3

I have an Ubuntu system running an apache server. I have found a process cache.sh which I think might be a crypto-mining process and which is running all the time on my server consuming up to 98% CPU. This is causing other stuff to stop working like MySQL and apache.

I used the top command to find out that cache.sh is consuming all the CPU.

I have tried killing the process but it starts running again after some time.

I then learned that I could pause the process instead of killing it and that works quite well but I still want to find out what it is and get rid of it permanently. After restarting the whole server this process starts automatically.

The process cache.sh is running under www-data user, which is also responsible for handling the apache process which runs under the same user.

What could I do to find the origin of this process and to resolve this issue?

Zanna
  • 70,465
Deepak
  • 131

1 Answer

5

Look at the /proc directory for the cache.sh process. Each process has a /proc/<pid>/ directory where it keeps information like:

  • cwd – link to the current working directory
  • fd – a directory with links to the open files (file descriptors)
  • cmdline – read it to see what command line was used to start the process
  • environ – the environment variables for that process
  • root – a link to what the process considers its root directory. It will be / unless chrooted.

Running ps auxf will show you who forked what, so you may get a better idea what is calling your process.

Running lsof -p PID shows the files that are opened by the running process.

Source: Linux: How to know where a process was started and how it was started?

karel
  • 114,770
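The checks in the answer above, gathered into a script, as an added example that is not part of the original answer: it prints the /proc entries listed there (exe, cwd, root, cmdline, environ, open fds) for every PID whose command line matches a name, then walks the PPid chain from /proc/<pid>/status, which is the same parent tree `ps auxf` draws, so you can see whether apache2, cron or a daemonized orphan (parent PID 1) launched it. It also greps the owner's crontab and the system cron directories, since a job that survives a reboot is usually re-launched from one of those. The function names (`proc_origin`, `proc_ancestry`, `persistence_hints`) are made up for this example; it assumes Linux procfs, `pgrep` from procps and `getent`, and reading exe, cwd, root, environ or fd of another user's process, or another user's crontab, requires root.

```shell
#!/bin/sh
# Added example (not the answer's own code). Assumes Linux procfs and procps.
# Run as root to inspect processes owned by www-data.

# Print the PPid of a process, or 0 if /proc/<pid>/status cannot be read.
proc_parent() {
    awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null || echo 0
}

# Print "pid comm" for the process and each ancestor up to PID 1.
# A parent of apache2 points at a web shell; cron points at a crontab;
# an ancestor chain ending directly at 1 means the process was daemonized.
proc_ancestry() {
    local pid=$1 comm
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s\n' "$pid" "$comm"
        if [ "$pid" -eq 1 ]; then break; fi
        pid=$(proc_parent "$pid")
    done
}

# Dump the /proc entries the answer lists, plus owner and parent chain.
# Returns 1 when the PID does not exist.
proc_origin() {
    local pid=$1 uid fd
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null || echo '?')
    echo "== pid $pid =="
    echo "owner:   $(getent passwd "$uid" 2>/dev/null | cut -d: -f1) (uid $uid)"
    echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)')"
    echo "root:    $(readlink "/proc/$pid/root" 2>/dev/null || echo '(unreadable)')"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "environ:"
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null | sed 's/^/    /'
    echo "open fds:"
    for fd in /proc/$pid/fd/*; do
        [ -L "$fd" ] || continue            # glob left unexpanded when unreadable
        printf '    %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
    echo "ancestry (pid comm, child first):"
    proc_ancestry "$pid" | sed 's/^/    /'
}

# Usual re-launch points for a job owned by $2 named $1: the user's crontab,
# the system cron files, and any copy of the script on local filesystems.
persistence_hints() {
    local name=$1 user=$2
    echo "== crontab of $user mentioning $name =="
    crontab -u "$user" -l 2>/dev/null | grep -n -- "$name"
    echo "== system cron entries mentioning $name =="
    grep -rn -- "$name" /etc/crontab /etc/cron.* /var/spool/cron 2>/dev/null
    echo "== copies of $name on local filesystems =="
    find / -xdev -name "$name" 2>/dev/null
    return 0
}

# Usage: sudo ./proc_origin.sh cache.sh [www-data]
if [ -n "${1:-}" ]; then
    for p in $(pgrep -f -- "$1"); do
        proc_origin "$p"
    done
    persistence_hints "$1" "${2:-www-data}"
fi
```

Do not kill the process before collecting this output: `cwd`, `exe` and the open fds disappear with it, and `exe` in particular still names the binary even if the file on disk was deleted (the link then ends in "(deleted)"). If the ancestry ends at an apache2 worker, the next place to look is the Apache access log for the request that launched it and any recently modified file under the web root.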