
When I run iotop, I get information that `python3 /~.pid -x -b` is consuming high I/O.

What is that, and how do I fix this?

Thanks for your help.

[Image: High io]

Zanna

1 Answer


A hidden Py3 script in an unexpected location, that is running as root, and that is generating lots of disk activity?

  • That's likely malware. Legitimate software doesn't hide itself in an unexpected location.
  • Running as root is particularly worrisome -- it could have installed backdoors, keyloggers, and all manner of nasties.
  • Looks like your system has been compromised. An attacker has gained root.

Wipe the compromised system, including all data, and clean-install Ubuntu again.

  • Even if you delete the offending file, the attacker had root access and may have installed other nefarious programs on your system.
  • Do not attempt to preserve your data. It may be contaminated. Restore data from uncontaminated backups. This is one reason you have backups. Alternately, you can quarantine those files, and run ClamAV on them after the new system is installed. ClamAV is not perfect, and may miss some malware. I suggest isolating and testing the quarantined files in a VM for a few weeks. (Backups are easier.)
user535733
  • I don't understand the path `/~.pid`. It's nonsense to me. How can a file be located at such an address? And also it cannot even be a bash alias. So do you have any idea what that is? – Parsa Mousavi Jun 27 '20 at 20:28
  • Thanks for your answer. Now I have created a new VPS and moved my site to the new VPS. But I didn't delete my hacked VPS; I preserved it to learn why I got hacked. Can you please answer my next question regarding this? https://askubuntu.com/questions/1254440/strange-path-or-folder-on-hacked-vps – Nanang Arema Jun 28 '20 at 02:52
  • @ParsaMousavi It's a file located at `/` (root) named `~.pid` – Ravexina Jun 28 '20 at 04:20
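
The three signals the answer lists (an interpreter running a hidden or oddly named script, from an unexpected location, as root) can be checked across every process on a live host by reading `/proc`. The following is an added example, not part of the original thread; the interpreter pattern, the directory list and the file-name heuristics are assumptions chosen for illustration, and only the first sample command line comes from the question.

```python
import os
import re

INTERPRETERS = re.compile(r"^(python[\d.]*|perl|ruby|sh|bash|dash)$")
# Assumption: directories where a long-running script is unexpected.
ODD_DIRS = {"/", "/tmp", "/var/tmp", "/dev/shm"}

def script_arg(argv):
    """Return the script path passed to the interpreter, or None."""
    for arg in argv[1:]:
        if arg in ("-c", "-m"):        # inline code or module, no script file
            return None
        if not arg.startswith("-"):
            return arg
    return None

def reasons(uid, argv):
    """List which of the answer's three signals a process shows."""
    if not argv or not INTERPRETERS.match(os.path.basename(argv[0])):
        return []
    script = script_arg(argv)
    if script is None:
        return []
    found, name = [], os.path.basename(script)
    if name.startswith((".", "~")) or name.endswith(".pid"):
        found.append("hidden or disguised file name")
    if os.path.dirname(script) in ODD_DIRS:
        found.append("unexpected directory")
    if found and uid == 0:
        found.append("running as root")
    return found

def scan_proc(proc="/proc"):
    """Yield (pid, uid, argv, reasons) for each flagged live process."""
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{entry}/cmdline", "rb") as fh:
                raw = fh.read().decode(errors="replace")
            uid = os.stat(f"{proc}/{entry}").st_uid  # normally the effective UID
        except OSError:                # process exited or access denied
            continue
        argv = raw.rstrip("\0").split("\0")
        why = reasons(uid, argv)
        if why:
            yield int(entry), uid, argv, why

# Constructed sample: (uid, argv) pairs; the first is the command from the question.
SAMPLE = [(0, ["python3", "/~.pid", "-x", "-b"]),
          (1000, ["python3", "/home/user/app/manage.py", "runserver"])]

if __name__ == "__main__":
    for pid, uid, argv, why in scan_proc():
        print(pid, uid, " ".join(argv), "->", ", ".join(why))
```

Run it as root so that every `/proc/<pid>/cmdline` is readable; a process that hides or rewrites its command line will not be flagged by this check.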