Mfcttrf

Film where a boy turns into a princess

Character Frequency in a String

Inadvertently nuked my disk permission structure - why?

Area of parallelogram = Area of square. Shear transform

Other than a swing wing, what types of variable geometry have flown?

Is Grandpa Irrational? Another Grandpa Mystery

How to optimize IN query on indexed column

Determine if a triangle is equilateral, isosceles, or scalene

Why is the return type for ftell not fpos_t?

Is it normal practice to screen share with a client?

Keeping an "hot eyeball planet" wet

How can I prevent corporations from growing their own workforce?

How do campaign rallies gain candidates votes?

Why do people say "I am broke" instead of "I am broken"?

This message is flooding my syslog, how to find were it comes from?

Monty Hall Problem with a Fallible Monty

Memory capability and powers of 2

Why are angular mometum and angular velocity not necessarily parallel, but linear momentum and linear velocity are always parallel?

Spoken encryption

Is the apartment I want to rent a scam?

Problem loading expl3 in plain TeX

If my business card says 〇〇さん, does that mean I'm referring to myself with an honourific?

What do teaching faculty do during semester breaks?

Is there a published campaign where a missing artifact or a relic is creating trouble by its absence?

Strange Cron Job takes up 100% of CPU Ubuntu 18 LTS Server

List what a CRON Job is doingCron job not executing?Cron job not executingRunning CRON job on Ubuntu server for SugarCRMCron job isn't workingCron job every secondCron job not runningUbuntu Server cron job doesn't workCron job,crontabCron job stopped workingsetting up rsync cron job, not executing

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

3

1

I keep getting weir cron jobs showing up and I have no clue what they do. I typically issue kill -9 to stop them. They take up 100% of my CPU and can run for days until I check. Does anyone know what this means?

sudo crontab -l
0 0 */3 * * /root/.firefoxcatche/a/upd>/dev/null 2>&1
@reboot /root/.firefoxcatche/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.firefoxcatche/b/sync>/dev/null 2>&1
@reboot /root/.firefoxcatche/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.X13-unix/.rsync/c/aptitude>/dev/null 2>&1

I am running Ubuntu 18 LTS server fully up-to-date as of yesterday 7/24/2019

server cron rsync

share|improve this question

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  .firefoxcatche probably doesn't have anything to do with firefox – could this just be a bitcoin miner? Try uploading the executables to virustotal.
  
  – Thom Wiggers
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How do I do that?
  
  – MCP_infiltrator
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I can't find the crontab to hash it out
  
  – MCP_infiltrator
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  "I can't find the crontab to hash it out " what does that mean? why would sudo crontab -e to edit not work? But if this is a cryptominer you did not install... those will be re-added. 1st look in "/root/.firefoxcatche/a/upd" what it does.
  
  – Rinzwind
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  "Do I have to log in as root to get there? " This is a question I do not expect to see from a administrator. You really need to know what you are doing from now on. Change the admin password ASAP. Inspect the files listed in cron. Eradicate them.
  
  – Rinzwind
  9 hours ago
  

  
  
  
  

 | 
show 6 more comments

3

1

I keep getting weir cron jobs showing up and I have no clue what they do. I typically issue kill -9 to stop them. They take up 100% of my CPU and can run for days until I check. Does anyone know what this means?

sudo crontab -l
0 0 */3 * * /root/.firefoxcatche/a/upd>/dev/null 2>&1
@reboot /root/.firefoxcatche/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.firefoxcatche/b/sync>/dev/null 2>&1
@reboot /root/.firefoxcatche/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.X13-unix/.rsync/c/aptitude>/dev/null 2>&1

I am running Ubuntu 18 LTS server fully up-to-date as of yesterday 7/24/2019

server cron rsync

share|improve this question

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  .firefoxcatche probably doesn't have anything to do with firefox – could this just be a bitcoin miner? Try uploading the executables to virustotal.
  
  – Thom Wiggers
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How do I do that?
  
  – MCP_infiltrator
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I can't find the crontab to hash it out
  
  – MCP_infiltrator
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  "I can't find the crontab to hash it out " what does that mean? why would sudo crontab -e to edit not work? But if this is a cryptominer you did not install... those will be re-added. 1st look in "/root/.firefoxcatche/a/upd" what it does.
  
  – Rinzwind
  10 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  "Do I have to log in as root to get there? " This is a question I do not expect to see from a administrator. You really need to know what you are doing from now on. Change the admin password ASAP. Inspect the files listed in cron. Eradicate them.
  
  – Rinzwind
  9 hours ago
  

  
  
  
  

 | 
show 6 more comments

I keep getting weir cron jobs showing up and I have no clue what they do. I typically issue kill -9 to stop them. They take up 100% of my CPU and can run for days until I check. Does anyone know what this means?

sudo crontab -l
0 0 */3 * * /root/.firefoxcatche/a/upd>/dev/null 2>&1
@reboot /root/.firefoxcatche/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.firefoxcatche/b/sync>/dev/null 2>&1
@reboot /root/.firefoxcatche/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.X13-unix/.rsync/c/aptitude>/dev/null 2>&1

I am running Ubuntu 18 LTS server fully up-to-date as of yesterday 7/24/2019

server cron rsync

share|improve this question

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

sudo crontab -l
0 0 */3 * * /root/.firefoxcatche/a/upd>/dev/null 2>&1
@reboot /root/.firefoxcatche/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.firefoxcatche/b/sync>/dev/null 2>&1
@reboot /root/.firefoxcatche/b/sync>/dev/null 2>&1
#5 1 * * * /tmp/.X13-unix/.rsync/c/aptitude>/dev/null 2>&1

share|improve this question

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

share|improve this question

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

asked 10 hours ago

MCP_infiltratorMCP_infiltrator

14499 bronze badges

1 Answer
1

active

oldest

votes

9

Your machine most likely has a crypto miner infection. You can see someone else reporting similar filenames and behaviour: https://msandbu.org/real-life-detection-of-a-virtual-machine-in-azure-with-security-center/. See also https://www.reddit.com/r/linuxquestions/comments/9fnggy/my_ubuntu_server_has_a_virus_ive_located_it_but_i/.

You can no longer trust that machine, and should re-install it. Be careful with restoring backups.

share|improve this answer

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I agree. root password got compromised so re-install and be very careful with the backup; it could also be on there.
  
  – Rinzwind
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Womp womp womp womp sigh
  
  – MCP_infiltrator
  9 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1161003%2fstrange-cron-job-takes-up-100-of-cpu-ubuntu-18-lts-server%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

9

Your machine most likely has a crypto miner infection. You can see someone else reporting similar filenames and behaviour: https://msandbu.org/real-life-detection-of-a-virtual-machine-in-azure-with-security-center/. See also https://www.reddit.com/r/linuxquestions/comments/9fnggy/my_ubuntu_server_has_a_virus_ive_located_it_but_i/.

You can no longer trust that machine, and should re-install it. Be careful with restoring backups.

share|improve this answer

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I agree. root password got compromised so re-install and be very careful with the backup; it could also be on there.
  
  – Rinzwind
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Womp womp womp womp sigh
  
  – MCP_infiltrator
  9 hours ago
  

  
  
  
  

add a comment | 

9

Your machine most likely has a crypto miner infection. You can see someone else reporting similar filenames and behaviour: https://msandbu.org/real-life-detection-of-a-virtual-machine-in-azure-with-security-center/. See also https://www.reddit.com/r/linuxquestions/comments/9fnggy/my_ubuntu_server_has_a_virus_ive_located_it_but_i/.

You can no longer trust that machine, and should re-install it. Be careful with restoring backups.

share|improve this answer

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I agree. root password got compromised so re-install and be very careful with the backup; it could also be on there.
  
  – Rinzwind
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Womp womp womp womp sigh
  
  – MCP_infiltrator
  9 hours ago
  

  
  
  
  

add a comment | 

Your machine most likely has a crypto miner infection. You can see someone else reporting similar filenames and behaviour: https://msandbu.org/real-life-detection-of-a-virtual-machine-in-azure-with-security-center/. See also https://www.reddit.com/r/linuxquestions/comments/9fnggy/my_ubuntu_server_has_a_virus_ive_located_it_but_i/.

You can no longer trust that machine, and should re-install it. Be careful with restoring backups.

share|improve this answer

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges

share|improve this answer

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges

answered 10 hours ago

Thom WiggersThom Wiggers

25211 silver badge66 bronze badges