I keep finding my server at 100% CPU usage, and it's an ambiguously named process that's hidden somewhere in the /etc/ folder running under root (always a different folder). The first time I found it, I looked it up and confirmed it was a miner, killed the process using kill -9 PID and deleted the folder. But I found it another two times and decided to remove it again, and also to change the passwords for the account I use to ssh into the server and for root, but I just found it again.
Is there a way I can identify how a folder got there? There must be something still on my server that periodically checks for these files and, if it doesn't find them, downloads or extracts them again.
The miner was sending traffic to the following address: ip162.ip-5-135-85.eu, which belongs to https://aeon.miner.rocks/