
So lately, every time I start up my Linux server, all two CPUs are 100% utilised, and when I check the processes running, I see a process called "S01wipefs" taking up all my CPU.

CPU utilisation

When I type "which S01wipefs", I get:

/usr/bin/which: no S01wipefs in (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)

Essentially, nothing.

Please, how do I resolve this?

Akin_Glen

2 Answers


By googling it, it seems to be malware, so all bets are off as to what happens if you try to remove/kill it. The safest option, without knowing how it works, is to bring the system offline as soon as possible and try to salvage everything important by mounting the data partitions (noexec, read-only) on a fresher system. Check later for malware-specific removal instructions if they are not yet available. Note that whichever way the malware got onto your system, that way may still be open.

That being said, if you don't care about the safety of the rest of your data or your network, you can try stopping it with kill -STOP and try to find all its other components. /proc/PID/exe as a link, /proc/PID/fd for the files in use, and the contents of /proc/PID/maps are usually revealing about what it does and what other components it relies on to be restarted.

chexum
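Putting the /proc checks from this answer into a defender's script, as an added example that is not part of the thread or anyone's posted code: it freezes the suspect PID with kill -STOP, then snapshots the read-only views of /proc/PID (exe and cwd links, cmdline, fd listing, status, maps) into an evidence directory and pulls out the unique backing files plus a count of "(deleted)" mappings, which is how a binary that unlinked itself from disk still shows up. The sample maps lines, the /tmp/.cache path and the evidence directory name are constructed placeholders; nothing in the script executes the suspect binary, and run without a PID it exercises the parsing on the constructed sample only.

```shell
#!/bin/sh
# Evidence-collection helper for a suspect process, following the /proc-based
# checks in the answer above (exe link, fd list, maps, kill -STOP).
# Added example; not from the thread. Paths and sample data are constructed.
# Usage: sh triage.sh <PID>   freeze <PID> and snapshot /proc/<PID> into ./evidence-<PID>
#        sh triage.sh         run the built-in demo on a constructed maps file
# Afterwards, salvage data as the answer advises: mount the partitions on a clean
# host read-only and noexec, e.g.  mount -o ro,noexec,nosuid,nodev /dev/sdX /mnt/salvage

# Freeze the process first: a stopped process cannot respawn helpers or wipe its
# own traces while /proc is being read. SIGCONT resumes it; killing it comes later,
# once the other components are known.
freeze_pid() {
    kill -STOP "$1"
}

# Unique backing files from a /proc/PID/maps-format file. Field 6 is the path;
# anonymous mappings have no field 6 and pseudo-paths such as [stack] lack the
# leading slash, so both are skipped.
mapped_files() {
    awk 'NF >= 6 && $6 ~ /^\// { print $6 }' "$1" | sort -u
}

# Number of mappings whose backing file was unlinked after being mapped.
# A binary that deleted itself from disk still appears here as "(deleted)".
deleted_mappings() {
    awk '/\(deleted\)/ { n++ } END { print n + 0 }' "$1"
}

# Snapshot read-only views of /proc/PID into an output directory. Nothing here
# executes or modifies the suspect binary; copy the directory off-box afterwards.
collect_evidence() {
    pid=$1
    out=$2
    mkdir -p "$out"
    readlink "/proc/$pid/exe" > "$out/exe" 2>/dev/null || true    # may end in " (deleted)"
    readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || true
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline" 2>/dev/null || true
    ls -l "/proc/$pid/fd" > "$out/fd" 2>/dev/null || true          # open files, sockets, pipes
    cat "/proc/$pid/status" > "$out/status" 2>/dev/null || true    # PPid, Uid, Threads
    cat "/proc/$pid/maps" > "$out/maps" 2>/dev/null || true
    mapped_files "$out/maps" > "$out/mapped_files"
    deleted_mappings "$out/maps" > "$out/deleted_count"
    # Recover the in-memory copy of a self-deleted executable while /proc still offers it.
    cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || true
}

# Built-in demo on a constructed maps file (sample data, not from a real host).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/maps" <<'EOF'
00400000-00452000 r-xp 00000000 08:01 1234 /tmp/.cache/S01wipefs (deleted)
00651000-00652000 r--p 00051000 08:01 1234 /tmp/.cache/S01wipefs (deleted)
7f0000000000-7f0000021000 rw-p 00000000 00:00 0
7f0000200000-7f00003c5000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.27.so
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
EOF
    echo "mapped files:"
    mapped_files "$dir/maps"
    echo "deleted mappings: $(deleted_mappings "$dir/maps")"
    rm -r "$dir"
}

if [ "$#" -eq 1 ]; then
    freeze_pid "$1"
    collect_evidence "$1" "./evidence-$1"
    echo "evidence written to ./evidence-$1"
else
    demo
fi
```

Start with the maps file and the fd listing: a backing file under /tmp or a home directory, a "(deleted)" executable, or open sockets to unexpected hosts are what distinguish a renamed miner from a legitimate system daemon, and the evidence directory is what a later removal guide or incident write-up will ask for.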

If it's malware (and it certainly sounds like it) your best bet is to wipe and rebuild the machine. There's no telling what might be infected or whether you've backed up the infection itself without some serious forensics.

There's a canonical answer here: How do I deal with a compromised server? that goes into a lot more detail and has some excellent advice.

shearn89