Kthreaddk mining virus

SYSTEM INFORMATION
OS type and version: Ubuntu 18.04
Virtualmin version: 6.14

As the title states, I think I have been hacked with this malware. The thing is, I just can't kill the process because it keeps coming back, and it's consuming 100% of the CPU, which is giving me problems with the apps I have installed on the server. I have already installed ClamAV, but it doesn't detect the issue. Meanwhile, I have found someone with the same problem here; the only difference is that the name of my process is kthreaddk, but I don't know how to implement the solution because this is not my area of expertise, so I was wondering if anyone could help me with this.

Thanks for your time
Regards

Which user is it running under? The top command will tell you that.

If it is not root, then in Virtualmin, disable the virtual server which belongs to the user and restart services / reboot.

The process will not come back. That should fix your problem with 100% CPU usage. You can then restore from a known good copy of the backup of the virtual server you have disabled and take measures to secure it.

If the system has been rooted, you can never trust the system again. You need to restore from backups onto a new system, making sure to patch whatever hole was exploited.

If it hasn’t been rooted, you just need to figure out which user has been exploited and find the mechanism that is starting it (crontab, web app, whatever) and fix it. But, also you can’t trust anything in that user’s home. You need to restore files from last known good backup and make sure you patch whatever allowed the attacker in. Out of date apps are the usual place to start looking.
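The two checks the replies above describe (which user owns the process, and what mechanism such as a crontab keeps restarting it) can be scripted so they are not done by eye in top. The helper below is an added example written for this page, not code from the thread or from Virtualmin. It assumes a Linux host with POSIX sh, procps `ps`/`pgrep`, `crontab`, `getent` and `grep`; the process name defaults to `kthreaddk`; the sample process table and crontab embedded in it are constructed for offline use, not captured from a real machine. It reports only and deletes or kills nothing, so the result can be acted on the way the replies advise: disable the virtual server and restore the user's files from a known-good backup, or rebuild the host if the owner turns out to be root.

```shell
#!/bin/sh
# Added triage helper for a respawning CPU-hogging process such as the
# "kthreaddk" miner in this thread. Example code for this page, not from the
# thread or from Virtualmin. Assumptions: $1 is the process name (default
# "kthreaddk"); the host has POSIX sh, procps ps/pgrep, crontab, getent, grep.
# The script only reports; nothing is killed or deleted.

# Constructed sample process table in "ps -eo user:32,pid,pcpu,comm" layout,
# used for offline checks; not captured from a real host.
SAMPLE_PS='USER                               PID %CPU COMMAND
root                                 1  0.0 systemd
www-data                          4412 99.8 kthreaddk
www-data                          4413  0.1 bash
mysql                             1011  1.2 mysqld'

# Constructed sample crontab for the compromised account.
SAMPLE_CRON='MAILTO=""
*/5 * * * * /var/tmp/.x/kthreaddk >/dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh'

# owners_of PS_OUTPUT NAME
# Prints each distinct user running a process called NAME, one per line.
# Answers "which user is it running under?" without the interactive top view.
owners_of() {
    printf '%s\n' "$1" | awk -v name="$2" 'NR > 1 && $4 == name { print $1 }' | sort -u
}

# suspicious_cron CRONTAB_TEXT
# Prints crontab lines that look like a respawn loader: jobs run from
# world-writable or hidden paths, or that fetch and execute remote content.
# A legitimate job such as a nightly backup script is left alone.
suspicious_cron() {
    printf '%s\n' "$1" \
        | grep -E '(/tmp/|/var/tmp/|/dev/shm/|/\.[A-Za-z0-9_]|curl |wget |base64 )' \
        || true
}

# triage [NAME]
# Live version: reads the real process table, then for every owner of the
# process lists crontab entries and the per-user persistence spots attackers
# commonly use. Run as root so "crontab -l -u" works for other users.
triage() {
    name="${1:-kthreaddk}"
    owners=$(owners_of "$(ps -eo user:32,pid,pcpu,comm)" "$name")
    if [ -z "$owners" ]; then
        echo "no running process named $name"
        return 1
    fi
    for u in $owners; do
        echo "== $name is running as $u"
        if [ "$u" = root ]; then
            echo "   runs as root: treat the host as rooted and rebuild from backups"
        fi
        home=$(getent passwd "$u" | cut -d: -f6)
        echo "-- suspicious crontab entries for $u:"
        suspicious_cron "$(crontab -l -u "$u" 2>/dev/null)"
        echo "-- other per-user persistence to inspect:"
        ls -la "$home/.config/systemd/user" "$home/.ssh/authorized_keys" \
            "$home/.bashrc" "$home/.profile" 2>/dev/null
        echo "-- executables the process was started from ('(deleted)' means"
        echo "   the binary was removed after launch, a common miner trick):"
        for pid in $(pgrep -u "$u" -x "$name"); do
            ls -l "/proc/$pid/exe" 2>/dev/null
        done
    done
    echo "-- system-wide cron locations to check as well:"
    ls -la /etc/cron.d /etc/crontab /var/spool/cron/crontabs 2>/dev/null
}

# Only run the live triage when explicitly asked, so the helpers above can be
# sourced or tested without touching the running system.
if [ "${RUN_TRIAGE:-0}" = 1 ]; then
    triage "$@"
fi
```

Usage on the affected host is `sudo RUN_TRIAGE=1 sh triage.sh kthreaddk`. If the owner is root, the thread's advice applies: the host cannot be trusted and should be rebuilt from backups. If it is a virtual server's user, removing the cron entry and the files it points at stops the respawn, but the web application or credential that let the attacker write that crontab in the first place is the thing to find and patch; closing unrelated ports does not address it.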

Install htop if possible; it is easier to use than top.

Take care, though: users or apps can also legitimately do mining, so it need not be a virus at all.

https://www.reddit.com/r/MalwareAnalysis/comments/s0cmxj/sysrv_botnet_mining_malware_analysis_kthreaddk/

Thanks everyone for helping me. What I did was block the user and close the ports I had opened unnecessarily (I don't even know why they were open), and after that I rebooted as @calport said, and now everything is OK.

Thanks again for your time

It is good of you to keep the community informed about your progress and the efficacy of the suggestions offered to you via the forum.

From what I have understood from your most recent message, you have closed some open ports and that has addressed the issue of 100% CPU usage that you were experiencing.

I must caution you that your system will continue to remain vulnerable unless you disable the offending user and secure the user’s account.

I can't imagine ports have anything to do with it… and if they do, it means the service that was causing problems is still there, it's just not receiving any orders anymore (but the way it got in would likely still be present, and so exploitable again by the same or a new attacker… and this time they'll set up something that doesn't need an open port to operate).

Open ports are almost irrelevant to server security, as long as you aren't running services that shouldn't be running, or running them in configurations that are inappropriate for a world-facing server.


Hi Joe

Well, there were also some strange files (which I have deleted) and a cron job that started again every time I tried to kill it. That stopped happening after I deleted the files; then I killed the cron job, closed the ports and restarted the server. Right now the server is at 2% usage.

Thanks for the heads up.

Did you edit the crontab to remove the offending job? If you haven’t, it’s still there, regardless of ports.

Hi Joe

Yes, I did, thanks
