disk_manage.cgi hogging CPU usage

Questions about SNMP, Power, System, Logs, disk, & RAID.
esper
Starting out
Posts: 22
Joined: Fri Feb 19, 2016 8:45 am

disk_manage.cgi hogging CPU usage

Post by esper »

The last couple of days some of the apps (specifically Plex) have been running slower than usual on my QNAP TS-253A. I noticed that my CPU usage looks high - and is even spiking on occasion. After researching, it looks like "disk_manage.cgi" is always taking up at least 50% of the usage. What is this? Why is it taking up so much CPU space? Same issue after restart. Any help would be appreciated.

PID USER STATUS RSS PPID %CPU %MEM COMMAND
25079 admin S 16M 1 49.5 0.2 disk_manage.cgi
12201 admin S 18M 1 0.1 0.2 gmetad-python
3559 admin S 5636 1 0.1 0.0 hal_daemon
12358 admin R 1944 11592 0.1 0.0 top
19883 admin S 117M 1 0.0 1.4 mono
19752 admin S 110M 1 0.0 1.3 mono
19720 admin S 107M 19716 0.0 1.3 mono
16659 admin S 62M 1 0.0 0.7 mongod
19697 admin S 58M 1 0.0 0.7 Plex Media Serv
14119 admin S 49M 13738 0.0 0.6 mysqld
8820 admin S 48M 8476 0.0 0.6 mysqld
19864 admin S N 32M 19697 0.0 0.4 Plex Script Hos
20495 admin S 30M 19697 0.0 0.3 Plex Script Hos
22595 admin S 22M 1 0.0 0.2 python
24587 admin S 22M 1 0.0 0.2 qwatchdogd
20239 admin S 22M 19697 0.0 0.2 Plex DLNA Serve
16470 admin S 22M 1 0.0 0.2 transmission-da
17463 admin S 18M 1 0.0 0.2 gmond_agent
10316 admin S 17M 10314 0.0 0.2 mytranscodesvr
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: disk_manage.cgi hogging CPU usage

Post by Trexx »

Need more information - QTS version & Build to start with.
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
esper
Starting out
Posts: 22
Joined: Fri Feb 19, 2016 8:45 am

Re: disk_manage.cgi hogging CPU usage

Post by esper »

My apologies.

4.2.5 build 20170413
wtsai
First post
Posts: 1
Joined: Wed Apr 19, 2017 11:02 pm

Re: disk_manage.cgi hogging CPU usage

Post by wtsai »

Question for you. Do you find any file called "disk_manage.cgi" under /mnt/HDA_ROOT ?? Also, ssh to your server, perform a process list command "ps -ef", what do you find with disk_manage.cgi?
Dormont
New here
Posts: 6
Joined: Thu Apr 20, 2017 12:56 am

Re: disk_manage.cgi hogging CPU usage

Post by Dormont »

I am having the same issue. In SSH there is a file called disk_manage.cgi in /HDA_ROOT/

Additionally the printout in full is /mnt/HDA_ROOT/disk_manage.cgi -a cryptonight -t 2 -b
Dormont
New here
Posts: 6
Joined: Thu Apr 20, 2017 12:56 am

Re: disk_manage.cgi hogging CPU usage

Post by Dormont »

I killed the process in SSH and the CPU usage dropped to >1%. What on earth is that and how do I remove it permanently?
dolbyman
Guru
Posts: 35029
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disk_manage.cgi hogging CPU usage

Post by dolbyman »

is your NAS exposed to the internet ?

maybe your device was hacked and is used as a miner

https://en.bitcoin.it/wiki/CryptoNight



or do you have any encrypted folders/volumes on your NAS (in case QNAP named the crypt process the same)
Last edited by dolbyman on Thu Apr 20, 2017 1:50 am, edited 1 time in total.
Dormont
New here
Posts: 6
Joined: Thu Apr 20, 2017 12:56 am

Re: disk_manage.cgi hogging CPU usage

Post by Dormont »

Is this a full wipe or can I kill the miner?
dolbyman
Guru
Posts: 35029
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disk_manage.cgi hogging CPU usage

Post by dolbyman »

I would contact QNAP first .. maybe it's a legitimate process
Dormont
New here
Posts: 6
Joined: Thu Apr 20, 2017 12:56 am

Re: disk_manage.cgi hogging CPU usage

Post by Dormont »

It is a miner for sure, second ps -ef even shows the dump to stratum+tcp://pool.minexmr.com:4444
dolbyman
Guru
Posts: 35029
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disk_manage.cgi hogging CPU usage

Post by dolbyman »

I would do a full reset (including autostart.sh, that is persistent on flash memory in the NAS); you never know what backdoors have been installed
Dormont
New here
Posts: 6
Joined: Thu Apr 20, 2017 12:56 am

Re: disk_manage.cgi hogging CPU usage

Post by Dormont »

Is Method 1 located here: https://www.qnap.com/en/support/con_show.php?cid=74 sufficient to clear the autostart.sh?
dolbyman
Guru
Posts: 35029
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disk_manage.cgi hogging CPU usage

Post by dolbyman »

that method should be sufficient
Dormont
New here
Posts: 6
Joined: Thu Apr 20, 2017 12:56 am

Re: disk_manage.cgi hogging CPU usage

Post by Dormont »

As a follow-up, so that no one has to waste half a day looking this up: if they are trying to find out if the autostart.sh has been compromised, first SSH into your NAS, then put in the MTD-based method for <LINE 1>. The other lines are to output. Assuming you did not change your autostart.sh yourself, you should get an output of "/tmp/config/autorun.sh: No such file or directory"

<LINE 1>
ls -alF /tmp/config
cat /tmp/config/autorun.sh
umount /tmp/config

The MTD based method is located here and is model-specific: https://wiki.qnap.com/wiki/Running_Your ... at_Startup

Thank you, everyone, for your help & especially dolbyman.
JarnoVanDerLinden
Starting out
Posts: 10
Joined: Sat Nov 26, 2016 11:44 am

Re: disk_manage.cgi hogging CPU usage

Post by JarnoVanDerLinden »

I'm having the same issue. Looks like the disk_manage.cgi got started within the last 24 hours.
There is no autorun.sh present.
I'm fairly sure the admin password was not guessed.
TS-251A, 4.2.2 Build 20161214
I think there is an exploit somewhere.

I also just noticed that along with the disk_manage.cgi come qwatchdogd, rcu_shed and rcu_shed.json files in HDA_ROOT.

Further digging, crontab has gained an entry:
*/3 * * * * /mnt/ext/opt/apache/bin/php /mnt/HDA_ROOT/rcu_shed
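
A triage sketch built from the indicators reported across this thread (an added example, not posted by any participant and not QNAP code). The sample process and crontab lines are constructed, and treating anything launched from HDA_ROOT as worth reviewing is an assumption made for triage.

```shell
#!/bin/sh
# Added triage example; indicators are the ones reported in this thread.
# Sample input is constructed so the script runs offline. On a NAS, pass the
# output of `ps -ef` and `crontab -l` to triage instead.

# Constructed process lines (the layout of the stratum line is assumed).
SAMPLE_PS='25079 admin /mnt/HDA_ROOT/disk_manage.cgi -a cryptonight -t 2 -b
25080 admin /mnt/HDA_ROOT/disk_manage.cgi stratum+tcp://pool.minexmr.com:4444
19697 admin Plex Media Server
14119 admin mysqld'

# Constructed crontab: one ordinary entry plus the entry quoted above.
SAMPLE_CRON='0 4 * * * /sbin/hwclock -s
*/3 * * * * /mnt/ext/opt/apache/bin/php /mnt/HDA_ROOT/rcu_shed'

# Print process lines that mention mining or run from HDA_ROOT (stdin -> stdout).
suspicious_procs() {
    grep -E 'stratum\+tcp://|cryptonight|/HDA_ROOT/' || true
}

# Print active (non-comment) crontab entries whose command touches HDA_ROOT.
suspicious_cron() {
    grep -v '^[[:space:]]*#' | grep -E '/HDA_ROOT/' || true
}

# List which of the file names reported in the thread exist in directory $1.
dropped_files() {
    for name in disk_manage.cgi qwatchdogd rcu_shed rcu_shed.json; do
        [ -e "$1/$name" ] && printf '%s\n' "$1/$name"
    done
    return 0
}

# triage PS_TEXT CRON_TEXT DIR: print findings; return 1 if anything was flagged.
triage() {
    findings=$(
        printf '%s\n' "$1" | suspicious_procs | sed 's/^/PROC /'
        printf '%s\n' "$2" | suspicious_cron | sed 's/^/CRON /'
        dropped_files "$3" | sed 's/^/FILE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

triage "$SAMPLE_PS" "$SAMPLE_CRON" /mnt/HDA_ROOT || echo "Findings above need review."
```

A clean result only means these specific indicators are absent; it does not show the device is uncompromised.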