Ubuntu – Weird service with the name “Carbon” running every day and occupying 100% CPU


For the last few weeks, there has been weird activity on my Ubuntu test server. Please check the below screenshot from htop. Every day this weird service (which seems like a cryptocurrency mining service) is running and taking 100% of CPU.
[Screenshot from htop]

My server is only accessible through ssh key and password login has been disabled. I have tried to find any file with this name, but couldn't find any.

Can you please help me with the below issues:

  • How to find the process location from process ID?
  • How do I completely remove this?
  • Any idea how this may have got onto my server? The server mainly runs test versions of a few Django deployments.

Best Answer

As explained by other answers, it's malware that uses your computer to mine cryptocoins. The good news is that it's unlikely to be doing anything other than using your CPU and electricity.

Here is a bit more information and what you can do to fight back once you've got rid of it.

The malware is mining an altcoin called Monero to one of the largest Monero pools, crypto-pool.fr. That pool is legitimate and they are unlikely to be the source of the malware; that's not how they make money.

If you want to annoy whoever wrote that malware, you could contact the administrator of the pool (there is an email on the support page of their site). They don't like botnets, so if you report to them the address used by the malware (the long string that starts with 42Hr...), they will probably decide to suspend the payments to that address, which will make the life of the hacker who wrote that piece of sh.. a bit more difficult.

This may help too: How can I kill minerd malware on an AWS EC2 instance? (compromised server)
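
For the first question (finding where a process lives from its PID), an added example that is not part of the original answer: on Linux the kernel exposes this under `/proc/<pid>`. The function names are hypothetical and the copy destination in the printed hint is a placeholder path.

```bash
#!/usr/bin/env bash
# Added example: triage a suspicious PID through /proc (Linux only).
# The name htop shows comes from comm/cmdline, which a process can set
# itself; /proc/<pid>/exe is the kernel's record of the file that was run.

# Print the kernel-recorded executable path for a PID.
pid_exe() {
    readlink "/proc/$1/exe"
}

# Succeed if the link text says the binary was unlinked after launch,
# which is why a search of the filesystem by name can find nothing.
is_deleted_link() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Print the NUL-separated command line as one space-separated string.
pid_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

# Print a short report for one PID; run as root to inspect other users.
pid_report() {
    local pid=$1 exe
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    exe=$(pid_exe "$pid") || { echo "cannot read /proc/$pid/exe" >&2; return 1; }
    echo "pid:     $pid"
    echo "comm:    $(cat "/proc/$pid/comm")"
    echo "cmdline: $(pid_cmdline "$pid")"
    echo "exe:     $exe"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    echo "user:    $(stat -c %U "/proc/$pid")"
    if is_deleted_link "$exe"; then
        # The file content is still reachable while the process is alive.
        echo "note: binary deleted after launch; save a copy before killing:"
        echo "  cp /proc/$pid/exe /root/pid-$pid.bin   # placeholder path"
    fi
}

# Usage: ./pid-triage.sh <PID>
if [ $# -gt 0 ]; then
    pid_report "$1"
fi
```

The `user` and `cwd` lines show which account launched the process and from which directory, which narrows down which deployment or account to examine.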
