I need urgent confirmation regarding a suspicious process running on my server.
I have a process named “[/usr/share/webm]” (notice the missing “in”) that is constantly consuming around 80% CPU.
It is located in /usr/share/webm but the permissions are set to d--------- (000), and I get “Operation not permitted” when trying to remove it as root (it seems to have immutable attributes set).
The “dpkg -S /usr/share/webm” command returns “no path found”.
Is this a legitimate Webmin file/process? Or is it a known crypto miner masquerading as Webmin?
It appears as in the process list but the load remains high.
It’s probably not actually consuming 80% all the time, only for a split second when you look at it.
It’s probably not /usr/share/webm; it’s probably just being truncated from /usr/share/webmin/somefilename.
It’s probably not malware.
Watch your server in top on an ssh session (not using Webmin, which can spike usage for a moment, when using the System Processes module or using the Webmin Terminal for system inspection). If you continue to see continuous high usage in top in an ssh session, then you know you have a problem you want to look into.
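A way to check what a bracketed entry in the process list really is, as an added example that is not part of the thread: `ps` and `top` print `[name]` when a process has no command line (kernel threads, zombies), and the kernel-kept name in `comm` holds at most 15 characters, while `/proc/PID/exe` always points at the binary actually running. The function name, the verdict labels and the optional second argument (an alternate proc root, so it can run on a copied tree) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PID from its /proc entries.
# Usage: classify_pid PID [PROC_ROOT]   (PROC_ROOT defaults to /proc)
# Prints one verdict on stdout and the raw evidence on stderr.
classify_pid() {
    pid=$1
    root=${2:-/proc}
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no-such-pid"; return 0; }

    # comm: name kept by the kernel, cut to 15 characters, settable by the process
    comm=$(cat "$dir/comm" 2>/dev/null) || :
    # argv0: first NUL-terminated string of cmdline, also writable by the process
    argv0=$( { tr '\000' '\n' < "$dir/cmdline"; } 2>/dev/null | head -n 1) || :
    # exe: kernel-maintained link to the mapped binary; the process cannot fake it
    exe=$(readlink "$dir/exe" 2>/dev/null) || :
    state=$(awk '/^State:/ {print $2; exit}' "$dir/status" 2>/dev/null) || :

    echo "pid=$pid state=$state comm=$comm argv0=$argv0 exe=$exe" >&2

    # A zombie has no cmdline and no exe; ps shows it as "[name] <defunct>".
    if [ "$state" = "Z" ]; then echo "zombie"; return 0; fi
    # Real kernel threads have neither a binary nor a command line.
    if [ -z "$exe" ] && [ -z "$argv0" ]; then echo "kernel-thread"; return 0; fi
    # Binary was unlinked after start: it runs from a file no longer on disk.
    case "$exe" in *" (deleted)") echo "exe-deleted"; return 0 ;; esac
    # User-space process (it has an exe) that wrote brackets into argv[0]
    # so that it reads like a kernel thread in the process list.
    case "$argv0" in "["*"]") echo "fake-kernel-name"; return 0 ;; esac
    # Has a binary but blanked its command line; tools fall back to [comm].
    if [ -z "$argv0" ]; then echo "empty-cmdline"; return 0; fi
    echo "ordinary"
}
```

On a live host run it as root with the PID taken from `top`, then pass the `exe` path it reports to `dpkg -S` and `lsattr`.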