Process 'wanwakuang' with high process load

I noticed today that my server was very slow. Looking at the running processes, I noted that process wanwakuang and 000000 were going crazy.

process wanwakuang caused the load to go very high

Searching wanwakuang on Google did not yield many results, but this article on HackerNews was very helpful: https://translate.google.com/translate?sl=auto&tl=en&u=http://hackernews.cc/archives/34789

Apparently wanwakuang is a mining process.

However, I could not find the binary on my system. My server is only running Docker containers, so probably one of the containers was at fault.

To find the docker container with the exploit, I executed the command:

$ find /var/lib/docker -type f -name wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/diff/root/.configrc/a/wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/diff/tmp/.W10-unix/.rsync/a/wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/merged/root/.configrc/a/wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/merged/tmp/.W10-unix/.rsync/a/wanwakuang

To find out which Docker container was attached to this overlay, I issued this command I found on Stack Overflow:

$ docker inspect $(docker ps -qa) \
  | jq -r 'map([.Name, .GraphDriver.Data.MergedDir]) | .[] | "\(.[0])\t\(.[1])"' \
  | grep '1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf'

Knowing the name I could terminate the container. It was being used for SSH and could be removed.
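
The lookup above, generalized as an added example (not part of the original post): it matches the layer ID against each container's UpperDir and LowerDir from `docker inspect --format`, so it needs no jq and tells a file written at runtime apart from one shipped in the image. The function names and the sample container names and short IDs are assumptions.

```sh
#!/bin/sh
# Added example: tie an overlay2 layer ID (from a `find` hit) to containers.

# Layer ID from a path like /var/lib/docker/overlay2/<id>/diff/tmp/x
overlay_id() {
    printf '%s\n' "$1" | sed -n 's|.*/overlay2/\([^/]*\)/.*|\1|p'
}

# stdin: "name<TAB>UpperDir<TAB>LowerDir", one line per container.
# stdout: "name<TAB>runtime" when the ID is the container's writable layer,
#         "name<TAB>image"   when it is a read-only layer from the image.
match_layer() {
    awk -F '\t' -v id="$1" '
        index($2, "/overlay2/" id "/") { print $1 "\truntime"; next }
        index($3, "/overlay2/" id "/") { print $1 "\timage" }'
}

# Live data for match_layer, covering running and stopped containers.
list_layers() {
    docker inspect --format \
'{{.Name}}{{"\t"}}{{.GraphDriver.Data.UpperDir}}{{"\t"}}{{.GraphDriver.Data.LowerDir}}' \
        $(docker ps -qa)
}

# Constructed sample (names and short IDs are made up) for offline runs.
sample_layers() {
    printf '/ssh\t/o/overlay2/c1/diff\t/o/overlay2/c1-init/diff:/o/overlay2/base/diff\n'
    printf '/web\t/o/overlay2/c2/diff\t/o/overlay2/c2-init/diff:/o/overlay2/base/diff\n'
}

# On a Docker host (as root): containers_with_file wanwakuang
containers_with_file() {
    find /var/lib/docker/overlay2 -type f -name "$1" 2>/dev/null |
    while IFS= read -r path; do overlay_id "$path"; done | sort -u |
    while IFS= read -r id; do list_layers | match_layer "$id"; done | sort -u
}
```

A `runtime` result means the file was written into that container after it started; an `image` result means the layer belongs to the image, so every container created from it carries the file.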
