Ubuntu – Crypto miner malware


I keep finding my server with a 100% CPU usage, and it's an ambiguously named process that's hidden somewhere in the /etc/ folder running under root (always a different folder). The first time I found it I looked it up and confirmed it was a miner, killed the process using kill -9 PID and deleted the folder. But I found it another two times and decided to remove it again, but also change the passwords for the account I use to ssh into the server and also for root, but I just found it again.

Is there a way I can identify how a folder got there as there must be something still on my server that periodically checks for these files and if it doesn't find them downloads or extracts them again.

The miner was sending traffic to the following address: ip162.ip-5-135-85.eu which belongs to https://aeon.miner.rocks/

Can't paste text as I had just deleted the contents, but I had a screenshot taken before that

Best Answer

Do consider re-installing the server.

Check the following places:

  • crontab -l after using sudo -su
  • crontab -l with your admin user
  • contents of /etc/rc.local and /etc/apt/sources.list
  • the directories


    for services you do not recognize.

Those will be the main culprits.

aeon-stak-cpuzheck /bin/ for a aeon-stak-cpu.

Do a locate aeon. That might pop more directories.

I can not find a malware though. aeon is installed from command line so I expect someone has a connection to your machine.

Related Question