./watchbog is using 198% of my CPU and 52% of memory. The user is solar. I tried stopping the solar service, but to no avail. watchbog is still running and using up just as much.
-
Did you try executing `echo '0' > /proc/sys/kernel/nmi_watchdog` as the root user? – Nazia Jahan Trisha Jan 16 '20 at 12:38
-
Thank you for your response. – Bineesh Bintaz Jan 17 '20 at 05:29
-
If your server has been hacked, you need to do more than stop the offending process. – Aaron Copley Jan 18 '20 at 00:24
3 Answers
'watchbog' is a crypto miner stager which sets up xmrig on the system.
There is a guide written on how to remove a common instance of it here. This does not mean the procedure to remove yours will be exactly the same, but the guide will definitely be of assistance.
It sounds like your system has been breached. Stopping this process is not going to keep it from coming back in the long run. I suggest employing a firewall, checking for unknown listener sockets, and checking for newly added authentication keys that do not belong.
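Two of the checks this answer recommends (unknown listener sockets, newly added SSH keys) written out as shell functions. This is an added example, not code from the answer or from any removal guide; the `ss -tulpn` column layout, the port allowlist, the search root and the sample data in the demo are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the answer above). Assumptions: `ss -tulpn` column
# layout, the allowlist of expected ports, the root directory searched for
# authorized_keys, and the constructed sample data in demo().

# flag_unexpected_listeners FILE "PORT PORT ..."
# FILE holds saved `ss -tulpn` (or `netstat -tulpn`) output. Prints every
# listening (tcp) or unconnected (udp) socket whose local port is not in the
# space-separated allowlist of services you know should be there.
flag_unexpected_listeners() {
    file=$1
    allowed=" $2 "
    while IFS= read -r line; do
        case $line in
            *LISTEN*|*UNCONN*) ;;      # data rows only; skips the header
            *) continue ;;
        esac
        # 5th column is Local Address:Port; the port is what follows the last ':'
        # (works for 0.0.0.0:22, [::]:22, *:22 and 127.0.0.53%lo:53 alike)
        local_addr=$(printf '%s\n' "$line" | awk '{ print $5 }')
        port=${local_addr##*:}
        case $allowed in
            *" $port "*) ;;             # expected service, stay quiet
            *) printf 'unexpected listener on port %s: %s\n' "$port" "$line" ;;
        esac
    done < "$file"
}

# recent_authorized_keys ROOT DAYS
# Lists authorized_keys files under ROOT changed within the last DAYS days.
# On a live host ROOT would be / (covers /root/.ssh and /home/*/.ssh); it is a
# parameter here so the demo can run against a scratch directory.
recent_authorized_keys() {
    find "$1" -type f -name 'authorized_keys*' -mtime -"$2" 2>/dev/null | sort
}

# demo: exercises both checks on constructed data (not a real capture).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ss.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*         users:(("a.out",pid=8128,fd=9))
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=530,fd=12))
EOF
    echo "== listeners not in the allowlist (22 80 53) =="
    flag_unexpected_listeners "$tmp/ss.txt" "22 80 53"

    mkdir -p "$tmp/root/.ssh" "$tmp/home/alice/.ssh"
    echo 'ssh-ed25519 AAAA... constructed' > "$tmp/root/.ssh/authorized_keys"
    echo 'ssh-ed25519 AAAA... constructed' > "$tmp/home/alice/.ssh/authorized_keys"
    touch -t 202001010000 "$tmp/home/alice/.ssh/authorized_keys"   # make this one old
    echo "== authorized_keys files modified in the last 7 days =="
    recent_authorized_keys "$tmp" 7
    rm -rf "$tmp"
}

demo
```

Run it as root on the suspect host with `ss -tulpn > /tmp/ss.txt` feeding `flag_unexpected_listeners` and `recent_authorized_keys / 7`; anything the first prints, and any key file the second lists that you did not add yourself, is the "does not belong" material the answer is talking about.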
Last time my VPS also had this problem. When it runs, look at top or ps and check which user is running it. After that you can see that user's cron, either using crontab -e, or in /etc/cron.X/user, or in /var/spool/cron, and clean it. If it is not cleaned, find again where the file belongs; as far as I know, the watchbog that I encountered was using curl to run its process. Last time I uninstalled curl first, cleaned the cron, then waited a while. Also don't forget to change the password of the user that was breached. When watchbog comes into your system, it means one of your user passwords was compromised, and if your server has a public SSH server, then try to block users that brute-force logins using fail2ban.
Here is what I did to remove the watchbog virus: I found the watchbog virus on one of my Linux machines, and here is what I did, step by step, to finally manage to kill the virus. The virus has a hidden process that creates a cronjob and uses up the CPU. This can be detected with the following command:

```sh
ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10
```

```
%CPU  PID  USER COMMAND
198.2 8128 root ./watchbog
31.5  8116 root ./watchbog
31.4  8140 root ./watchbog
```

So what to do? First, check the content of the crontab:

```sh
crontab -l
```

```
#
```

Thus, if there is any unverified cronjob, the virus is automatically creating the crontab. We can remove the crontab using the following command:

```sh
crontab -r
```

Then we can check whether it is already empty using the following command:

```sh
ls /var/spool/cron/crontabs
```

Then we remove the cron job and kill the process:

```sh
crontab -r
while true ; do killall watchbog ; done
```

Let us see again if it works:

```sh
crontab -l
ps -eo pcpu,pid,user,args | sort -k 1 -r | head -10
```

There is no more watchbog. Then do not forget to change the password:

```sh
sudo passwd root
```