I ran into the following problem: after buying a VPS from Hetzner, for reasons that are not clear to me, someone endlessly runs the standard console commands who, netstat and others. It would have gone unnoticed if they did not fully load the processor.

[screenshot]

If I kill whichever process is loading the CPU the most

 kill -9 13213 

then netstat starts immediately, and so on. lsof shows:

[screenshot]

I ran:

 rkhunter -c -sk
 chkrootkit

When trying to run:

 lsof -c 13213 

it outputs nothing.

In /proc/{pid}/maps I see this:

[screenshot]

/usr/bin/uspezmpywh - this file, naturally, keeps changing after the process is killed. Inside it: [screenshot]

Found nothing significant. On the system itself, if you look at the output of who, there is only one authorized user. Initially, many different people had access to the system, so anything could have ended up there. This is the first time I have faced something like this. I would be grateful for any hint.

UPD: In /proc/{pid}/status:

[screenshot]

Nothing could be found in /etc/init; in /etc/init.d/{name_proc}:

[screenshot]


1 answer

https://habrahabr.ru/post/248933/

HEUR: Trojan-DDoS.Linux.Xarcen.a

  • Please try to publish detailed answers containing a specific example of the minimum solution, supplementing them with a link to the source. Link-only answers (as well as comments) do not add knowledge to the Runet. - Nicolas Chabanovsky
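
A triage sketch for the symptom described in the question, added here as an example and not part of the original post or answer: it lists processes whose displayed name differs from the binary behind /proc/PID/exe and keeps those whose binary name also has an /etc/init.d script. The ROOT prefix, the function names and the file name triage.sh are assumptions, as is the reading that the who/netstat entries are the /usr/bin binary running under another name.

```shell
#!/bin/sh
# Added triage example, not from the original post. ROOT is a hypothetical
# prefix argument: empty for the live system, or a mounted image / test tree.

# Print "pid<TAB>argv0<TAB>exe" for every process whose displayed name
# (argv[0]) differs from the binary it actually runs (/proc/PID/exe).
masquerading_procs() (
    root="${1:-}"
    for dir in "$root"/proc/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue
        exe="${exe% (deleted)}"      # binary was replaced or unlinked after start
        argv0="$(tr '\000' '\n' < "$dir/cmdline" | head -n 1)"
        [ -n "$argv0" ] || continue  # kernel threads have an empty cmdline
        [ "${argv0##*/}" = "${exe##*/}" ] && continue
        printf '%s\t%s\t%s\n' "${dir##*/}" "$argv0" "$exe"
    done
)

# Keep only the mismatches whose binary name also has an init script: the
# /usr/bin/<name> plus /etc/init.d/<name> pairing described in the question.
respawn_suspects() (
    root="${1:-}"
    tab="$(printf '\t')"
    masquerading_procs "$root" | while IFS="$tab" read -r pid argv0 exe; do
        name="${exe##*/}"
        if [ -e "$root/etc/init.d/$name" ]; then
            printf '%s shown-as=%s exe=%s init=/etc/init.d/%s\n' \
                "$pid" "$argv0" "$exe" "$name"
        fi
    done
)

# Run as root so every /proc/PID/exe is readable: sh triage.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    respawn_suspects "${2:-}"
fi
```

A name mismatch alone is common (sh provided by dash, interpreters, busybox), which is why the init.d pairing is required; a reported line is a lead to inspect, not a verdict.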