In the previous blog of this series, we saw how server crashes can be avoided by detecting low disk space in time using logs. In this blog, we’ll talk about another server metric, disk usage, and how it can be linked to cryptojacking.
Unlike the percentage of used disk space, disk usage refers to the percentage of the maximum speed (measured in kB/sec) at which the data transfer takes place between the hard disk drive and RAM.
On average, disk usage on servers remains under 10 to 20 percent, but it may occasionally shoot up to 100 percent during heavy processing. Prolonged periods of 100 percent disk usage can result in errors that cause performance issues such as slow processing, freezing of applications, or the system becoming unresponsive.
Usually, high disk usage during heavy processing is simply due to multiple tasks running at once—initiation of backups, virus scans, and so on. However, it may also occur when your server is infected with cryptojacking malware.
Cryptojacking and how it affects you
Cryptojacking is an illegal form of cryptomining that uses a computer’s resources to mine cryptocurrency in an unauthorized way.
A popular way of carrying out cryptojacking is by deploying malware that has cryptomining payloads. This malware finds its way into your system through phishing emails. Once installed, it spreads laterally to other systems by exploiting vulnerabilities in your network, resulting in unauthorized use of your organization’s resources. This way, the attackers quietly earn money at your expense.
Cryptojacking can be extremely cumbersome on your systems. It not only results in huge electricity costs, but also wears down hard disks, resulting in hardware errors and reduced lifetimes.
Crytopjacking attacks are designed to stay hidden. Keeping an eye on high disk usage is possibly the only way to detect them before it causes damage.
Watch out for high disk usage using EventLog Analyzer
Though disk usage is a server metric, high disk usage can be identified through logs. Multiple entries of event ID 129 or event ID 153 in a short span of time usually indicates 100 percent disk usage. You can also keep an eye out for excessive logging of other disk-related errors. Timely alerting keeps your sysadmins up to date on any suspicious activity. The sooner suspicious activity is detected, the lower the chances of suffering damage.
ManageEngine Event Log Analyzer, a comprehensive log management solution that extensively audits server logs in your network and can help detect high disk usage. With an elaborate alerting feature that includes custom alerts, you can create your own alert profiles for any event and be notified in real time by email and SMS. Set up alerts for disk errors, and don’t miss any critical indicators of compromise in your network.
** Optrics Inc. is an Authorized ManageEngine partner
The original article can be found here: