I have a strange process on Ubuntu 14.04 that fires up fairly frequently. It appears as a bash shell in top, I haven't actually located it in ps xfa.
When it runs, top says it's using 215% CPU and my load avg shoots up to 9. There's nothing in the root crontab and I haven't been able to locate anything else. Suggestions?
Found it in ps; it has this:
23266 ? Sl 106:29 sh -a cryptonight -o stratum+tcp://0x6BBF635F:3333 -u 47EaZKYrX8NBBCE4N1H5zhXn3FR3tFmGYSBQWPPt2Vg8GmCwiGuwKdMbXKHTCCKpAUjU9AJ6Se4PU7G7uDLDoE4h3dtjkck -p x -t 3
That doesn't help me much locate it, or stop it...
#*/30 * * * * /var/tmp/". "/c
was active in a user crontab. It looks normal except for the ". ". Any idea what that does?
Well you're right it was hacked... I left an insecure account available. On the plus side, it didn't have much in the way of permissions so I'm not going to reinstall everything.
The ". " essentially creates a hidden directory, which is inaccessible without using the quotes in the path name. Having finally found the path and removed the dir with extreme prejudice, and secured the account with a /bin/false for the shell, I believe this one is fixed.
ME
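
Added example, not part of the original post: a POSIX shell triage script for the three artefacts described in this thread (a directory named ". ", a crontab entry running out of /var/tmp, and a miner command line in ps). The scan roots, crontab locations and match patterns are assumptions; hits are leads for review, not proof.

```shell
#!/bin/sh
# Added example (not the poster's code). Patterns and paths are assumptions.

# Print directories whose name starts with a dot or whitespace and contains
# whitespace, e.g. ". " or ".. ", which pass for "." / ".." in ls output.
find_disguised_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -mindepth 1 -type d \
            \( -name '.*[[:space:]]*' -o -name '[[:space:]]*' \) -print 2>/dev/null
    done
    return 0
}

# Succeed if a crontab line (commented out or not) runs something from a
# world-writable temp directory or through a dot-plus-whitespace path component.
cron_line_is_suspicious() {
    printf '%s\n' "$1" | grep -Eq \
        "(^|[[:space:]\"'])/(var/tmp|tmp|dev/shm)/|/[\"']?\.+[[:space:]]+[\"']?/"
}

# Filter ps output on stdin down to lines carrying the miner markers seen in
# the thread: a stratum+tcp:// pool URL or "-a cryptonight".
miner_cmdlines() {
    grep -E -e 'stratum\+tcp://' -e '-a[[:space:]]+cryptonight' || true
}

# Run the live scan only when asked: sh triage.sh --scan (as root, so that
# every user's crontab under /var/spool/cron/crontabs is readable).
if [ "${1:-}" = "--scan" ]; then
    echo "== disguised directories =="
    find_disguised_dirs /tmp /var/tmp /dev/shm /home
    echo "== crontab lines to review =="
    for tab in /var/spool/cron/crontabs/* /etc/crontab /etc/cron.d/*; do
        [ -f "$tab" ] || continue
        while IFS= read -r l; do
            if cron_line_is_suspicious "$l"; then
                printf '%s: %s\n' "$tab" "$l"
            fi
        done < "$tab"
    done
    echo "== miner-like processes =="
    ps -eo pid,user,args | miner_cmdlines
fi
```

Legitimate jobs sometimes reference /tmp, so review each crontab hit before removing anything.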