I set up a Unifi Hosted Controller server with Vultr. Started out with the smallest Core which worked great up to about 8 sites. At that point anytime I would add another site it was like the server would disconnect and then reconnect with all the sites. So I posted about this and was advised to upgrade the server to a better core. It worked great. As soon as I did that everything was running awesome. Now the server is up to about 28 sites. Recently I went to add another site and noticed it was sluggish again. I went to check the usage graphs on the Vultr site and my CPU was at like 200%. I thought that can’t be good. So I updated to the next size server Core. 220% now. So I updated to the next size core, currently running a 4 vCore, 8192 RAM, and 160GB SSD. I’m thinking this should be more than sufficient. Then today I thought maybe I should update to the latest Controller software and maybe that would fix the issue. Now the server CPU is at 409%. Anyone have any ideas? I’ve set all my sites up to report back to a FQDN so I guess my next step would be to trash this server and start over. Currently updated to the 6.5.55 Controller software. Appreciate any advice.
Something seems wrong. Is someone running a crypto miner on that? I’m running about that many sites and my instance is:
CPU: 1 vCore
RAM: 2048 MB
Storage: 55 GB SSD
Bandwidth: [59.13 GB of 2000 GB]
CPU holding steady at 15%
For what you’re paying, wouldn’t hostifi make sense?
Are you using a container or native install of the deb package?
Native install of the deb package.
Yes, hostifi would make more sense. My point is to try and figure out what is wrong. I don’t want to set up with hostifi if I don’t have to. I recently found that there is a command being run by the unifi user called dbused. I saw a reddit thread that says this is some sort of virus maybe.
https://www.reddit.com/r/Ubiquiti/comments/s6w5rw/psa_my_unifi_controller_was_infected_you_may_want/
I’ve since been able to get access and counted 31 sites and total of 160 devices
What version were you running? Sounds like maybe you could have been pwned via log4j if you were on an impacted version.
I was on 6.5.53 prior to upgrading to 6.5.55. Is there a fix for what you are talking about?
Just be sure to be on the latest version.
Personally I’d make a new backup, shut down the VM, fire up a new VM and follow the excellent step by step instructions below and then restore from the backup…
Then do an apt update/upgrade weekly, which will install the latest security updates and the latest unifi controller at the same time.
Wait a day or so to confirm all OK, then delete the old instance.
This is good advice. I was thinking the same thing.
Icing on the cake… I also installed syncthing on the same server to automatically sync the folder that the unifi automatically backs up to, to my “syncthing server” running at home (one way sync only).
US Cybersecurity Dept had a warning with links to tools to detect vulnerability and if you are infected.
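For the check described earlier in the thread (an unexpected `dbused` command running as the `unifi` user), the following is an added example, not code from any poster or from Ubiquiti: it flags processes owned by the controller's service account that are not on an allow-list. The account name `unifi`, the allow-list (`java`, `jsvc`, `mongod`) and the sample process table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag processes owned by the UniFi service account that are
# not on an allow-list. Assumptions: the account is named "unifi" and the
# controller's own processes are java, jsvc and mongod; adjust for your host.

SERVICE_USER="unifi"
ALLOWED="java jsvc mongod"

# Reads lines of "USER PID %CPU COMMAND ARGS..." on stdin and prints
# "PID %CPU COMMAND" for each service-account process not in ALLOWED.
flag_unexpected() {
    awk -v user="$SERVICE_USER" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user && !($4 in ok) { print $2, $3, $4 }
    '
}

# Live check on the controller host (procps-ng ps, header suppressed).
scan_live() {
    ps -eo user:32,pid,pcpu,comm,args --no-headers | flag_unexpected
}

# Constructed sample in the same column layout, for an offline run.
sample_ps() {
    cat <<'EOF'
root 1 0.0 systemd /sbin/init
unifi 812 3.1 java /usr/bin/java -Dunifi.datadir=/var/lib/unifi
unifi 845 0.9 mongod bin/mongod --dbpath /usr/lib/unifi/data/db
unifi 4410 398.0 dbused ./dbused
www-data 990 0.1 nginx nginx: worker process
EOF
}

# Offline demonstration on the constructed sample.
sample_ps | flag_unexpected
```

Run `scan_live` on the controller itself. A name match is only a triage signal, since a process can be given any name, so a clean result does not rule out compromise.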