Haas_proxy CPU usage on Omnia

Process “haas_proxy” is using more than 70% of CPU on my Omnia (original from Indiegogo campaign).
I tried to restart HAAS, but after some hours the problem is back again:

Here is the list of processes - the “sshpass” processes look strange to me:

root 27185 1 28 Oct23 ? 06:10:35 python3 -m haas_proxy --pidfile=/var/run/haas-proxy.pid --nodaemon haas_proxy --log-level=warning --device-token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --port=2525
root 812 808 0 20:45 pts/0 00:00:00 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=error -p 10011 root@haas-app.nic.cz curl http://5.45.65.88/ -s -X PUT --max-redirs 5 --compressed --cookie ‘xNRNIjIUEYadnDn3’ --raw --referer ‘Ask.com - What's Your Question?
root 808 27185 0 20:45 ? 00:00:00 sshpass -p xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=error -p 10011 root@haas-app.nic.cz curl http://5.45.65.88/ -s -X PUT --max-redirs 5 --compressed --cookie ‘xNRNIjIUEYadnDn3’ --raw --referer ‘Ask.com - What's Your Question?
root 3355 27185 1 20:45 ? 00:00:00 sshpass -p xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=error -p 10011 root@haas-app.nic.cz curl http://5.45.65.88/ -s -X PATCH --max-redirs 5 --compressed --cookie ‘brIjUpDsKm8LGw0V’ --raw --referer ‘World of Warcraft
root 3358 27185 1 20:45 ? 00:00:00 sshpass -p xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=error -p 10011 root@haas-app.nic.cz curl http://5.45.65.88/ -s -X PATCH --max-redirs 5 --compressed --cookie ‘brIjUpDsKm8LGw0V’ --raw --referer ‘World of Warcraft
root 6874 27185 0 20:46 ? 00:00:00 sshpass -p xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=error -p 10011 root@haas-app.nic.cz curl http://5.45.65.88/ -s -X OPTIONS --max-redirs 5 --compressed --cookie ‘PCSC2dod5vNMCSil’ --raw --referer ‘Search | Miller Center
root 3353 27185 1 20:45 ? 00:00:00 [sshpass]
root 6869 27185 0 20:46 ? 00:00:00 [sshpass]
root 6870 27185 0 20:46 ? 00:00:00 [sshpass]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is the same token as on https://haas.nic.cz/device/

After stopping “haas_proxy”, CPU usage decreased from 80% to 2%:

and also temperature decreased from 80 to 60 degrees:

Is it only me, or can you see the same problem?
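
A triage sketch for the process list above, added here as an example and not part of the original post or of haas_proxy itself: it counts the sshpass children hanging off each haas_proxy process and summarises the commands being forwarded. The sample listing is constructed (placeholder host, password and addresses), and the `max_children` threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample in `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD),
# modelled on the listing in the post; host, password and IPs are placeholders.
SAMPLE_PS = """\
root 27185 1 28 Oct23 ? 06:10:35 python3 -m haas_proxy --nodaemon --device-token=TOKEN --port=2525
root 808 27185 0 20:45 ? 00:00:00 sshpass -p REDACTED ssh -p 10011 root@haas.example curl http://192.0.2.10/ -s -X PUT
root 812 808 0 20:45 pts/0 00:00:00 ssh -p 10011 root@haas.example curl http://192.0.2.10/ -s -X PUT
root 3355 27185 1 20:45 ? 00:00:00 sshpass -p REDACTED ssh -p 10011 root@haas.example curl http://192.0.2.10/ -s -X PATCH
root 6874 27185 0 20:46 ? 00:00:00 sshpass -p REDACTED ssh -p 10011 root@haas.example curl http://192.0.2.10/ -s -X OPTIONS
root 3353 27185 1 20:45 ? 00:00:00 [sshpass]
root 6869 27185 0 20:46 ? 00:00:00 [sshpass]
root 999 1 0 Oct23 ? 00:00:01 /usr/sbin/dropbear -p 22
"""

# Text after the first user@host argument is the command forwarded upstream.
FORWARDED = re.compile(r"\s\S+@\S+\s+(.+)$")

def parse_ps(text):
    procs = []
    for line in text.splitlines():
        f = line.split(None, 7)
        if len(f) == 8 and f[1].isdigit() and f[2].isdigit():
            procs.append({"pid": int(f[1]), "ppid": int(f[2]), "cmd": f[7]})
    return procs

def triage(text, max_children=3):  # max_children: assumed alert threshold
    procs = parse_ps(text)
    proxies = {p["pid"] for p in procs if "-m haas_proxy" in p["cmd"]}
    kids = [p for p in procs if p["ppid"] in proxies
            and p["cmd"].startswith(("sshpass", "[sshpass]"))]
    tools, urls = Counter(), set()
    for p in kids:
        m = FORWARDED.search(p["cmd"])
        if m:
            words = m.group(1).split()
            tools[words[0]] += 1
            urls.update(w for w in words if w.startswith(("http://", "https://")))
    return {"proxy_pids": sorted(proxies), "children": len(kids),
            # bracketed entries have no command line left (e.g. exited, not reaped)
            "bare": sum(p["cmd"].startswith("[") for p in kids),
            "tools": dict(tools), "urls": sorted(urls),
            "flood": len(kids) > max_children}

if __name__ == "__main__":
    print(triage(SAMPLE_PS))
```
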


Nope, same here… For 2 days already.

Something’s fishy

Not happening to me, neither on HBS nor on HBT. Can’t it be that you are actually under attack?

Had to switch off haas here since I have the same syslog and process clutter.

So yes, it looks like someone found a way to tackle the haas pot?

I can see a lot of sessions from 79.137.202.16 since 22.10. 16:17 at https://haas.nic.cz/device/.
It is strange that the number of connections in the list was increasing even when address 79.137.202.16 was on the current list of the dynamic firewall (list checked on 24.10. in the morning, HAAS stopped late in the evening).
Is it possible that the list of blocked IPs from the dynamic firewall is not used for HAAS connections?

Here it has this line repeating itself:
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: 2024-10-25T09:12:09 CRITICAL twisted Error executing command “b"curl http://5.45.65.88/ -s -X HEAD --max-redirs 5 --compressed --cookie ‘xxxxxxxxxxxxxxxx’ --raw --referer ‘https://r.search.yahoo.com/’”"
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: Traceback (most recent call last):
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: File “/usr/lib/python3.10/site-packages/twisted/conch/ssh/session.py”, line 98, in request_exec
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: File “/usr/lib/python3.10/site-packages/haas_proxy/proxy.py”, line 209, in execCommand
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: File “/usr/lib/python3.10/site-packages/twisted/internet/posixbase.py”, line 197, in spawnProcess
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: File “/usr/lib/python3.10/site-packages/twisted/internet/process.py”, line 685, in init
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: File “/usr/lib/python3.10/site-packages/twisted/internet/process.py”, line 673, in pipe
Oct 25 07:12:09 turristhuis haas-proxy-start[17853]: OSError: [Errno 24] No file descriptors available


Well, a reboot could help with this.

Well, did a reboot twice, comes back. Already made a support ticket.

I do hope the team makes this port a part of the sentinel FW concept, instead of this separate pot.

Edit: seems to be either repaired, or over now?


aaaaaaaaaaaaaaaaaaaand it’s back

Just got the latest reply from support, you were right. This was not normal, and they fixed it after 4 days.
That matches with what my syslog tells me.

So good that you mentioned it here :)

I have not yet received any response from support, but it really seems to be fixed.
HAAS is running again on my Omnia since yesterday and no problem yet.