Issue
I'm running a Jira and a Confluence instance (and an nginx reverse proxy) on a VPS. Currently, I can't start Confluence for some reason and I think this is a consequence of something else.
I've checked the process list:
The confluence user is running the /boot/vmlinuz process and it eats the CPU. If I kill -9 this process, it starts again a few seconds later.
After rebooting the VPS:
- Confluence and Jira started automatically.
- Confluence is running a few seconds correctly then something kills the process. The Jira process is still running.
- The /boot/vmlinuz process starts.
I've removed the Confluence from the automatic start, but it doesn't matter.
So my questions:
- What is this /boot/vmlinuz process? I never saw this. (Yes I know, the vmlinuz is the kernel)
- Why is it starting over and over again and running at 100% CPU?
- What should I do to get back the normal behavior and may I start the Confluence?
Thanks for any answer
UPDATE
It was caused by a hack. If you find a /tmp/seasame file, your server is infected. It uses the cron to download this file. I've removed the files in the /tmp folder, killed all the processes, disabled the cron for the confluence user, and updated the Confluence.
Solution
Your server looks like it has been hacked.
Please take a close look at the process list, e.g. run ps auxc and take a look at the process binary sources.
You can use tools like rkhunter to scan your server, but in general you should at the beginning kill everything that has been launched as the confluence user, scan your server/account, upgrade your Confluence (in most cases the user determines the source of the attack), and look in your Confluence for additional accounts etc.
If you would like to see what is in that process, take a look at /proc, e.g. ls -la /proc/996. You will see the source binary there too. You can also launch strace -ff -p 996 to see what the process is doing, or cat /proc/996/exe | strings to see what strings that binary has. This is probably some kind of botnet part, miner etc.
Answered By - Mariusz Dalewski Answer Checked By - Marie Seifert (WPSolving Admin)
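The /proc inspection described in the answer, done for every process in one pass. This is an added example, not part of the original answer: the proc_root argument, the reason labels and the sample tree (PID 812, a java process, and the exe target chosen for PID 996) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): compare the name a process
# claims (argv[0], what ps shows) with the binary behind /proc/PID/exe.

# audit_proc [proc_root]: prints "PID<TAB>reasons<TAB>argv0<TAB>exe" per hit.
# The proc_root argument is an assumption of this example so the check can be
# pointed at a constructed tree; on a live host use the default and run as root.
audit_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # cmdline is NUL-separated; kernel threads have an empty one
        argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        real=${exe%' (deleted)'}
        reason=
        # Binary was unlinked after the process started
        [ "$real" = "$exe" ] || reason=exe-deleted
        case $real in
            /tmp/*|/var/tmp/*|/dev/shm/*) reason=${reason:+$reason,}exe-in-tmp ;;
        esac
        # An absolute argv[0] that is not the mapped binary. Symlinked
        # interpreters also differ here, so treat this as a lead, not a verdict.
        case $argv0 in
            /*) [ "$argv0" = "$real" ] ||
                reason=${reason:+$reason,}argv0-mismatch ;;
        esac
        [ -z "$reason" ] || printf '%s\t%s\t%s\t%s\n' "$pid" "$reason" "$argv0" "$exe"
    done
    return 0
}

# Constructed sample tree (not real data): one ordinary process and one that
# shows up as /boot/vmlinuz while running a deleted file from /tmp.
make_sample_proc() {
    t=$(mktemp -d) || return 1
    mkdir "$t/812" "$t/996"
    printf '/usr/bin/java\0-jar\0app.jar\0' > "$t/812/cmdline"
    ln -s /usr/bin/java "$t/812/exe"
    printf '/boot/vmlinuz\0' > "$t/996/cmdline"
    ln -s '/tmp/seasame (deleted)' "$t/996/exe"
    echo "$t"
}

sample=$(make_sample_proc) && audit_proc "$sample" && rm -rf "$sample"
```

On a live host, call audit_proc with no argument as root; unprivileged users cannot read /proc/PID/exe for other users' processes, so those entries are skipped silently.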