Score:0

Suspected exploit log_rotari2

cn flag

Recently the performance of my Ubuntu 18 server has heavily degraded. I found in the process list the following process, which consumes all the CPU of my server.

./log_rotari2 --coin monero -o suxsuxsux.com:3333 -u linux -p linux --nicehash --donate-level=1 --cpu-priority=5 --cpu-no-yield -k -B

Maybe somebody knows what it is and how to remove this process? Sorry, my knowledge of Ubuntu is very limited. Thank you.

Update: System is Ubuntu Linux 18.04.5, Linux 4.15.0-156-generic on x86_64

Following the valuable comments, I found this extra info about this process.

Current dir Directory   4096    2   /  
Root dir    Directory   4096    2   / 
Program code    Regular file    6289312 19267940    /tmp/xmrig-6.14.1/log_rotari2 (deleted) 
2u  Regular file    1807    19141142    /tmp/#19141142 (deleted)

It seems that the process was created and then its executable was deleted from the disk. I cannot even find the executable file.

guiverc avatar
cn flag
Ubuntu 18? No such release, so do you mean it's a Ubuntu Core 18 server product? Ubuntu products using the *year* format are different to the more common *year.month* format products.
cn flag
https://forums.docker.com/t/redis-alpine-malware/105143 https://blog.aquasec.com/container-attacks-on-redis-servers
cn flag
There is only one correct answer: reinstall from a clean installation medium. Removing the threat is not a solution. Your admin account should be considered exposed and there could be a script on your system buried in another script that is waiting for you to remove it :)
Alejandro avatar
jp flag
It looks like some kind of cryptocurrency mining bot, but is difficult to assess without more details. If you know the `pid` of the process (e.g. from the `top` command), you can find the path to the executable by running `sudo ls -l /proc/xxxxxx/exe` where `xxxxxx` is the `pid` of the process. You should then be able to remove the executable. (*Nonetheless* I agree with @Rinzwind and I would recommend a clean install.)
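Added example, not code from any of the commenters: a POSIX shell script that automates the `/proc` check Alejandro describes, listing every running process whose executable has been unlinked from disk (as the asker's `log_rotari2` was), and copying the still-mapped binary out of `/proc/PID/exe` so it can be hashed and analysed before the process is killed. Function names are the example's own.

```shell
#!/bin/sh
# Scan /proc for running processes whose on-disk executable has been unlinked.
# A miner dropped in /tmp and then deleted still shows up here, because the
# kernel keeps /proc/PID/exe pointing at the unlinked inode ("... (deleted)").

# Print "PID<TAB>exe-target<TAB>cmdline" for each process whose exe link
# ends in " (deleted)". Processes we may not inspect are skipped silently.
find_deleted_exes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel thread or EPERM
        case "$exe" in
            *" (deleted)")
                cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
                printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
                ;;
        esac
    done
}

# Preserve a copy of the unlinked binary for analysis before killing the process.
# Usage: preserve_exe PID DEST ; prints the SHA-256 of the saved copy.
preserve_exe() {
    cp "/proc/$1/exe" "$2" && sha256sum "$2" | cut -d' ' -f1
}

# When run as a script: list the findings (needs root to see other users' processes).
find_deleted_exes
```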
cn flag
@Alejandro it looks like a miner indeed, but the 2 links use the same `log_rotari2` for executing a DDoS :) And that leads me to believe it is more than a miner.