In a VM on a cloud provider, I’m seeing a process with a weird random name. It consumes significant network and CPU resources.
Here’s how the process looks in the pstree view:
systemd(1)───eyshcjdmzg(37775)─┬─{eyshcjdmzg}(37782)
                               ├─{eyshcjdmzg}(37783)
                               └─{eyshcjdmzg}(37784)
I attached to the process using strace -p PID. Here’s the output I’ve got: https://gist.github.com/gmile/eb34d262012afeea82af1c21713b1be9.
Killing the process does not work. It is somehow (via systemd?) resurrected. Here’s how it looks from systemd’s point of view (note the weird IP address at the bottom):
$ systemctl status 37775
● session-60.scope - Session 60 of user root
    Loaded: loaded
 Transient: yes
   Drop-In: /run/systemd/system/session-60.scope.d
            └─50-After-systemd-logindx2eservice.conf, 50-After-systemd-user-sessionsx2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
    Active: active (abandoned) since Tue 2018-03-06 10:42:51 EET; 1 day 1h ago
     Tasks: 14
    Memory: 155.4M
       CPU: 18h 56min 4.266s
    CGroup: /user.slice/user-0.slice/session-60.scope
            ├─37775 cat resolv.conf
            ├─48798 cd /etc
            ├─48799 sh
            ├─48804 who
            ├─48806 ifconfig eth0
            ├─48807 netstat -an
            ├─48825 cd /etc
            ├─48828 id
            ├─48831 ps -ef
            ├─48833 grep "A"
            └─48834 whoami

Mar 06 10:42:51 k8s-master systemd[1]: Started Session 60 of user root.
Mar 06 10:43:27 k8s-master sshd[37594]: Received disconnect from 23.27.74.92 port 59964:11:
Mar 06 10:43:27 k8s-master sshd[37594]: Disconnected from 23.27.74.92 port 59964
Mar 06 10:43:27 k8s-master sshd[37594]: pam_unix(sshd:session): session closed for user root
What is going on?!
Answers:
Method 1
eyshcjdmzg is a Linux DDoS trojan (easily found through a Google search). You’ve likely been hacked.
Take that server off-line now. It’s not yours any longer.
Please read the following ServerFault Q/A carefully: How to deal with a compromised server.
Note that depending on who you are and where you are, you may additionally be legally obliged to report this incident to authorities. This is the case if you are working at a government agency in Sweden (e.g. a university), for example.
Related:
- How can I kill minerd malware on an AWS EC2 instance? (compromised server)
- Need help understanding suspicious SSH commands
Method 2
Yes. A Google search for eyshcjdmzg indicates that your server has been compromised.
See How do I deal with a compromised server? for what to do about that (in short, wipe the system and re-install from scratch – you can’t trust anything on it. I hope you have backups of important data and config files).
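Both answers are right that the box has to be treated as lost, but a responder usually wants a few minutes of volatile evidence before pulling it offline and reimaging: which binary is really behind the random name, whether it was unlinked from disk, which systemd session it lives in, and where the persistence sits that resurrects it after a kill. The script below is an added example, not code from the question, the answers, or any tool the page names. It reads /proc directly; the PROC_ROOT override, the evidence directory, the random-name heuristic and the list of persistence paths are my assumptions. It also makes the discrepancy in the post visible: the same PID 37775 shows as eyshcjdmzg in pstree (which prints /proc/PID/comm) and as `cat resolv.conf` in systemctl status (which prints /proc/PID/cmdline), which only happens when the argv a process presents does not match the binary it was started from.

```shell
#!/bin/sh
# Added example (not from the original post or answers): volatile triage of a
# suspicious Linux process via /proc, run BEFORE the machine is taken off the
# network and reimaged. PROC_ROOT can point at a copied or constructed /proc
# tree so the checks can be exercised offline (assumption, not a real flag).
PROC_ROOT="${PROC_ROOT:-/proc}"

# Heuristic (assumption, not a signature): 8-12 lowercase letters containing a
# run of 5+ consonants, e.g. "eyshcjdmzg". Daemons such as "containerd" or
# "postgres" pass; treat a hit as a reason to look closer, not as proof.
looks_random_name() {
    printf '%s' "$1" | grep -Eq '^[a-z]{8,12}$' || return 1
    printf '%s' "$1" | grep -Eq '[^aeiouy]{5,}'
}

# The exe symlink keeps resolving after the file is unlinked; a "(deleted)"
# suffix means the binary was removed from disk while the process kept running.
proc_exe_deleted() {
    target=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || return 1
    case "$target" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# argv with NUL separators turned into spaces (what systemctl status displays).
proc_cmdline() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" 2>/dev/null
}

# pstree prints comm, systemctl prints argv. A process whose argv reads
# "cat resolv.conf" while comm is "eyshcjdmzg" shows up here as a mismatch.
# comm is truncated to 15 bytes, so argv[0]'s basename is truncated the same way.
proc_identity_mismatch() {
    comm=$(cat "$PROC_ROOT/$1/comm" 2>/dev/null) || return 1
    argv0=$(tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" 2>/dev/null | head -n 1)
    [ -n "$argv0" ] || return 1
    expected=$(basename "$argv0" | cut -c1-15)
    [ "$comm" != "$expected" ]
}

# The systemd session scope the process lives in (works for cgroup v1 and v2 line formats).
proc_cgroup_session() {
    grep -o 'session-[0-9]*\.scope' "$PROC_ROOT/$1/cgroup" 2>/dev/null | head -n 1
}

# One-screen report plus a copy of the running binary, which is still readable
# through /proc/PID/exe even when it has been deleted from the filesystem.
triage_pid() {
    pid=$1
    d="$PROC_ROOT/$pid"
    evidence="${2:-/root/evidence}"   # assumed default location
    [ -d "$d" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "pid:     $pid"
    echo "comm:    $(cat "$d/comm" 2>/dev/null)"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "exe:     $(readlink "$d/exe" 2>/dev/null)"
    echo "cwd:     $(readlink "$d/cwd" 2>/dev/null)"
    echo "ppid:    $(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null)"
    echo "session: $(proc_cgroup_session "$pid")"
    echo "sockets: $(ls -l "$d/fd" 2>/dev/null | grep -c 'socket:')"
    looks_random_name "$(cat "$d/comm" 2>/dev/null)" && echo "FLAG: random-looking process name"
    proc_exe_deleted "$pid" && echo "FLAG: binary unlinked from disk while running"
    proc_identity_mismatch "$pid" && echo "FLAG: comm differs from argv[0] (spoofed command line)"
    mkdir -p "$evidence" && cp "$d/exe" "$evidence/$pid.bin" 2>/dev/null \
        && echo "saved copy of binary to $evidence/$pid.bin"
    return 0
}

# Persistence locations worth listing before reimaging (assumed list): anything
# recently changed here is a candidate for how a killed process comes back.
persistence_hints() {
    find /etc/crontab /etc/cron.d /etc/cron.hourly /var/spool/cron \
         /etc/rc.local /etc/init.d /etc/systemd/system /etc/ld.so.preload \
         /root/.ssh/authorized_keys -mtime -7 2>/dev/null
}

# Usage: sh triage.sh <pid> [evidence_dir]
if [ -n "${1:-}" ]; then
    triage_pid "$@"
    echo "--- persistence locations modified in the last 7 days ---"
    persistence_hints
fi
```

Run it as root against the PID from pstree, copy the evidence directory off the machine over a channel you control, and only then follow the advice above. The saved binary and the session number are what you hand to whoever does the post-mortem; the `session-60.scope` and the sshd lines in the question already point at an SSH login as root from the listed address as the entry point.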
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.