Hacked TrueNas? Crypto mining on all CPU cores.

Snow (Patron, joined Aug 1, 2014, 309 messages):
Logged in to my primary NAS to see it running at 100%, this is not normal. I started to dig and after running top and ps aux in the GUI shell I found some strange stuff going on. I've never installed or operated any cryptocurrency mining software on my TrueNAS.
I found some user that I did not create in top. The user was running Java as user 333. ps aux showed Crypto Returns for every one of my 24 CPU cores. Also some other strange stuff like a remote mouse and other stuff posted in the screenshots below. I also include a debug file.

Any and all advice is welcome. Do I need to go scorched earth policy on my NAS? Just wipe the system and disks, or will a config reinstall wipe the access? I still have the problem of how they got on the system. Am I just being paranoid? Should I contact law enforcement?

[Screenshots attached: freenas hacked 1.png through freenas hacked 4.png]

Samuel Tai (Moderator, joined Apr 24, 2020, 5,399 messages):
Unless you've exposed your TrueNAS system directly to the Internet, I don't think you've been hacked. The [Crypto returns x] processes are kernel lines associated with crypto processing, and not specific to any user. The question is why you'd suddenly get a surge of crypto processes. Did you recently create an encrypted pool or dataset? The mouse processes are normal parts of the OS. Can you provide details of the UID 333 and the Java process?

I also deleted the debug you attached; please don't attach them in public, but only in PMs.

Snow (Patron, joined Aug 1, 2014, 309 messages):
Has not shown up in top or ps aux after running a debug. The 1st and 2nd debugs I ran failed with no errors. Why would there be crypto processes running on all cores? Is this normal? I guess I just assumed it was mining. Is there user/password data in a debug?

Samuel Tai (Moderator, joined Apr 24, 2020, 5,399 messages):
Yes, a debug contains the database, which has user account info. As for crypto, that depends on the specific CPU, but Intel CPUs with AES-NI support typically try to spread the load to all cores for crypto processing. Were you replicating an encrypted dataset, or doing anything with crypto?

Snow (Patron, joined Aug 1, 2014, 309 messages):
Nope, I do not use any crypto of any kind on the disks. But the user that was using Java I've never seen before. Also I do not have a user or group that uses 333. I looked and did not see a built-in one either. I was not doing anything with any datasets or replication either.

Samuel Tai (Moderator, joined Apr 24, 2020, 5,399 messages):
Do you have any jails or plugins running? Those accounts show up in the main ps -aux as well. On my system with a 4-core Hyper-Threading AES-NI Xeon, I see [crypto return <core ID>] for all cores, with 0 usage, like your screenshots above. So this just looks like kernel accounting for AES-NI threads, and not active running crypto jobs.

Snow (Patron, joined Aug 1, 2014, 309 messages):
Yes I do; I looked at my other NAS and it was there as well. The only thing that has me questioning that something is off was the user 333 and it running as Java. I have Plex, Medusa, Transmission, SABnzbd, Home Assistant, MQTT, Node-RED and TasmoAdmin. No VMs.

Patrick M. Hausen (Hall of Famer, joined Nov 25, 2013, 7,776 messages):
Try ps awwux | grep java and you might see what these processes are doing.
grep 333 /mnt/<poolname>/iocage/jails/*/root/etc/passwd might find that ominous user account.
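Patrick's two commands above, generalized a little in an added shell example that is not from this thread: it matches UID 333 exactly (not as a substring) in every jail's passwd file under an assumed iocage path, and pulls the java command lines out of saved ps awwux output. The jail tree, the service account and the ps lines are constructed stand-ins so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Jails keep their own /etc/passwd, so a
# UID the host cannot name (333 here) is usually a service account created by
# a package inside one jail. Resolve which jail, and list java command lines,
# using constructed stand-in data so it runs offline.
# ASSUMPTION: jail roots sit at $BASE/<jailname>/root (iocage layout).

make_fixture() {   # constructed jail tree plus saved `ps awwux` output
  base=$(mktemp -d)
  for j in plex homeassistant; do
    mkdir -p "$base/$j/root/etc"
    printf 'root:*:0:0:Charlie &:/root:/bin/sh\n' > "$base/$j/root/etc/passwd"
  done
  # Constructed entry: a package inside one jail owns UID 333.
  printf 'svcjava:*:333:333:Constructed service account:/nonexistent:/usr/sbin/nologin\n' \
    >> "$base/homeassistant/root/etc/passwd"
  # Constructed ps lines; USER is a bare number when the host cannot resolve it.
  printf '%s\n' \
    'USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND' \
    '333 4242 95.0 2.1 900000 80000 - SJ 10:00AM 3:02.11 /usr/local/bin/java -jar /app/service.jar' \
    'root 1 0.0 0.0 11000 1000 - ILs 09:00AM 0:00.05 /sbin/init' > "$base/ps.txt"
  echo "$base"
}

# find_uid_owner BASE UID -> one "jail:user" line per jail that defines UID.
find_uid_owner() {
  base=$1; uid=$2
  for pw in "$base"/*/root/etc/passwd; do
    jail=${pw#"$base"/}; jail=${jail%%/*}
    # Exact match on passwd field 3, so 333 never matches 1333 or a GID.
    awk -F: -v u="$uid" -v j="$jail" '$3 == u { print j ":" $1 }' "$pw"
  done
}

# java_cmds FILE -> "USER<TAB>COMMAND" for each java process in saved ps output.
java_cmds() {
  awk '$11 ~ /(^|\/)java$/ {
         cmd = $11; for (i = 12; i <= NF; i++) cmd = cmd " " $i
         print $1 "\t" cmd
       }' "$1"
}

main() {
  base=$(make_fixture)
  echo "UID 333 defined in:"; find_uid_owner "$base" 333
  echo "java processes:";     java_cmds "$base/ps.txt"
  rm -rf "$base"
}
main
```

On a real system, point find_uid_owner at /mnt/<poolname>/iocage/jails and feed java_cmds the output of ps awwux saved to a file.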
 

Snow (Patron, joined Aug 1, 2014, 309 messages):
[Screenshots attached: java2.png, java.png]

Snow (Patron, joined Aug 1, 2014, 309 messages):
What do you think? Is there a command to see past users?