disk_manage.cgi hogging CPU usage


disk_manage.cgi hogging CPU usage

Postby esper » Tue Apr 18, 2017 10:53 pm

The last couple of days some of the apps (specifically Plex) have been running slower than usual on my QNAP TS-253A. I noticed that my CPU usage looks high - and is even spiking on occasion. After researching, it looks like "disk_manage.cgi" is always taking up at least 50% of the usage. What is this? Why is it taking up so much CPU space? Same issue after restart. Any help would be appreciated.

PID USER STATUS RSS PPID %CPU %MEM COMMAND
25079 admin S 16M 1 49.5 0.2 disk_manage.cgi
12201 admin S 18M 1 0.1 0.2 gmetad-python
3559 admin S 5636 1 0.1 0.0 hal_daemon
12358 admin R 1944 11592 0.1 0.0 top
19883 admin S 117M 1 0.0 1.4 mono
19752 admin S 110M 1 0.0 1.3 mono
19720 admin S 107M 19716 0.0 1.3 mono
16659 admin S 62M 1 0.0 0.7 mongod
19697 admin S 58M 1 0.0 0.7 Plex Media Serv
14119 admin S 49M 13738 0.0 0.6 mysqld
8820 admin S 48M 8476 0.0 0.6 mysqld
19864 admin S N 32M 19697 0.0 0.4 Plex Script Hos
20495 admin S 30M 19697 0.0 0.3 Plex Script Hos
22595 admin S 22M 1 0.0 0.2 python
24587 admin S 22M 1 0.0 0.2 qwatchdogd
20239 admin S 22M 19697 0.0 0.2 Plex DLNA Serve
16470 admin S 22M 1 0.0 0.2 transmission-da
17463 admin S 18M 1 0.0 0.2 gmond_agent
10316 admin S 17M 10314 0.0 0.2 mytranscodesvr


Re: disk_manage.cgi hogging CPU usage

Postby Trexx » Tue Apr 18, 2017 11:00 pm

Need more information - QTS version & Build to start with.
Paul



Re: disk_manage.cgi hogging CPU usage

Postby esper » Wed Apr 19, 2017 12:50 am

My apologies.

4.2.5 build 20170413


Re: disk_manage.cgi hogging CPU usage

Postby wtsai » Wed Apr 19, 2017 11:07 pm

Question for you. Do you find any file called "disk_manage.cgi" under /mnt/HDA_ROOT ?? Also, ssh to your server, perform a process list command "ps -ef", what do you find with disk_manage.cgi?


Re: disk_manage.cgi hogging CPU usage

Postby Dormont » Thu Apr 20, 2017 1:00 am

I am having the same issue. In SSH there is a file called disk_manage.cgi in /HDA_ROOT/

Additionally the printout in full is /mnt/HDA_ROOT/disk_manage.cgi -a cryptonight -t 2 -b


Re: disk_manage.cgi hogging CPU usage

Postby Dormont » Thu Apr 20, 2017 1:37 am

I killed the process in SSH and the CPU usage dropped to >1%. What on earth is that and how do I remove it permanently?


Re: disk_manage.cgi hogging CPU usage

Postby dolbyman » Thu Apr 20, 2017 1:48 am

is your NAS exposed to the internet ?

maybe your device was hacked and is used as a miner

https://en.bitcoin.it/wiki/CryptoNight



or do you have any encrypted folders/volumes on your NAS (in case QNAP named the crypt process the same)
Last edited by dolbyman on Thu Apr 20, 2017 1:50 am, edited 1 time in total.


Re: disk_manage.cgi hogging CPU usage

Postby Dormont » Thu Apr 20, 2017 1:50 am

Is this a full wipe or can I kill the miner?


Re: disk_manage.cgi hogging CPU usage

Postby dolbyman » Thu Apr 20, 2017 1:51 am

I would contact QNAP first .. maybe it's a legitimate process


Re: disk_manage.cgi hogging CPU usage

Postby Dormont » Thu Apr 20, 2017 1:52 am

It is a miner for sure, second ps -ef even shows the dump to stratum+tcp://pool.minexmr.com:4444


Re: disk_manage.cgi hogging CPU usage

Postby dolbyman » Thu Apr 20, 2017 2:03 am

I would do a full reset (including autostart.sh, that is persistent on flash memory in the NAS) you never know what backdoors have been installed


Re: disk_manage.cgi hogging CPU usage

Postby Dormont » Thu Apr 20, 2017 4:00 am

Is Method 1 located here: https://www.qnap.com/en/support/con_show.php?cid=74 sufficient to clear the autostart.sh?


Re: disk_manage.cgi hogging CPU usage

Postby dolbyman » Thu Apr 20, 2017 4:44 am

that method should be sufficient


Re: disk_manage.cgi hogging CPU usage

Postby Dormont » Thu Apr 20, 2017 4:54 am

As a follow-up, so that no one has to waste half a day looking this up: if they are trying to find out if the autostart.sh has been compromised, first SSH into your NAS, then put in the MTD-based method for <LINE 1>. The other lines are to output. Assuming you did not change your autostart.sh yourself, you should get an output of "/tmp/config/autorun.sh: No such file or directory"

<LINE 1>
ls -alF /tmp/config
cat /tmp/config/autorun.sh
umount /tmp/config

The MTD based method is located here and is model-specific: https://wiki.qnap.com/wiki/Running_Your ... at_Startup

Thank you, everyone, for your help & especially dolbyman.


Re: disk_manage.cgi hogging CPU usage

Postby JarnoVanDerLinden » Fri Apr 21, 2017 8:18 am

I'm having the same issue. Looks like the disk_manage.cgi got started within the last 24 hours.
There is no autorun.sh present.
I'm fairly sure the admin password was not guessed.
TS-251A, 4.2.2 Build 20161214
I think there is an exploit somewhere.

I also just noticed that along with the disk_manage.cgi come qwatchdogd, rcu_shed and rcu_shed.json files in HDA_ROOT.

Further digging, crontab has gained an entry:
*/3 * * * * /mnt/ext/opt/apache/bin/php /mnt/HDA_ROOT/rcu_shed
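
A triage sketch for the indicators reported in this thread (the miner's process arguments, the file names in HDA_ROOT, and the crontab entry), added here as an example; it was not posted by any participant and is not QNAP's own tooling. The function names are hypothetical and the sample process and cron lines are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: triage for the indicators reported in this thread only.
# The scanners read text on stdin, so they work on live or saved output.

HDA_ROOT="${HDA_ROOT:-/mnt/HDA_ROOT}"   # directory named in the thread
IOC_FILES="disk_manage.cgi qwatchdogd rcu_shed rcu_shed.json"

# Process lines that run from HDA_ROOT or carry the miner arguments.
scan_ps() {
    awk '/HDA_ROOT\// || /stratum\+tcp:/ || /-a +cryptonight/'
}

# Non-comment crontab lines that execute something under HDA_ROOT.
scan_cron() {
    awk '!/^[ \t]*#/ && /HDA_ROOT\//'
}

# Reported file names that exist in a directory (default: $HDA_ROOT).
scan_files() {
    dir="${1:-$HDA_ROOT}"
    for f in $IOC_FILES; do
        if [ -e "$dir/$f" ]; then echo "$dir/$f"; fi
    done
}

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_PS='25079 admin /mnt/HDA_ROOT/disk_manage.cgi -a cryptonight -t 2 -b
19697 admin Plex Media Server
24587 admin qwatchdogd'
SAMPLE_CRON='# m h dom mon dow command
0 4 * * * /sbin/hwclock -s
*/3 * * * * /mnt/ext/opt/apache/bin/php /mnt/HDA_ROOT/rcu_shed'

echo "== suspicious processes (sample) =="
printf '%s\n' "$SAMPLE_PS" | scan_ps
echo "== suspicious cron lines (sample) =="
printf '%s\n' "$SAMPLE_CRON" | scan_cron
# On the NAS itself, over SSH:
#   ps -ef | scan_ps; crontab -l | scan_cron; scan_files
```

The scanners match on path and arguments rather than on process name alone, so a process listed only as `qwatchdogd` is not flagged unless it runs from HDA_ROOT.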

