By Ur4nus
I’ve noticed for some time that my new droplet has been topping out at 100% CPU and for days. Running htop I’ve learned of these two files:
13931 www-data 20 0 180M 21344 2652 S 99.3 2.1 19h31:03 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
13932 www-data 20 0 180M 21344 2652 R 98.7 2.1 19h30:56 /tmp/phpeJCFnP_fkk2qr2rqjikiewz -c /tmp/phpeJCFnP.c
When I nano /tmp/phpeJCFnP.c I discover:
threads = 1
mine = stratum+tcp://44XNuUyCFUgjG23yPfCHpb572jwWanhYn7KZtiRcGmMoHc9BG9iZp5cVasUtz5Sq2GiJv8qoGDDVs6PXajCJumfdJbrR1P7:x@monerohash.com:3333/xmr
When I delete these files they simply return in some form. I suspect there is a file on the apache2 server that these guys are accessing.
If anyone has encountered this kind of malware and has any advice, please share?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
This comment has been deleted
In the case of any kind of infection, the recommended course of action is to back up the Droplet’s contents and redeploy a new one, making sure to only transfer over known files (i.e. your own) and to properly secure it (use ssh keys, disable root login, run apps and programs with only the security permissions that they need, etc.)
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.