Malware: Droplet being used to mine cryptocurrency | Stratum
I've noticed for some time that my new droplet has been topping out at 100% CPU for days.
Running htop I've learned of these two files:
13931 www-data 20 0 180M 21344 2652 S 99.3 2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
13932 www-data 20 0 180M 21344 2652 R 98.7 2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
When I nano /tmp/phpeJCFnP.c I discover:
threads = 1
mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:firstname.lastname@example.org:3333/xmr
When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.
If anyone has encountered this kind of malware and has any advice, please share?
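A triage sketch for the symptoms described in the post, added here as an example and not part of the original post: it parses htop-style rows, flags web-server-owned processes whose binary runs from a world-writable directory, and extracts pool endpoints from a dropped config. The account list, directory list, function names, the third sample row and the sample config (placeholder wallet and host) are assumptions made for the example.

```python
import posixpath
import re

# Assumptions for this example: service accounts and world-writable directories to watch.
WEB_USERS = {"www-data", "apache", "nginx"}
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://\S+")

def parse_htop_row(line):
    """Parse one htop row: PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command."""
    fields = line.split(None, 11)
    if len(fields) < 12 or not fields[0].isdigit():
        return None  # header or truncated row
    return {"pid": int(fields[0]), "user": fields[1],
            "cpu": float(fields[8]), "argv": fields[11].split()}

def in_writable_dir(path):
    """True if the normalised path sits under a world-writable directory."""
    norm = posixpath.normpath(path)
    return any(norm.startswith(d + "/") for d in WRITABLE_DIRS)

def flag_processes(rows):
    """Return web-server-owned processes whose binary runs from a writable dir."""
    findings = []
    for row in rows:
        proc = parse_htop_row(row)
        if not proc or proc["user"] not in WEB_USERS:
            continue
        if in_writable_dir(proc["argv"][0]):
            # Any other argument under a writable dir is likely the dropped config.
            configs = [a for a in proc["argv"][1:] if in_writable_dir(a)]
            findings.append({"pid": proc["pid"], "exe": proc["argv"][0],
                             "cpu": proc["cpu"], "configs": configs})
    return findings

def extract_pools(config_text):
    """Pull mining-pool endpoints out of a dropped config file's text."""
    return STRATUM_RE.findall(config_text)

# Rows 1-2 are the htop output quoted in the post; row 3 and the config are constructed.
SAMPLE_ROWS = [
    "13931 www-data 20 0 180M 21344 2652 S 99.3 2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c",
    "13932 www-data 20 0 180M 21344 2652 R 98.7 2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c",
    "901 www-data 20 0 310M 15000 9000 S 0.7 1.4 0:02.11 /usr/sbin/apache2 -k start",
]
SAMPLE_CONFIG = "threads = 1\nmine = stratum+tcp://WALLET_PLACEHOLDER:x@pool.example.org:3333/xmr\n"

if __name__ == "__main__":
    for finding in flag_processes(SAMPLE_ROWS):
        print(finding)
    print(extract_pools(SAMPLE_CONFIG))
```

Because the files reappear after deletion, the flagged PIDs and config paths are a starting point for finding what writes them (web-server access logs, uploaded PHP files, cron entries for the same account), not a fix in themselves.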