
I have an Ubuntu system running an apache server. I have found a process cache.sh which I think might be a crypto-mining process and which is running all the time on my server consuming up to 98% CPU. This is causing other stuff to stop working like MySQL and apache.

I used the top command to find out that cache.sh is consuming all the CPU.

I have tried killing the process but it starts running again after some time.

I then learned that I could pause the process instead of killing it and that works quite well but I still want to find out what it is and get rid of it permanently. After restarting the whole server this process starts automatically.

The process cache.sh is running under www-data user, which is also responsible for handling the apache process which runs under the same user.

What could I do to find the origin of this process and to resolve this issue?

Deepak
    Possible duplicate of [I think I've been hacked, what can I do?](https://askubuntu.com/questions/694351/i-think-ive-been-hacked-what-can-i-do) – muru Oct 16 '18 at 05:26
    You can use the `lsof` command to find the files that are opened by the running process. This will help you the find the directory where the `cache.sh` file is located. Usage: `lsof -p PID` , where PID is the actual PID of the process. – RoseHosting Oct 16 '18 at 16:55
  • `locate cache.sh` will find the file. `dlocate -S cache.sh` will let you know if it came from a package. – waltinator Oct 20 '18 at 03:36

1 Answer


Look at the /proc directory for the cache.sh process. Each process has a /proc/<pid>/ directory where it keeps information like:

  • cwd – link to the current working directory
  • fd – a directory with links to the open files (file descriptors)
  • cmdline – read it to see what command line was used to start the process
  • environ – the environment variables for that process
  • root – a link to what the process considers its root directory. It will be / unless chrooted.

Running ps auxf will show you who forked what, so you may get a better idea what is calling your process.

Running lsof -p PID shows the files that are opened by the running process.

Source: Linux: How to know where a process was started and how it was started?

karel
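A small POSIX shell script that pulls the /proc entries from the answer together for one PID: its owner, cwd, root, exe, command line, a few telling environment variables, the parent chain, and open file descriptors. This is an added example, not code from karel's answer; the function names (`proc_origin`, `proc_ancestry`, `pids_by_name`) are my own, and `pids_by_name` is a pgrep-free way to find the PID of something like `cache.sh` by scanning /proc.

```shell
#!/bin/sh
# Added example: inspect /proc to learn where a process came from.

# Command line of PID with the NUL separators turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# PID followed by each ancestor PID, walking PPid: until it reaches 0 (init).
proc_ancestry() {
    pid=$1
    while [ "${pid:-0}" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        printf '%s\n' "$pid"
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    done
}

# PIDs whose comm or cmdline mentions NAME (e.g. cache.sh), without pgrep.
pids_by_name() {
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        if grep -q -- "$1" "$d/comm" 2>/dev/null || proc_cmdline "$p" | grep -q -- "$1"; then
            printf '%s\n' "$p"
        fi
    done
}

# Summarise the /proc entries the answer lists for one PID.
proc_origin() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")      # real UID
    echo "pid:     $pid"
    echo "user:    $uid ($(id -un "$uid" 2>/dev/null || echo unknown))"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    echo "root:    $(readlink "/proc/$pid/root")"             # not / means chrooted
    echo "exe:     $(readlink "/proc/$pid/exe")"              # "(deleted)" = binary removed after start
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "environ hints:"                                     # PWD/_ often reveal the launcher
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null | grep -E '^(PWD|HOME|SHELL|_)=' | sed 's/^/  /'
    echo "ancestry (pid: cmdline):"
    for p in $(proc_ancestry "$pid"); do echo "  $p: $(proc_cmdline "$p")"; done
    echo "open files:"
    for fd in "/proc/$pid"/fd/*; do
        [ -e "$fd" ] || continue
        echo "  $(basename "$fd") -> $(readlink "$fd")"
    done
}

# Usage: for p in $(pids_by_name cache.sh); do proc_origin "$p"; done
```

Run it as root (or as www-data) so /proc/<pid>/fd and environ of the suspect process are readable; the cwd, exe and ancestry lines usually point straight at the dropped script and whatever cron entry, web shell or PHP worker keeps relaunching it.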