Recently I've noticed that my server load was constantly 1.0 and I kept wondering what it could be. Today I discovered that a Bitcoin miner named Minerd runs on my server under the www-data user and it's just killing my server with 99.6% usage. Can anyone explain how that could have happened? Please note: I have the root user password deactivated on this server and I followed The Perfect Server - Ubuntu 11.04 [ISPConfig 3] instructions to set up my server on Ubuntu. Thank you. The Bitcoin miner is located in the /tmp directory, runs under process number 9347 and under the www-data user.
Most likely you are affected by the current PHP CGI exploit. Check whether the PHP version of your server is vulnerable: http://www.howtoforge.com/forums/showthread.php?t=63740
I've investigated the problem on my server a bit and I've noticed that before the Bitcoin miner process starts, every time I reboot the server there is another process running under user "nobody" and its description says something like jk_soket or jr_soket. Is this user legitimate? Now I get this error in the system log:
Nov 16 12:00:20 server postfix/sendmail[17845]: fatal: file /etc/postfix/main.cf: parameter default_privs: unknown user name value: nobody
The good thing is that the Bitcoin miner has not started again, yet, and all the executable files in the /tmp directory have disappeared.
If rkhunter says the system is infected, then the best option is to back up the sites, email folders and databases (and a copy of the /etc/ directory, as you might need some settings from it on the new server) and then reinstall the system.