I have recently been facing an issue on my Azure VM server, where my CPU usage has been going up to 98-99% continuously. When I used the top command I got the results below:
top - 08:55:27 up 23:14, 1 user, load average: 4.15, 4.09, 4.09
Tasks: 164 total, 1 running, 81 sleeping, 4 stopped, 0 zombie
%Cpu(s): 99.7 us, 0.3 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 16397628 total, 10897276 free, 3089136 used, 2411216 buff/cache
KiB Swap: 0 total, 0 free, 0 used. 12937048 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3638 www-data 20 0 2889004 2.293g 4212 S 393.0 14.7 332:12.23 [kthreaddi]
16191 root 20 0 318068 43112 19280 S 5.0 0.3 0:00.15 php
15462 azureus+ 20 0 44564 4212 3500 R 0.3 0.0 0:00.68 top
1 root 20 0 225552 9428 6740 S 0.0 0.1 0:18.06 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.02 kthreadd
3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp
6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H-kb
9 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq
10 root 20 0 0 0 0 S 0.0 0.0 0:03.04 ksoftirqd/0
11 root 20 0 0 0 0 I 0.0 0.0 0:15.99 rcu_sched
12 root rt 0 0 0 0 S 0.0 0.0 0:00.69 migration/0
13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0
14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/1
15 root rt 0 0 0 0 S 0.0 0.0 0:01.22 migration/1
16 root 20 0 0 0 0 S 0.0 0.0 0:01.21 ksoftirqd/1
18 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/1:0H-kb
19 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/2
20 root rt 0 0 0 0 S 0.0 0.0 0:01.47 migration/2
21 root 20 0 0 0 0 S 0.0 0.0 0:01.21 ksoftirqd/2
23 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/2:0H-kb
24 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/3
25 root rt 0 0 0 0 S 0.0 0.0 0:01.39 migration/3
26 root 20 0 0 0 0 S 0.0 0.0 0:01.15 ksoftirqd/3
28 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/3:0H-kb
29 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kdevtmpfs
Then I used the lsof command on the process with the highest pid (kthreaddi); below is the output:
sudo lsof -p 3638
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
[kthreadd 3638 www-data cwd DIR 8,1 4096 2 /
[kthreadd 3638 www-data rtd DIR 8,1 4096 2 /
[kthreadd 3638 www-data txt REG 8,1 4026976 2849348 /home/azureuse/.azure/logs/.2rpAIMRq/[kthreaddi] (deleted)
[kthreadd 3638 www-data mem REG 8,1 97072 2228 /lib/x86_64-linux-gnu/libresolv-2.27.so
[kthreadd 3638 www-data mem REG 8,1 26936 2221 /lib/x86_64-linux-gnu/libnss_dns-2.27.so
[kthreadd 3638 www-data mem REG 8,1 179152 2196 /lib/x86_64-linux-gnu/ld-2.27.so
[kthreadd 3638 www-data mem REG 8,1 2030928 2212 /lib/x86_64-linux-gnu/libc-2.27.so
[kthreadd 3638 www-data mem REG 8,1 47568 2222 /lib/x86_64-linux-gnu/libnss_files-2.27.so
[kthreadd 3638 www-data 0r CHR 1,3 0t0 6 /dev/null
[kthreadd 3638 www-data 1w CHR 1,3 0t0 6 /dev/null
[kthreadd 3638 www-data 2w CHR 1,3 0t0 6 /dev/null
[kthreadd 3638 www-data 3r CHR 1,9 0t0 11 /dev/urandom
[kthreadd 3638 www-data 4u a_inode 0,14 0 11294 [eventpoll]
[kthreadd 3638 www-data 5r FIFO 0,13 0t0 4667155 pipe
[kthreadd 3638 www-data 6w FIFO 0,13 0t0 4667155 pipe
[kthreadd 3638 www-data 7r FIFO 0,13 0t0 4666248 pipe
[kthreadd 3638 www-data 8w FIFO 0,13 0t0 4666248 pipe
[kthreadd 3638 www-data 9u a_inode 0,14 0 11294 [eventfd]
[kthreadd 3638 www-data 10u a_inode 0,14 0 11294 [eventfd]
[kthreadd 3638 www-data 11u a_inode 0,14 0 11294 [eventfd]
[kthreadd 3638 www-data 12r CHR 1,3 0t0 6 /dev/null
As you can see, the process /home/azureuse/.azure/logs/.2rpAIMRq/[kthreaddi] (deleted) seems to have already been deleted. Even after I kill the process, my CPU usage goes down to about 0.7% to 1.0%, then it comes back, taking a similar amount of resources and slowing down my server. I've read this is some kind of crypto-mining malware. Kindly help.
My Ubuntu version is Ubuntu 20.04.2 LTS.
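The lsof output above shows the two indicators worth automating a hunt for: the executable has been unlinked from disk ("(deleted)" after the path) and it was launched from a dot-directory under a user's home. Because the process comes back after a kill, the parent process and the persistence mechanism (cron, systemd unit, rc.local) matter more than the miner itself. The script below is an added triage helper written for this answer; it is not part of the original question and not a tool from Ubuntu or Azure. It assumes a Linux /proc layout; PROC_ROOT and FS_ROOT are hypothetical overrides that let it run against a copied or constructed tree, and the search string .2rpAIMRq is taken from the path in the question.

```shell
#!/bin/sh
# Added triage helper, not from the original post. Assumes a Linux /proc layout.
# PROC_ROOT and FS_ROOT default to the live system; point them at a copied or
# constructed tree to run offline (hypothetical knobs for this example only).
PROC_ROOT="${PROC_ROOT:-/proc}"
FS_ROOT="${FS_ROOT:-}"

# Print "<pid> <exe target>" for every process whose executable was unlinked
# after launch (readlink shows a "(deleted)" suffix) or lives under a
# dot-directory: the two indicators visible in the lsof output in the question.
find_suspicious_exes() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            *'(deleted)'*|*/.*/*) printf '%s %s\n' "${d##*/}" "$exe" ;;
        esac
    done
}

# Walk PPid links from /proc/<pid>/status up towards PID 1, printing
# "<pid> <name>" per hop. Whatever sits above the miner (cron, a PHP worker,
# a shell) is what keeps relaunching it; killing the leaf alone buys seconds.
parent_chain() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        st="$PROC_ROOT/$pid/status"
        [ -r "$st" ] || break
        name=$(awk '$1 == "Name:" { print $2; exit }' "$st")
        ppid=$(awk '$1 == "PPid:" { print $2; exit }' "$st")
        printf '%s %s\n' "$pid" "$name"
        pid=$ppid
    done
}

# Copy the still-mapped binary out of /proc before killing the process. The
# file is unlinked on disk, but the kernel keeps it readable through the exe
# link, so this is the only copy you will get for later analysis.
preserve_exe() {
    pid=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    cp "$PROC_ROOT/$pid/exe" "$outdir/pid-$pid.bin" || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$outdir/pid-$pid.bin" | cut -d' ' -f1
    else
        printf '%s\n' "$outdir/pid-$pid.bin"
    fi
}

# Grep the usual persistence locations for a fixed string (for example the
# hidden directory name). Prints "<file>:<line>:<text>" for each hit.
find_persistence() {
    needle=$1
    for p in "$FS_ROOT/var/spool/cron/crontabs" "$FS_ROOT/etc/crontab" \
             "$FS_ROOT/etc/cron.d" "$FS_ROOT/etc/cron.hourly" \
             "$FS_ROOT/etc/cron.daily" "$FS_ROOT/etc/rc.local" \
             "$FS_ROOT/etc/systemd/system" "$FS_ROOT/lib/systemd/system"; do
        [ -e "$p" ] || continue
        grep -rnF -- "$needle" "$p" 2>/dev/null
    done
    return 0
}

# Live usage (as root): sh triage.sh scan .2rpAIMRq
if [ "${1:-}" = "scan" ]; then
    find_suspicious_exes | while read -r pid exe; do
        echo "== PID $pid exe=$exe"
        parent_chain "$pid"
        preserve_exe "$pid" /root/triage
    done
    if [ -n "${2:-}" ]; then find_persistence "$2"; fi
fi
```

Run the scan before killing anything so the binary copy and the parent chain are captured; then remove the persistence entry found by find_persistence, kill the parent and the miner together, and rotate any credentials the www-data account (or the PHP application running as it) could reach, since the miner was started under that user.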