Node-RED graphical event wiring tool
     Loaded: loaded (/lib/systemd/system/nodered.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-07-25 16:07:39 CAT; 26min ago
       Docs: http://nodered.org/docs/hardware/raspberrypi.html
   Main PID: 709 (node-red)
      Tasks: 22 (limit: 9251)
     Memory: 131.7M
     CGroup: /system.slice/nodered.service
             ├─ 709 node-red
             ├─1458 sh /tmp/tmp
             └─1614 /tmp/kperl --no-color

Does anyone know what is about and how to stop this kperl?

Update
After disabling nodered with systemctl and rebooting, kperl doesn't start and the box's CPU is happy again. So, it looks like "kperl" really does belong to nodered. I definitely need some help to sort this out.

  1. Are you running node-red as root? If the answer is yes then that is almost certainly a bad idea.

  2. Have you got any exec nodes in your flows? If so then what commands are they executing?

  3. What extra nodes have you installed? You can look in ~/.node-red/package.json to get a list of them.

  4. Is your node-red system accessible via the internet?

  5. If you stop node-red does the process get killed? If not then disable node-red auto run on boot and reboot, then check the process is not there. Start node-red and see if it re-appears.

Nodered is not running as root.
No exec nodes.
At present I have only one flow with an HTTP-in node receiving messages from Sigfox backend.
I did stop and disable nodered, rebooted, and the issue disappeared.

I have enabled and restarted nodered as well as the flow with the http-in node and the issue disappeared. I hope forever.
What was the issue about?

You didn't answer point 4. If node-red has ever been open to the internet then you might have been hacked.

Also, what does
sudo systemctl status nodered
show now?

$ systemctl status nodered
● nodered.service - Node-RED graphical event wiring tool
Loaded: loaded (/lib/systemd/system/nodered.service; enabled; vendor prese>
Active: active (running) since Mon 2022-07-25 17:15:51 CAT; 2min 44s ago
Docs: Redirecting…
Main PID: 705 (node-red)
Tasks: 11 (limit: 9251)
Memory: 111.0M
CGroup: /system.slice/nodered.service
└─705 node-red

Most likely you are in a loop and you need to toss in debug nodes until you see a whole bunch of messages spinning past that you aren't expecting.

Been there, done that.

Yes. It has been exposed. I had to redirect a port to 1880 to test the HTTP-in node to receive the messages from Sigfox.
So.... it is time to wipe out such box and make a clean installation?

Unless someone else can suggest what might have been going on I would certainly be suspicious. Note that the command being run was /tmp/kperl which means that it had been temporarily constructed in /tmp rather than being a normal installed program. There are bots out in the internet looking for 1880 being open and there have been reports of people being hacked after even a short time exposed without security features. I am confused about how it could run the s/w as root though, if node-red is not running as root.

The even bigger worry for you is whether the machine might have infiltrated other systems on your local network if you have any.


Thanks for the hints. It could be. It is the only box with very low security because I use it to test my little messy code. I will have a look at the other devices on the network, but they are all strongly password protected.
If it was an intrusion attempt, it was a stupid one. It doesn't make sense to run something that burns CPU resources and gets discovered in a few hours.
Thanks for sharing your opinions.

gotta mine those bitcoin somehow... always going to be cpu intensive on a Pi...
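
An added example, not posted by anyone in this thread: a triage script for the symptom in the first post, where `/tmp/kperl` and `sh /tmp/tmp` were running inside the nodered.service cgroup. It walks a proc tree and reports every process whose binary or script argument lives in a temp directory, with the owning cgroup. The function name, the reason labels and the list of temp directories are choices made for this example.

```shell
#!/bin/sh
# Added example: flag processes that execute from world-writable temp dirs.
# Live use (as root, so every /proc/PID/exe is readable): sh scan.sh --live

# scan_temp_procs PROC_ROOT
# Prints one line per hit: pid|reason|exe|cgroup|cmdline
scan_temp_procs() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # exe is a symlink to the binary; it is unreadable for kernel
        # threads and for other users' processes when not root.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        # cmdline is NUL-separated; turn it into one printable line.
        cmd="$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline")" || cmd=""
        cmd="${cmd% }"
        reason=""
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) reason="exe-in-tmp" ;;
        esac
        # A binary unlinked while still running reads "<path> (deleted)".
        case "$exe" in
            *" (deleted)") reason="${reason:+$reason,}exe-deleted" ;;
        esac
        # Interpreter running a script from a temp dir, e.g. "sh /tmp/tmp".
        if [ -z "$reason" ]; then
            case " $cmd" in
                *" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*) reason="script-in-tmp" ;;
            esac
        fi
        [ -n "$reason" ] || continue
        # The last cgroup line carries the systemd unit path
        # (cgroup v2 format is "0::/system.slice/unit.service").
        cg="$(tail -n 1 "$dir/cgroup" 2>/dev/null)" || cg=""
        printf '%s|%s|%s|%s|%s\n' "$pid" "$reason" "$exe" "${cg##*:}" "$cmd"
    done
}

if [ "${1:-}" = "--live" ]; then
    scan_temp_procs /proc
fi
```

The cgroup column ties each hit back to a unit, which is what `systemctl status $(pgrep kperl)` showed by hand in the first post.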
