JavaUpdate: Out of memory: Killed process xxxxxx (JavaUpdate)

General
1

I’ve noticed that on one of our GitLab dedicated servers we have a process that is continually killed in this manner:

[133352.690471] Out of memory: Killed process 322523 (JavaUpdate) total-vm:2592964kB, anon-rss:1234480kB, file-rss:0kB, 0
[134915.125189] Out of memory: Killed process 326228 (JavaUpdate) total-vm:2592964kB, anon-rss:1225240kB, file-rss:0kB, 0
[136482.693904] Out of memory: Killed process 329886 (JavaUpdate) total-vm:2592964kB, anon-rss:1483172kB, file-rss:0kB, 0
[138044.659131] Out of memory: Killed process 333693 (JavaUpdate) total-vm:2592964kB, anon-rss:1335328kB, file-rss:0kB, 0
[139607.956198] Out of memory: Killed process 337348 (JavaUpdate) total-vm:2592964kB, anon-rss:1294408kB, file-rss:0kB, 0
[141169.571878] Out of memory: Killed process 341004 (JavaUpdate) total-vm:2592964kB, anon-rss:1247420kB, file-rss:0kB, 0
[142732.496049] Out of memory: Killed process 344652 (JavaUpdate) total-vm:2592964kB, anon-rss:1243192kB, file-rss:0kB, 0
[144296.258323] Out of memory: Killed process 348345 (JavaUpdate) total-vm:2592964kB, anon-rss:1228940kB, file-rss:0kB, 0
[145859.488904] Out of memory: Killed process 351991 (JavaUpdate) total-vm:2592964kB, anon-rss:1208612kB, file-rss:0kB, 0

This lead me to find this binary at: /var/tmp/.Javadoc/JavaUpdate

Is this a legitimately installed file by and for GitLab? If so, I’m curious about why Java would be trying to update for what could/should be a static installation of Java.

If not, we have no history of anyone installing Java on this server and using it (it’s not even in the Linux package list) and so this is a bit peculiar.

2

Could well be a process pretending to be java, when it’s a crypto miner, check you are not on an old and vulnerable version of gitlab.

That process has nothing to do with Gitlab, so it looks like your server is compromised. See these posts:

1 Like