Ubuntu – crond64/tsm virus in Ubuntu

Recently I noticed my home server to get painfully slow. All the resources were eaten up by two processes: crond64 and tsm. Even though I repeatedly killed them, they kept showing up again and again.

At the same time, my ISP was notifying me about an abuse originating from my IP address:

==================== Excerpt from log for 178.22.105.xxx====================
Note: Local timezone is +0100 (CET)
Jan 28 20:55:44 shared06 sshd[26722]: Invalid user admin from 178.22.105.xxx
Jan 28 20:55:44 shared06 sshd[26722]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.22.105.xxx
Jan 28 20:55:45 shared06 sshd[26722]: Failed password for invalid user admin from 178.22.105.xxx port 33532 ssh2
Jan 28 20:55:46 shared06 sshd[26722]: Received disconnect from 178.22.105.xxx port 33532:11: Bye Bye [preauth]
Jan 28 20:55:46 shared06 sshd[26722]: Disconnected from 178.22.105.xxx port 33532 [preauth]
Jan 28 21:12:05 shared06 sshd[30920]: Invalid user odm from 178.22.105.xxx
Jan 28 21:12:05 shared06 sshd[30920]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.22.105.xxx
Jan 28 21:12:07 shared06 sshd[30920]: Failed password for invalid user odm from 178.22.105.xxx port 45114 ssh2
Jan 28 21:12:07 shared06 sshd[30920]: Received disconnect from 178.22.105.xxx port 45114:11: Bye Bye [preauth]
Jan 28 21:12:07 shared06 sshd[30920]: Disconnected from 178.22.105.xxx port 45114 [preauth]

I was tipped of by this website that I might have a virus. I run Sophos AV scanning my entire hard drive and indeed it found some virus in /tmp/.mountfs/.rsync. So I deleted the entire folder and thought this is it. But it kept coming back afterwards. Then I checked the user cron file in /var/spool/cron/crontabs/kodi (the virus was running using the user of my media server kodi), which looked like this:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Sun Feb  3 21:52:03 2019)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* */12 * * * /home/kodi/.ttp/a/upd>/dev/null 2>&1
@reboot /home/kodi/.ttp/a/upd>/dev/null 2>&1
5 8 * * 0 /home/kodi/.ttp/b/sync>/dev/null 2>&1
@reboot /home/kodi/.ttp/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.mountfs/.rsync/c/aptitude>/dev/null 2>&1

It looks like, the virus is reactivating itself every once in a while from another directory. The content of that directory is:

>>> ls /home/kodi/.ttp/*
/home/kodi/.ttp/cron.d  /home/kodi/.ttp/dir2.dir

/home/kodi/.ttp/a:
a  bash.pid  config.txt  crond32  crond64  cronda  crondb  dir.dir  pools.txt  run  stop  upd

/home/kodi/.ttp/b:
a  dir.dir  rsync  run  stop  sync

/home/kodi/.ttp/c:
aptitude  dir.dir  go  ip  lib  n  p  run  slow  start  stop  tsm  tsm32  tsm64  v  watchdog

I deleted all these files and the entries in the crontab and hope with this, the problem is solved. However, I would be interested what virus this was, how I might have caught it (it might be connected to Kodi) and what I can do to prevent it. Luckily, it was running only from a user with limited rights, but it still was annoying to deal with.

EDIT

Although I seemingly removed all the remains of this virus (I also removed the entire tmp folder), the virus kept coming back. I realized that there was an entry in ~/.ssh/authorized_hosts, which I definitely did not put myself. This explains how the virus could be replanted repeatedly. I removed the entry, disabled login for that user, disabled password login (passkey only), and use a non-standard port now.

I also noticed repeated login attempts on my server with random user names, probably by some kind of bot (the log looked astonishingly similar to the one launched from my IP, sent to me by my ISP). I guess that is how my computer got infected in the first place.