Malware: Droplet being used to mine cryptocurrency | Stratum

October 2, 2017 1.3k views
Security Apache Ubuntu 16.04

I've noticed for some time that my new droplet has been topping out at 100% CPU and for days.
Running htop I've learned of these two files:

13931 www-data   20   0  180M 21344  2652 S 99.3  2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
13932 www-data   20   0  180M 21344  2652 R 98.7  2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c

When I nano /tmp/phpeJCFnP.c I discover:

threads = 1
mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:x@monerohash.com:3333/xmr

When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.

If anyone has encountered this kind of malware and has any advice, please share?

1 Answer
Have another answer? Share your knowledge.