peci1/nvidia-htop

Miner Virus Risk? (probably unrelated, but everyone please report if you also got it)

rachel-sunrui opened this issue · 11 comments

Hi,

After I installed the package, a malicious process appeared on the system. It is running at 100% on all GPUs and restarts after I kill it. I am wondering if other people have mentioned this to you, especially after your recent update?

Thank you.

peci1 commented

That's weird... How did you install it? Using pip?

peci1 commented

> especially after your recent update

What update do you mean? There hasn't been any source update since August '21 and no Pypi release since May '21.

Thanks for your quick response. Yes. pip3 install nvidia-htop

I just wanna double check if you heard of anyone having the same issue recently. I know nothing about these miner processes. I honestly have no idea why this is happening. I noticed this systemmd (double m, not systemd) running as root about 5 mins after I ran pip install. I am just trying to gather more information here.

peci1 commented

No, you're the first one reporting this issue. As there hasn't been any update of this package for almost a year, it is not probable that the package itself would be the source of problems. I see it as much more probable that your pip got hacked.

What's the output of which pip3 (or sudo which pip3 if you installed with sudo)?

The normal

/usr/local/anaconda3/bin/pip3

I did not use sudo.

peci1 commented

That looks ok (unless some virus changed the contents of that file).

There is a similar report from 1 year ago: https://www.reddit.com/r/Ubuntu/comments/k6vmg7/systemmd_process_using_cuda_and_4gb_of_gpu_memory/ . Can you also try to figure out where the systemmd file is located and who launches it?

peci1 commented

Please also try running:

pip3 download --dest "/tmp/download" nvidia-htop

and compare hashes of the downloaded files with those from https://pypi.org/project/nvidia-htop/#files .
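The hash comparison suggested in the comment above, as an added example that is not part of the original thread or of nvidia-htop: it hashes every file in a download directory and compares it with the published SHA-256 for the same filename. The metadata layout (`releases` → files → `digests.sha256`) is assumed to follow PyPI's JSON project metadata, and all file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def published_hashes(metadata):
    """Map filename -> sha256 for every file of every release in the metadata."""
    return {f["filename"]: f["digests"]["sha256"].lower()
            for files in metadata.get("releases", {}).values() for f in files}


def verify_downloads(download_dir, metadata):
    """Return {filename: 'match' | 'MISMATCH' | 'unknown'} per downloaded file."""
    expected = published_hashes(metadata)
    result = {}
    for path in sorted(p for p in Path(download_dir).iterdir() if p.is_file()):
        want = expected.get(path.name)
        if want is None:
            result[path.name] = "unknown"    # e.g. a dependency; check its own project
        elif sha256_of(path) == want:
            result[path.name] = "match"
        else:
            result[path.name] = "MISMATCH"   # same name, different bytes
    return result


def demo():
    """Constructed data: one intact file, one altered file, one unlisted file."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    meta = {"releases": {"1.0": [   # constructed, shaped like PyPI's JSON metadata
        {"filename": "pkg-1.0.tar.gz", "digests": {"sha256": digest(b"sdist")}},
        {"filename": "pkg-1.0-py3-none-any.whl", "digests": {"sha256": digest(b"wheel")}},
    ]}}
    with tempfile.TemporaryDirectory() as d:
        Path(d, "pkg-1.0.tar.gz").write_bytes(b"sdist")
        Path(d, "pkg-1.0-py3-none-any.whl").write_bytes(b"wheel, altered")
        Path(d, "dep-0.1.tar.gz").write_bytes(b"dependency")
        return verify_downloads(d, meta)


if __name__ == "__main__":
    print(demo())
```

A file reported as `unknown` is not evidence of tampering by itself; it only means the name is absent from the metadata that was supplied, as happens for a dependency downloaded alongside the package.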

peci1 commented

Also, the only dependency this program has is termcolor, which had its last release in 2011. termcolor itself has no dependencies. So it should also not be possible that one of the dependencies got hijacked.

I also found the Reddit post (and another post posted by the same person). Those suggestions did not help.

Thank you for all the suggestions. I will look into those. Thank you for your time and help. I do not think this is related to nvidia-htop either. (thx for the wonderful tool, btw) I will see if I can find someone who knows more about these kinds of miner processes, and I will let you know if I have any related updates.

peci1 commented

Okay. Let me know if you find something related. I'll leave this issue open for one more month so that people can see it, and if nobody else joins the discussion, I'll close it afterwards.

peci1 commented

I'm closing this issue. Feel free to drop a comment if you get any new insights.