I've been asked to take a look at an old web server (Ubuntu 12.04) which has been running very slow recently.
After a quick check I found a process constantly topping the CPU:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
26331 root 20 0 413m 1728 1188 S 400 0.0 740:47.17 Welcom
It was running from the /tmp directory, where I found these 3 files:
/tmp
-rw-rw-rw- 1 root root 11624 Dec 29 14:50 tmplog
-rwxrwxrwx 1 root root 0 Jan 9 04:12 Wel*
-rwxrwxrwx 1 root root 1659720 Jan 6 22:18 Welcom*
The tmplog file kinda suggested it was a cryptocurrency miner:
tmplog top line:
CMD: /bin/wipefs -B -o stratum+tcp://pool.minexmr.com:443 -u 45WnHu.......
I immediately removed the files from /tmp, /bin and /etc/init.d which were linked to these executables, stopped the process and disabled root SSH login.
A minute or so later the Welcom file was back in /tmp and the process was up and running again.
I did some research and found these:
But I only managed to locate the tmplog and wipefs from the list of files. The tmplog is no longer updated, but the Welcom executable gets recreated in both /tmp and /bin.
How can I get rid of this without thrashing the box? Any help would be much appreciated.
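The post describes the classic symptom of a persistence mechanism that has not been found yet: the binary is deleted and comes straight back. Below is an added set of triage helpers (example code, not from the original post or any tool it mentions) that looks for the indicators the post gives, a process whose command line names a `stratum+tcp://` pool, world-writable root-owned executables in /tmp and /bin, and the persistence locations (cron, SysV init scripts, `/etc/ld.so.preload`) that can re-create them. The idea is to read the parent chain of the miner and those locations before deleting anything again. It assumes Linux with a /proc filesystem and a POSIX sh; the sample log line in the comments is constructed, with the wallet replaced by a placeholder.

```shell
#!/bin/sh
# Added triage helpers for a respawning miner (example code, not from the post).
# Assumes Linux /proc and POSIX sh. The "CMD:" sample in the comments below is a
# constructed example with the wallet replaced by WALLET_PLACEHOLDER.

# Succeed if a log file (e.g. /tmp/tmplog) records a mining-pool command line.
is_miner_log() {
    grep -q 'stratum+tcp://' "$1" 2>/dev/null
}

# Extract the pool "host:port" from a line such as
#   CMD: /bin/wipefs -B -o stratum+tcp://pool.minexmr.com:443 -u WALLET_PLACEHOLDER
# so it can be blocked at the firewall and searched for in DNS/proxy logs.
pool_from_log() {
    sed -n 's/.*stratum+tcp:\/\/\([^ ]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Print PIDs whose command line references a stratum pool (the miner itself).
miner_pids() {
    for d in /proc/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        if cat "$d/cmdline" 2>/dev/null | tr '\0' ' ' | grep -q 'stratum+tcp://'; then
            echo "${d#/proc/}"
        fi
    done
    return 0
}

# Walk the parent chain of a PID. Whatever keeps re-spawning the miner (a cron
# job, an init script, another dropper) usually shows up here; kill and remove
# that first, then the miner.
parent_chain() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || break
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null) || break
        echo "$pid $comm (parent $ppid)"
        pid=$ppid
    done
}

# World-writable, executable regular files directly under /tmp and /bin:
# the -rwxrwxrwx pattern from the post's listing.
world_writable_executables() {
    find /tmp /bin -maxdepth 1 -type f -perm -0002 -perm -0100 2>/dev/null
    return 0
}

# Persistence locations to review before deleting again (cron, SysV init as
# used on Ubuntu 12.04, and ld.so.preload).
persistence_listing() {
    ls -la /etc/cron* /var/spool/cron 2>/dev/null
    ls -la /etc/init.d /etc/rc*.d 2>/dev/null
    [ -s /etc/ld.so.preload ] && cat /etc/ld.so.preload
    return 0
}

# Full report. Usage: sh triage.sh --report
triage_report() {
    if is_miner_log /tmp/tmplog; then
        echo "== /tmp/tmplog references pool: $(pool_from_log /tmp/tmplog)"
    fi
    echo "== miner processes and their parent chains"
    for p in $(miner_pids); do parent_chain "$p"; echo; done
    echo "== world-writable executables in /tmp and /bin"
    world_writable_executables
    echo "== persistence locations"
    persistence_listing
}

if [ "${1:-}" = "--report" ]; then
    triage_report
fi
```

Run it as root with `--report`; the parent chain of the miner PID and the cron/init listings are where the respawner normally reveals itself. On a box where root-owned world-writable binaries were planted, the report is for scoping only: the safe end state is still a rebuild from known-good media with credentials rotated, since the attacker had root.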