This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vinodhini
Participant
‎2020-07-22 06:07 AM

"obamal" process consumes High CPU 100% in Mgmt server R80.20 with latest JHF

Dear All,

 

I have customer Mgmt server 80.20 with latest JHF.

In "top" command - could see "obamal" process taking 100% High CPU. SO unable to open SmartConsole.

The appliance rebooted a day before only, still no luck. Unable to get what this process is about. no much details in messages file also.

 

Attached screenshot. Can anyone give shed some info on this please....

 

 

Regards, Vinodhini

Preview file
164 KB
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-07-24 01:03 PM

I've never seen that process before and there's not even anything in SK about it.
Recommend a TAC case.

0 Kudos
John_Fleming
Advisor
‎2020-07-24 01:13 PM

Its a bitcoin miner mangs.. its not obamal its obama1. Explains the high cpu and memory usage.

Welcome to being owned. Proceed directly to pant pooping and give the IR line a call.

 

https://www.checkpoint.com/support-services/threatcloud-incident-response/

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2020-07-24 04:48 PM

After seeing John's post I initially thought he was answering in jest, but after some quick poking around on one of my lab systems it looks like he is not.

There is no legitimate process or program with anything approaching that name included in R80.20, so the process shouldn't be there.  Perhaps it is part of some kind of Threat Prevention update that my lab system does not have (hence the "mal" part of the name) but the question of how the program got onto that system needs to be answered, specifically as to whether it was placed there by an authorized user or an unauthorized one.  Good luck.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
John_Fleming
Advisor
‎2020-07-24 06:17 PM
In response to Timothy_Hall

My post was %100 was not in jest to be clear. Call the IR team as I said. Best case i'm completely wrong and IR team is like "thanks for wasting our time". Worst case you have an amazing team starting an IR process for you with a skill set you most likely can not bring. Checkpoint is here to help secure your everything.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-24 10:08 PM
In response to John_Fleming

100% in agreement here, best to get IRT involved.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events