I have an Ubuntu system running an Apache server. I have found a process cache.sh which I think might be a crypto-mining process and which is running all the time on my server consuming up to 98% CPU. This is causing other stuff to stop working like MySQL and Apache.

I used the top command to find out that cache.sh is consuming all the CPU.

I have tried killing the process but it starts running again after some time.

I then learned that I could pause the process instead of killing it and that works quite well but I still want to find out what it is and get rid of it permanently. After restarting the whole server this process starts automatically.

The process cache.sh is running under the www-data user, which is also responsible for handling the Apache process which runs under the same user.

What could I do to find the origin of this process and to resolve this issue?

Look at the /proc directory for the cache.sh process. Each process has a /proc/<pid>/ directory where it keeps information like: / unless chrooted.

Running ps auxf will show you who forked what, so you may get a better idea what is calling your process.

Running lsof -p PID shows the files that are opened by the running process.

Source: Linux: How to know where a process was started and how it was started?
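
The /proc lookups from the answer above, collected into one script. This is an added example, not part of the original answer; the function names are made up for illustration and it assumes a Linux /proc. It also follows the PPid field up the parent chain, the same relationship ps auxf draws as a tree.

```shell
#!/bin/sh
# Added example: summarise where a process came from using /proc/<pid>/.
# Function names are illustrative, not from any existing tool.

# Print one field ("Name", "PPid", "Uid", ...) from /proc/<pid>/status.
status_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Print the process and each of its ancestors as "pid name", child first.
# The body runs in a subshell so the loop variable stays private.
ancestry() (
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        echo "$pid $(status_field "$pid" Name)"
        pid=$(status_field "$pid" PPid) || break
    done
)

# Print the /proc entries that show how and where the process was started.
proc_origin() (
    pid=$1
    dir="/proc/$pid"
    # Subshell body: exit ends only this function call, with status 1.
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; exit 1; }
    # cmdline is NUL-separated; turn the separators into spaces.
    echo "cmdline: $(tr '\0' ' ' < "$dir/cmdline")"
    echo "uid:     $(status_field "$pid" Uid)"
    # Reading these links for another user's process needs root.
    echo "exe:     $(readlink "$dir/exe" 2>/dev/null || echo '?')"
    echo "cwd:     $(readlink "$dir/cwd" 2>/dev/null || echo '?')"
    echo "root:    $(readlink "$dir/root" 2>/dev/null || echo '?')"
    echo "ancestry (child first):"
    ancestry "$pid" | sed 's/^/  /'
)

# Run against a PID given on the command line, e.g. the one shown by top.
if [ $# -ge 1 ]; then
    proc_origin "$1"
fi
```

Run it as root with the PID of cache.sh taken from top; the exe and cwd lines show where the script lives on disk, and the ancestry lines show which process keeps launching it.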