
My mini server has MariaDB 10 installed. Some days my server is very slow, so I checked with the commands ps -ef and top.

I checked and there is a suspicious process. Its name is twoamp.

The problem is that the subject that executed this process is mysql.

I searched on Google, but did not get any information about the process called twoamp.

If I kill this process, it will respawn again.

What is the identity of that process?

Can I check the specific log of a running process?

ps -ef | grep mysql:

mysql     1154     1  0 10월13 ?      00:16:56 /usr/sbin/mysqld
mysql     2446     1  0 10월13 ?      00:00:04 l64gm64gu3sgptdr
mysql     2457  2446  0 10월13 ?      00:00:00 [sh] <defunct>
mysql     5981  2446  0 10:44 ?        00:00:00 l64gm64gu3sgptdr
mysql     5982  5981  0 10:44 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;ps x | grep twoamp | grep -v grep | grep -v export | grep -v wget > /dev/null || /tmp/twoamp random 2>&1
mysql     5988  5982  0 10:44 ?        00:00:00 /tmp/twoamp random
mysql     5989  5988  2 10:44 ?        00:00:11 /tmp/twoamp random

I didn't find l64gm64gu3sgptdr

  • Your server is likely compromised and is being used by some third party for their own purposes. You need to restore the server from known good backups and then make sure all your updates are properly installed. – Tero Kilkanen Oct 15 '21 at 13:57
  • @TeroKilkanen Thanks for your answer. Unfortunately, I don't have a backup of the server software or configuration files :( but I have a data backup, so I will reinstall the OS, DB, etc. Thanks! – S. Baek Oct 19 '21 at 08:16
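
The process tree in the question's `ps -ef` output, triaged as an added example (not part of the original question or comments): it flags processes of the mysql account that are not the expected daemon or that run a file from a world-writable directory, and reports the top of the flagged tree, the parent under which the `sh -c` check that starts /tmp/twoamp runs. The allowlist and the directory list are assumptions.

```python
import re

# Constructed sample: the `ps -ef | grep mysql` output quoted in the question.
PS_OUTPUT = """\
mysql     1154     1  0 10월13 ?      00:16:56 /usr/sbin/mysqld
mysql     2446     1  0 10월13 ?      00:00:04 l64gm64gu3sgptdr
mysql     2457  2446  0 10월13 ?      00:00:00 [sh] <defunct>
mysql     5981  2446  0 10:44 ?        00:00:00 l64gm64gu3sgptdr
mysql     5982  5981  0 10:44 ?        00:00:00 sh -c export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;ps x | grep twoamp | grep -v grep | grep -v export | grep -v wget > /dev/null || /tmp/twoamp random 2>&1
mysql     5988  5982  0 10:44 ?        00:00:00 /tmp/twoamp random
mysql     5989  5988  2 10:44 ?        00:00:11 /tmp/twoamp random
"""

EXPECTED = {"mysql": {"/usr/sbin/mysqld"}}  # assumption: binaries this account should run
WRITABLE = re.compile(r"(?:^|[\s;|&])(/tmp|/var/tmp|/dev/shm)/\S+")  # assumed directory list

def parse(text):
    """Parse `ps -ef` rows (UID PID PPID C STIME TTY TIME CMD) into {pid: info}."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 7)
        if len(f) == 8 and f[1].isdigit() and f[2].isdigit():
            procs[int(f[1])] = {"user": f[0], "ppid": int(f[2]), "cmd": f[7]}
    return procs

def triage(procs):
    """Return {pid: [reasons]} for service-account processes that look out of place."""
    findings = {}
    for pid, p in procs.items():
        if p["user"] not in EXPECTED:
            continue
        reasons = []
        if p["cmd"].split()[0] not in EXPECTED[p["user"]]:
            reasons.append("unexpected executable for service account")
        if WRITABLE.search(p["cmd"]):
            reasons.append("runs a file from a world-writable directory")
        if reasons:
            findings[pid] = reasons
    return findings

def respawn_roots(procs, findings):
    """Flagged PIDs whose parent is not flagged: the top of each suspicious tree."""
    return sorted(pid for pid in findings if procs[pid]["ppid"] not in findings)

if __name__ == "__main__":
    procs = parse(PS_OUTPUT)
    found = triage(procs)
    for pid in sorted(found):
        print(pid, procs[pid]["cmd"][:40], "->", "; ".join(found[pid]))
    print("top of flagged tree:", respawn_roots(procs, found))
```

On a live host, `ls -l /proc/<pid>/exe /proc/<pid>/cwd` for the reported PIDs shows where each binary lives on disk, which is useful to record before the reinstall.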

0 Answers