
I've been asked to take a look at an old web server (Ubuntu 12.04) which has been running very slowly recently.

After a quick check I found a process constantly topping the CPU:

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
26331 root      20   0  413m 1728 1188 S  400  0.0 740:47.17 Welcom

It was running from the /tmp directory, where I found these 3 files:

/tmp
-rw-rw-rw-  1 root         root            11624 Dec 29 14:50 tmplog
-rwxrwxrwx  1 root         root                0 Jan  9 04:12 Wel*
-rwxrwxrwx  1 root         root          1659720 Jan  6 22:18 Welcom*

The tmplog file kinda suggested it was a cryptocurrency miner:

tmplog top line:
CMD: /bin/wipefs -B -o stratum+tcp://pool.minexmr.com:443 -u 45WnHu.......

I immediately removed the files from /tmp, /bin and /etc/init.d which were linked to these executables, stopped the process and disabled root SSH login.

A minute or so later the Welcom file was back in /tmp and the process was up and running again.

I did some research and found these:

https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar

https://www.hybrid-analysis.com/sample/4d289aac77e0e2e7b8d109dd1fa4f6ac2079d64d98e97ce0b6c24462c228547e?environmentId=300

But I only managed to locate tmplog and wipefs from the list of files. The tmplog is no longer updated, but the Welcom executable gets recreated in both /tmp and /bin.

How can I get rid of this without thrashing the box? Any help would be much appreciated.

Arturski
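When a removed binary keeps coming back, something still on the box is respawning it (a cron entry, an init/upstart script, rc.local, a shell profile, or a still-running parent whose executable was deleted). The script below is an added example, not code from the post or from the linked write-ups: it greps the usual persistence locations for the indicators the question mentions (Welcom, wipefs, minexmr) and lists processes whose executable is deleted or lives under /tmp. The IOC_REGEX list and the ROOT argument (for scanning a mounted image or a test fixture) are this example's own choices.

```shell
#!/bin/sh
# Added example: locate what re-creates /tmp/Welcom and /bin/Welcom.
# Indicators are the ones seen in the question; extend as needed.
IOC_REGEX='Welcom|wipefs|minexmr'

# Print every persistence file under ROOT that mentions an indicator.
# Usage: scan_persistence /        (live system)
#        scan_persistence /mnt/img (offline image or test fixture)
scan_persistence() {
    root="${1:-/}"
    # Places a respawner commonly hides on an upstart-era Ubuntu (12.04).
    for p in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
             var/spool/cron/crontabs etc/rc.local etc/init.d etc/init \
             etc/ld.so.preload etc/profile.d root/.bashrc root/.profile; do
        path="$root/$p"
        [ -e "$path" ] || continue
        # -r recurse into directories, -l print matching file names only,
        # -E extended regex; "|| true" keeps a no-match from aborting under set -e
        grep -rlE "$IOC_REGEX" "$path" 2>/dev/null || true
    done
}

# Print "PID target" for processes whose executable was deleted from disk
# (a miner that unlinks itself after starting) or runs out of /tmp.
find_suspicious_procs() {
    for exe in /proc/[0-9]*/exe; do
        pid="${exe#/proc/}"; pid="${pid%/exe}"
        target="$(readlink "$exe" 2>/dev/null)" || continue
        case "$target" in
            *"(deleted)"*|/tmp/*) echo "$pid $target" ;;
        esac
    done
}

# Number of persistence hits under ROOT, handy for a watchdog or a test.
count_hits() {
    scan_persistence "${1:-/}" | wc -l | tr -d ' '
}

# Run both checks against the live system when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    scan_persistence /
    find_suspicious_procs
fi
```

Whatever scan_persistence reports should be read before it is deleted, since the respawner usually also names the download location and any other dropped files; on a 12.04 box also check the PID reported by find_suspicious_procs with `ls -l /proc/PID/cwd` and its parent in `ps -o ppid= -p PID` before killing it.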
