Crypto mining trojan (not)

daniel.m.tripp · May 27, 2024, 2:45am

Anyone ever noticed some dodgy looking process eating CPU? e.g. in top or htop or bashtop? I’m running Pop!_OS - but - I’ve seen this before on Ubuntu 20, or 22 or something, maybe even Fedora 36/37 (Gnome).

“tracker-miner-fs”?

It’s VERY badly named - it looks like it could be some crypto miner or something - anyway - I don’t need it - or want it…

It’s not a trojan, and it’s not crypto-mining - all it does is some kinda shonky indexing for the gnome file manager to be able to search files “faster”…

I DON’T USE GNOME to search for files - I use a terminal and find command…

So I wrote a shell script : ~/bin/fkov :

╭─x@titan ~/bin  ‹main*› 
╰─➤  bat fkov
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: fkov
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ #!/usr/bin/env bash
   2   │ # FCK OFF TRACKER-MINER BULLSH!T - looks like spyware???
   3   │ #
   4   │ SVC="tracker-miner-fs-3.service"
   5   │ systemctl --user stop $SVC
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Why it should be eating the highest number of CPU cycles in my process tree - I’ll NEVER know - nor will I care in future… If I see that bugger eating them - I’ll kill it with “fkov”.

I guess I could disable it… But I so rarely reboot - I’ll leave it like that for the time being…

BTW - you cannot simply remove it - because the WHOLE GNOME desktop expects it to be there - e.g. “sudo apt remove tracker-miner-fs” fails 'cause of dependancies - and a “sudo apt purge tracker-miner-fs” would probably KILL the whole Gnome DE I’d imagine…

Damn - even the above didn’t work - there was still a PID /usr/libexec/tracker-miner-fs-3! so :

╭─x@titan ~/bin  ‹main*› 
╰─➤  bat fkov
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: fkov
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ #!/usr/bin/env bash
   2   │ # FCK OFF TRACKER-MINER BULLSH!T - looks like spyware???
   3   │ #
   4   │ SVC="tracker-miner-fs-3.service"
   5   │ systemctl --user stop $SVC
   6   │ # it might still be running - so gotta track it down and MURDER it to death : 
   7   │ PROC="tracker-miner"
   8   │ KILLPID=$(ps -ef |grep $PROC |grep -v grep|awk '{print $2}')
   9   │ if [ ! -z $KILLPID ] ; then 
  10   │     kill -9 $KILLPID
  11   │ fi
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

(note the PID I found was owned by “me” so no need for “sudo kill …”)

nevj · May 27, 2024, 3:59am

If systemd is like s6 it will restart a daemon if you kill it . Its called Process Supervision, but I would call it blatent interference.
On the other hand, stop should work… if it doesnt there must be some dependency that insists it be there.
How about writing your own version of tracker-miner-fs that does nothing, and substitute it for the real binary, like a trojan horse.?

kovacslt · May 27, 2024, 6:25am

apt search tracker-miner-fs
Rendezés... Kész
Keresés a teljes szövegben... Kész
tracker-miner-fs/stable 3.4.3-1 amd64
  metadata database, indexer and search tool - filesystem indexer

It says it’s some indexing of your files so you can find them more easily with some search tool?

I don’t have it installed, so don’t know, but maybe you could try to purge that package.
Having it not installed is probably somewhat better than killing its process all the time…

daniel.m.tripp · May 27, 2024, 9:25am

“purge” result could be drastic and unknown… it could potentially remove a bunch of other stuff and kill the desktop… I’ve seen things like this happen before :

╭─x@titan ~  
╰─➤  sudo apt remove tracker-miner-fs 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 pop-desktop : PreDepends: pop-de-gnome but it is not going to be installed

My “pop-desktop” is dependancy…

kovacslt · May 27, 2024, 11:35am

Oh, yes, then it’s a Gnome dependency.
(I’m on KDE now)
Then purge is not an option…
Probably it’s a systemd user service, so if you kill it, systemd respawns - I believe…
There must be a way to disable it.

pdecker · May 28, 2024, 4:36pm

Windows has a similar situation where a process seems to consume a lot of CPU. But the indexing service (not sure of the name) can be disabled.

I wonder if you could change this tracker-miner-fs service to be disabled. That way it’s still installed but doesn’t start.

nevj · May 28, 2024, 6:10pm

Make a trojan horse. Trick it into starting something else. That will satisfy the
dependencies.

daniel.m.tripp · July 1, 2024, 12:35pm

What a truly STEENKING pile of crap that “tracker-miner” garbage is!

Something was eating all my bash (zsh) completion stuff - taking like 30 seconds to “cd” into a dir et cetera…

So I checked - sure enough - track-miner bullshit is STILL running after two reboots and me disabling it in systemd - and eating away at several cores worth of compute!

Soon as I killed the f–ker - my shell behaviour and response returned to normal - so us shell / terminal / keyboard commando users have to pay a performance price so that GUI “clickety click click” only users can search for shit in nautilus a tad faster? Is it, or was it, worth it?