I’ve noticed for some time that my new droplet has been topping out at 100% CPU and for days. Running htop I’ve learned of these two files:
13931 www-data 20 0 180M 21344 2652 S 99.3 2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c 13932 www-data 20 0 180M 21344 2652 R 98.7 2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
When I nano /tmp/phpeJCFnP.c I discover:
threads = 1 mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:firstname.lastname@example.org:3333/xmr
When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.
If anyone has encountered this kind of malware and has any advice, please share?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Click below to sign up and get $100 of credit to try our products over 60 days!