hey all
today, while i was checking my server i noticed a weird process in the processes list called “linuxsys”. it seemed suspicious (also because it was maxing out my cpu) so i checked where it was coming from. it was apparently a deleted file under /var/tmp, and that confirmed my initial suspicions that this was malware. it was running as the www-data user, so this had to do something with the www-data -> nginx -> php-fpm -> wordpress chain.
after careful investigation, i found a cron job that gets a couple of files and runs this executable (which was a ZEPH coin miner), and i removed the crontab entry. but even after doing so, the process kept spawning. i dug a bit deeper and saw that there were multiple “Akismet” plugins under my wordpress installation, and they were launching the miner as well. i got rid of them and now the problem seems to be gone, i’ll dig a bit deeper to see if there are any other files that got replaced/infected but yeah, this is just your reminder to always update to the latest version lol
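A check for the symptom described in the post (a process still running from a deleted file under /var/tmp), as an added example that is not part of the original post. The function names and the fake /proc tree are constructed for illustration; it assumes Linux with GNU `stat`.

```shell
#!/bin/sh
# Added example: flag processes whose executable was deleted from disk
# or lives in a world-writable temp directory.

# scan_procs [proc_root]  -> prints "pid<TAB>owner<TAB>reason<TAB>exe" per hit.
# proc_root defaults to /proc; it is a parameter so the scan can be tested.
scan_procs() {
    proc_root="${1:-/proc}"
    for piddir in "$proc_root"/[0-9]*; do
        [ -d "$piddir" ] || continue
        # /proc/PID/exe is a symlink to the binary. The kernel appends
        # " (deleted)" to the target once the file has been unlinked.
        # Kernel threads have no readable exe link and are skipped.
        exe=$(readlink "$piddir/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        reason=""
        case "$exe" in
            *" (deleted)") reason="deleted" ;;
        esac
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                reason="${reason:+$reason,}tempdir" ;;
        esac
        [ -n "$reason" ] || continue
        # The owner of /proc/PID is the user the process runs as.
        owner=$(stat -c %U "$piddir" 2>/dev/null || echo "?")
        printf '%s\t%s\t%s\t%s\n' "${piddir##*/}" "$owner" "$reason" "$exe"
    done
}

# Constructed sample: a fake /proc tree so the scan can be tried offline.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/102" "$d/103"
    ln -s "/var/tmp/linuxsys (deleted)" "$d/101/exe"  # the case from the post
    ln -s "/usr/sbin/nginx" "$d/102/exe"              # ordinary process
    ln -s "/usr/bin/python3 (deleted)" "$d/103/exe"   # binary replaced on disk
    echo "$d"
}

# Live use (as root, to see every user's processes):  scan_procs
# Offline demo:  scan_procs "$(make_sample_proc)"
```

A `deleted` hit on its own also appears for long-running services whose binary was replaced by a package upgrade; `deleted,tempdir` under a web-server account is the combination that matches what the post describes.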