Process gitlab named: kthzabor is using 90% of CPU

@iwalker Ah got it, I was under the impression that Ubuntu 16.04 LTS would mean long term support but just realized that LTS’s can also have an end date :sweat_smile:

I will schedule a day to upgrade to 18.04, thanks once again!

Yes, LTS is for 5 years. 16.04 is April 2016, so the five years have passed :slight_smile:

Just be careful when doing the upgrade. I’ve had occurrences when using do-release-upgrade where it removed packages that were installed from outside of the Ubuntu repos. You might be safe, but you have to make sure, in the list of packages being removed, that gitlab-ce or gitlab-ee isn’t one of them. You can get around this, however, by using the standard upgrade method for Debian, which is basically to edit /etc/apt/sources.list to replace xenial with bionic. Then you would just do:

```
apt-get clean all
apt-get update
apt-get upgrade
apt-get update
apt-get upgrade
apt-get dist-upgrade
```

Yes, a couple of commands are repeated on purpose, as sometimes after the first apt-get upgrade I’ve had times where I refresh the repository and have to run it again because some other packages became available. After this, the dist-upgrade gets you fully upgraded. Then reboot, and you are just left with a small cleanup, so:

```
apt-get autoremove
```

That should pretty much do it. But try the do-release-upgrade option first, as this will probably clean up old packages better; with the other method, some packages for Xenial can get left behind, which then requires finding them and manually removing them.

1 Like
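Added example (not part of the original posts): a shell check for the removal list mentioned above, run against the output of a simulated `apt-get -s dist-upgrade`. The function names, the `--live` switch and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: detect whether a simulated upgrade would remove GitLab.

# Read `apt-get -s` output on stdin and print every gitlab-ce/gitlab-ee
# package scheduled for removal ("Remv") or purge ("Purg"), one per line.
gitlab_removals() {
    awk '($1 == "Remv" || $1 == "Purg") && $2 ~ /^gitlab-(ce|ee)(:|$)/ { print $2 }'
}

# Constructed sample of simulation output (not captured from a real host).
sample_output() {
    cat <<'EOF'
Inst libc6 [2.23-0ubuntu11] (2.27-3ubuntu1 Ubuntu:18.04/bionic [amd64])
Remv gitlab-ce [0.0.0-ce.0]
Remv python-old [1.0]
Conf libc6 (2.27-3ubuntu1 Ubuntu:18.04/bionic [amd64])
EOF
}

# Read simulation output on stdin.
# Return 0 when GitLab is untouched, 1 when the upgrade would remove it.
check_upgrade() {
    local hits
    hits=$(gitlab_removals)
    if [ -n "$hits" ]; then
        echo "upgrade would remove: $hits" >&2
        return 1
    fi
    return 0
}

# Live use on the host, after editing sources.list and running apt-get update.
# The -s flag only simulates; nothing is installed or removed.
if [ "${1:-}" = "--live" ]; then
    apt-get -s dist-upgrade | check_upgrade
fi
```

Run it with `--live` before the real `dist-upgrade`; a non-zero exit means gitlab-ce or gitlab-ee is in the removal list and the upgrade should not proceed as is.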

Same issue and a process. Updated to the latest version - the process disappeared. Also, I’ve removed suspicious accounts. But there is no certainty that the system is clean of viruses.

I will recreate a new instance with data transfer. Which is better to prevent malicious files from migrating to the new system: via backup or export/import?
What are the general consequences of this vulnerability? Leaked account logins and passwords, leaked repositories? Can infected code be in the repositories?
What other actions are required besides changing passwords?

1 Like

@iwalker Ah got it, I’m new to server stuff but learning every day. Thank you so much for the clear steps, I will follow the order when upgrading.

@wow That sounds like a safer way, at least we can be sure that the script is not hidden somewhere else in the system. Those are some good questions to know the extent of the attack; hope someone can post in-depth details.

We just take the Docker image, and by means of that a restart of the container gets rid of spooky processes.