I don’t know if I am in the right place but I wanted some information regarding gitlab running services. I just want to ask if someone already knows something about “girmx”? When I run top on my server I see this, which is consuming my CPU. Is girmx part of gitlab?

I don’t think so, there is no reference to such a thing in the whole Gitlab group: https://gitlab.com/search?utf8=✓&search=girmx&group_id=9970&project_id=&snippets=false&repository_ref=&nav_source=navbar (and I don’t find anything on the web as well)

Can you try to understand where the executable is located, running which girmx?

Thanks for your reply. I tried running which girmx but nothing showed as a result. I will try some commands; maybe I can trace where it hides.

I found it… it’s a CPU miner and it hides in my git-data directory.

I also see xmrig-6.3.3 in the same directory; it’s an open source CPU miner also.

Unless you put them there, it could mean it got dropped there from somewhere (e.g. a dodgy website) and is mining for someone else using your CPU/GPU. If that’s the case, you’ll want to delete these so that they don’t end up running again. There have been cases before where websites have dropped miners on people’s computers to mine in the background. Although a CPU miner isn’t going to earn much very quickly, it’s still a nuisance considering the CPU usage. And more so if it decided to use your GPU, as it can mine more and quicker but will affect your graphics card.

Thanks for the info. I have deleted it but it came back again. How can I search for some kind of trigger that is sending it back again to my server?

Could be difficult. It depends if your server is headless (without a desktop), or whether it has a desktop environment installed and running. But I expect if it’s without a running desktop, then there is a process on your machine which is running and downloading it when deleted. If there is a desktop environment, then it would be an infected web browser, which is downloading it in the background.

You can try installing the chkrootkit or rkhunter packages, and run these to see if it will find any type of issues, but they might not find it. You will have to check the running process list and filter out known processes and see if there is anything else suspicious running other than the girmx process. If running a desktop environment, depending on whatever it is, I would stop the display manager so that the desktop is no longer running, check/verify running processes for anything suspicious, then remove girmx again, and see if it returns.

That’s all I can really suggest at the moment, but if it keeps coming back and you cannot find what is causing it, your only real way forward is to back up your gitlab installation, and then clean install your server from scratch and install gitlab again and restore your data related to gitlab. If the rootkit scanning packages find anything, that could help make it easier, but they might not find anything. Usually these are best installed before a machine is infected, as they have a database of the packages/processes installed and running to verify against.
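
An added example for readers tracing the same thing (not part of any post in this thread): a POSIX shell sketch that resolves where a running process such as girmx really lives when `which` finds nothing, and searches scheduler and startup files for whatever restores it. The function names, the script name and the list of locations searched are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Both functions take an optional
# root so they can be pointed at a mounted disk image or a test tree.

# trace_proc NAME [PROC_ROOT]
# `which` only searches $PATH; /proc/<pid>/exe points at the real file
# even when it lives outside $PATH or has been deleted after start.
# comm holds the process name, truncated by the kernel to 15 characters.
trace_proc() {
    name=$1
    proc=${2:-/proc}
    for dir in "$proc"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$name" ] || continue
        exe=$(readlink "$dir/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$dir/cwd" 2>/dev/null || echo '?')
        ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null || true)
        printf 'pid=%s ppid=%s exe=%s cwd=%s\n' \
            "${dir##*/}" "${ppid:-?}" "$exe" "$cwd"
    done
}

# find_triggers REGEX [FS_ROOT]
# Lists files in common cron, systemd and login-script locations
# (an assumed, non-exhaustive set) whose text matches REGEX.
find_triggers() {
    regex=$1
    root=${2:-}
    for p in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
             var/spool/cron etc/systemd/system etc/rc.local \
             etc/profile.d etc/ld.so.preload; do
        [ -e "$root/$p" ] || continue
        grep -rIlE -e "$regex" "$root/$p" 2>/dev/null || true
    done
}

# Run as root (hypothetical script name): sh trace.sh girmx
if [ $# -ge 1 ]; then
    trace_proc "$1"
    find_triggers "$1|xmrig"
fi
```

The ppid column shows which process started the miner, and any file listed by find_triggers is where to look for the line that brings it back. An entry that fetches the binary under a different name will not match the pattern, so an empty result does not rule out a scheduled job.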

Thank you so much! I guess my only option now is to do a clean install.

I’ve come across the same unauthorized installation. Have you been able to find a source?

I think I’ve found a source and method of compromise. Do you see a user named johnyj12345 with one or more issues and your secrets.yml file attached?

Additionally, did the miner appear only after a reboot?

Yes, we had a girmx process and user johnyj12345 too. It registered on Jul 11, 2020 12:29pm.

Hi Everyone,

Is there any fix to this? Having the same issue as well.
Anyone have any idea on how I can block this?

Hi, in my case I found the girmx file and the xmrig-6.3.3 folder in /var/opt/gitlab/git-data. I tried to delete both the file and the folder, but after a while they reappeared. Then I chose to log in with root access and remove the file and folder permissions recursively. Restarting the instance is very important and voila, that worked for me. Remember to kill the girmx process before starting this process. I did not find any strange user like johnyj12345.

Hi, I tried deleting those files using the root user; however, it keeps on coming after a day.
Any idea on how to permanently remove this?