Score:-1

How to kill a process that autostarts


Recently I started managing a server (hosted by a cloud provider) for my work. Problem is that the server is injected. Within the next few months the server will be replaced by a new one in order to solve any threats.

THE QUESTION: On the Ubuntu server there is a process that keeps coming back regularly and whose origin I cannot fully trace. The process uses ca. 80% of all available CPU and comes back after being killed. Is there a way to automatically kill that process when it comes up (it always has the same name)? Or is there a way to block that process from starting up (the process is not listed in the startup scripts)?

Maybe this question is really dumb or incomplete. Skill set with this is not the greatest. So any advice/tips are welcome.

The process is called kthzabor and the Ubuntu version is 18.04.

24601:
Might help to know what the process is and the version of Ubuntu as a start. [edit] your question accordingly.
rikkamp:
Will update the question! Thanks for the feedback.
rikkamp:
Thanks for the tips guys! Just checked crontab on all users but no crons could be found. Also tried a locate kthzabor but it just returned a new terminal line (no results). Will install sysdig! That is a nice tip. Will update you with those results.
rikkamp:
Here is the update! I found the location of the file :D. It was placed in /dev/shm. I deleted the file but, as expected, the issue lies way deeper :0. I have now made a script with incron that removes the file every time it shows up. It probably is not the cleanest solution, but we will be migrating away from this server. @Rinzwind can you post your answer to this question, because that is how I found the issue!
cn flag
I added some extras :)
Score:0
  • kthzabor is a crypto miner.

Use the following commands to see if you can find the offending file:

sudo crontab -l
crontab -l
more /etc/crontab
grep -r kthzabor /etc/systemd/system/
sudo updatedb && locate kthzabor

and see if that shows anything.

If those do not you can also do a

sudo find / -name '*kthzabor*' -print

but this will take a while :)

Another one that will help:

pstree -aH {pid of the process to find}

This will list all processes with commands

This time it was located in /dev/shm so to anyone reading this check that one 1st.

Just deleting the offending script is the 1st step: the script will be recreated when removed. Do a sudo chmod 000 kthzabor and it will be unreadable, and undeletable. That might stop it. Might be better than removing it.

sysdig is a tool to trace a process back to what started it. There will be a process active that you need to delete/inactivate. Just removing the offending script is the 1st step.
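
An added example, not part of the original answer: a shell helper that bundles the checks above (cron and systemd references, executables in /dev/shm and other scratch directories, and the parent chain of the process). The function names and the ROOT and PROC variables are assumptions introduced here; the cron and systemd paths are the standard Ubuntu locations.

```bash
#!/bin/sh
# Added example, not from the original answer: triage helpers for a process
# that respawns after being killed. ROOT and PROC are assumptions introduced
# here so the functions can be pointed at a copy or test tree.
ROOT=${ROOT:-}
PROC=${PROC:-/proc}

# Parent chain of PID $1, one "pid<TAB>exe<TAB>cmdline" line per ancestor.
ancestry() (
  pid=$1
  while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "$PROC/$pid/status" ]; do
    exe=$(readlink "$PROC/$pid/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' 2>/dev/null < "$PROC/$pid/cmdline" || true)
    printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
    pid=$(awk '/^PPid:/ {print $2}' "$PROC/$pid/status")
  done
)

# Executable regular files in scratch locations (the miner here sat in /dev/shm).
scratch_executables() (
  find "$ROOT/dev/shm" "$ROOT/tmp" "$ROOT/var/tmp" -type f -perm -100 2>/dev/null || true
)

# Files in cron and systemd locations that mention pattern $1 (a name or a path).
persistence_refs() (
  grep -rIl -- "$1" "$ROOT/etc/crontab" "$ROOT/etc/cron.d" \
    "$ROOT/var/spool/cron/crontabs" "$ROOT/etc/systemd/system" 2>/dev/null || true
)

# PIDs whose binary runs from a scratch directory or was deleted from disk.
scratch_pids() (
  for d in "$PROC"/[0-9]*; do
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    case $exe in
      /dev/shm/*|/tmp/*|/var/tmp/*|*' (deleted)')
        printf '%s\t%s\n' "${d##*/}" "$exe" ;;
    esac
  done
)

# Live use, as root, with the process name as the argument: sh triage.sh kthzabor
if [ $# -gt 0 ]; then
  scratch_executables
  persistence_refs "$1"
  scratch_pids
  for p in $(pgrep -x "$1"); do ancestry "$p"; done
fi
```

The first line of each ancestry listing is the process itself; the lines after it are the parents to inspect for whatever keeps recreating the file.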
