
A process occupies a lot of CPU, and when I kill it with kill -9, it just re-runs under another name. [screenshot] How can I find it, kill it and delete it? Its parent PID is 1, it was started by the root user, and it runs from the /usr/bin directory with a random hex name like 3b62ba238f. When I try to kill it, it just re-runs with another new name/command. For example, if I kill process 15459 in the first picture, another process starts to run with a new name/command. [screenshot] Both occupy a lot of CPU and have a parent ID of 1.

The syslog prints the following when the new process starts: [screenshot] How can I find, shut down and delete the process/file?

The malware was found following the steps below.

  1. Find the service corresponding to the process.

     systemctl status <PID>

     [screenshot]

  2. Locate the service file, stop and remove the service. Then delete the files.

     systemctl stop pmapx_start_2
     systemctl disable pmapx_start_2
     rm -f /etc/systemd/system/multi-user.target.wants/pmapx_start_2.service
     rm -f /usr/sbin/route_forbidden-close

  • Have you examined, e.g., /proc/22730/cmdline? Note that /proc/*/cmdline is in NUL-separated format, so it is probably best to use hd aka hexdump instead of just cat. That might give you something to grep for in your system's startup files (which will vary depending on which init you're using, probably systemd as it's the default for most distros these days). – cas Jun 02 '21 at 08:01
  • Also, look in /proc/22730/fd to see what files and/or sockets it has open. Use something like ls -lF, because you want to see the symlink targets. – cas Jun 02 '21 at 08:04
  • It looks like you're infected and running some malware/crypto miner. Consider this system 100% compromised and unfit for use. Wipe it clean (all the disks completely) and reinstall. – Artem S. Tashkinov Jun 02 '21 at 10:36
  • Most likely infected, but it's a good idea to investigate and confirm before wiping. – cas Jun 02 '21 at 11:31
  • Have you tried merely suspending the process? This will give you a chance to do some investigation. kill -s STOP <pid>. – Jeremy Boden Jun 02 '21 at 12:26
  • Thanks guys for the advice. The process was shut down. But to be honest, I don't know which operations shut it down. For more information, every time I try kill -9 the syslog prints 3 log lines: ubuntu systemd[1]: Stopped System function loader.., – Jun 03 '21 at 01:01
  • ubuntu systemd[1]: Starting System function loader...., and ubuntu systemd[1]: Started System function loader... If the process is a normal system process, I don't know why its behavior was abnormal. The process had been running since April 1st, the last time I rebooted, until I noticed it these days. I thought the key step was that I removed clamav (apt-get remove clamav-base), because I really did nothing more than that. I don't know why, but it just worked. – Jun 03 '21 at 01:15
  • I was wrong. The process shows up again today. And it can't be killed. – Jun 04 '21 at 03:09
  • And it can't be killed. When I killed the current process, a new process just showed up a little later with a different command. But they are both in the /usr/bin directory with a random hex name and the same file size. The syslog prints the following when the new process starts: ubuntu systemd[1]: Stopped System function loader.. ubuntu systemd[1]: Starting System function loader.... ubuntu systemd[1]: Started System function loader... – Jun 04 '21 at 03:17
  • Thanks, the link is helpful. I think I found and deleted the service that was consuming the CPU; it looks like miner malware. – Jun 04 '21 at 06:16
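A triage script for the procedure in the post (find the owning unit, then stop, disable and remove it) and for the suggestions in the comments (read the NUL-separated /proc/<pid>/cmdline, list /proc/<pid>/fd targets, freeze with SIGSTOP instead of kill -9), added here as an example rather than code from the question or the comments. The function names unit_from_cgroup, cmdline_to_text and triage_pid are my own; it assumes a Linux host with /proc, systemd, and a cgroup v2 layout or a v1 name=systemd hierarchy.

```shell
#!/bin/sh
# Triage helper for a process that systemd keeps restarting (added example, not from the thread).
# Assumed: Linux with /proc, systemd, and cgroup v2 or v1 with the name=systemd hierarchy.

# Print the systemd unit (.service/.scope) that owns a process, read from its cgroup file.
# v2 line: 0::/system.slice/pmapx_start_2.service   v1 line: 1:name=systemd:/system.slice/x.service
unit_from_cgroup() {
    awk -F/ '{ u = $NF; if (u ~ /\.(service|scope)$/) { print u; exit } }' "$1"
}

# /proc/<pid>/cmdline is NUL-separated (as cas noted); render it as one printable line.
cmdline_to_text() {
    tr '\000' ' ' < "$1" | sed 's/ $//'
}

# Gather what you need before touching the process: binary, argv, parent, owning unit, open fds.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "exe    : $(readlink "/proc/$pid/exe")"
    echo "cmdline: $(cmdline_to_text "/proc/$pid/cmdline")"
    echo "ppid   : $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")"
    unit=$(unit_from_cgroup "/proc/$pid/cgroup")
    echo "unit   : ${unit:-<none>}"
    if [ -n "$unit" ]; then
        # The unit file is what re-launches the binary after kill -9; this shows where it lives.
        systemctl show -p FragmentPath -p ExecStart -p Restart "$unit"
    fi
    echo "open files and sockets:"
    ls -lF "/proc/$pid/fd" 2>/dev/null | sed 's/^/  /'
    # Freeze instead of killing: systemd only restarts the unit when the process exits.
    kill -STOP "$pid" && echo "pid $pid frozen with SIGSTOP; systemctl stop/disable ${unit:-its unit} before removing files"
}

if [ "$#" -eq 1 ]; then
    triage_pid "$1"
fi
```

Run it as root with the PID from top; the unit name it prints is the argument for the systemctl stop and disable steps above.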
