Nowadays, my laptop frequently uses high %CPU (300%). I noticed that .dhpcd is involved in high %CPU. I could kill the process without any issue. However, it turns on automatically in about every 30 minutes. Strangely, the user is test in top:

[screenshot of top]

I am wondering what it is and I would like to know how to fix or disable it completely (if it is okay). I am using Ubuntu 16.04.5.

sudo crontab -l showed no crontab for root.

From sudo find / -iname "*dhpc*" , I found this: /home/test/.dhpcd

This is the result of ls -al:

[screenshot of ls -al output]

Quite a while ago, I created a git page just for practice. Something fishy is going on here...

donghoon

  • Did you install a dhcp server? – George Udosen Dec 12 '18 at 21:48
  • Hi donghoon. What is the output of: sudo su test and then which .dhpcd? – Boba Fit Dec 12 '18 at 21:58
  • Some sites seem to list that as a bad guy process. – Doug Smythies Dec 12 '18 at 21:59
  • Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPv4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard. – user535733 Dec 12 '18 at 23:11
  • @George Udosen, I don't recall if I installed a dhcp server. In fact, I don't know what it is. Would you tell me how to check if I have installed a dhcp server? @Boba Fit, which .dhpcd did not return anything (even if .dhpcd is running). @Doug Smythies, would you tell me the sources? And any suggestion? @user535733, if it is malware, how could I get rid of it? – donghoon Dec 13 '18 at 18:22
  • Run ls -l /etc/dhcp/dhcpd.conf and let's see! – George Udosen Dec 13 '18 at 18:25
  • @George Udosen, I didn't find dhcpd.conf, but have several files in /etc/dhcp. If I run ls -l /etc/dhcp, I see debug, dhclient.conf, ./dhclient-enter-hooks.d, ./dhclient-exit-hooks.d – donghoon Dec 13 '18 at 20:45
  • Ok, those are your preinstalled dhcp client files for querying a dhcp server! – George Udosen Dec 14 '18 at 09:34
  • I searched on google with linux ".dhpcd". I think it is malware and it is very new. – Doug Smythies Dec 14 '18 at 15:31
  • @Doug Smythies, Thanks! This is good to know. I did not expect I would have malware with my linux machine; but I learned that it can happen to anyone! – donghoon Dec 14 '18 at 17:11

4 Answers

Thank you all for your help, especially, George Udosen and Doug Smythies.

Some of the things that I did were:

  • top : To figure out which command was taking all my CPU; I found .dhpcd was using all my CPU. Note that it is different from dhcpcd.

  • Googling with linux ".dhpcd": To learn what it is...

  • sudo find / -iname "*dhpc*" : To figure out which directory contained .dhpcd.

  • sudo userdel -r test : To get rid of a user test. This was because .dhpcd was executed by a suspicious user called test.

  • sudo deluser --system --remove-all-files test : To remove all files created by a user test.

  • Finally I rebooted my laptop, and the issue has gone.

Note that I don't remember if I had created the user test. Since I don't use the account, I deleted everything related to it. I don't know if the issue would have been resolved by deleting only .dhpcd.

– donghoon

I setup a server a week ago with a very weak password/username (admin:admin) and installed some intrusion detection system I wrote just to see what would happen.

It took just a few hours until the system got hacked and .dhpcd was installed by a malicious intruder. The tool that hides behind .dhpcd is actually xmrig, an open-source mining program.

So, I strongly suggest that everyone who gets here asking what this program is reformat your system and set up better and more secure passwords.

In case you wanna know, this is the tool I wrote and used to detect the intrusion the second it happened: https://github.com/snitch-ids/snitch

It basically sends you a message via Telegram (or email) as soon as someone logs into your computer. It further detects changes made to your file system.

– grmmgrmm

I am going to suggest several things:

  1. Unplug your system from the internet and see if that process is still seen in the top window. If gone, then perhaps someone, or a process installed by someone, is using your CPU, perhaps for data mining. Either way, try the steps below.

  2. Search for it in:

     • cronjobs: sudo crontab -l, look for strange cronjobs
     • systemd services: sudo find / -iname "*dhpc*"

  3. Use top and ps:

     • top:
       1. Start top
       2. Press f and use the arrow keys to move and select all the fields that have to do with user and/or userid or id in general. See the screenshot below.

          [screenshot: top field selection]

       3. Use the spacebar to select the fields and then press q to quit.

          [screenshot: top with the selected fields]

Now see what PPID, SUSER, RUSER and SUID say about that process, to trace the culprit.

– George Udosen

These are bloody crypto miners pool.supportxmr.com:80 stealing computing power, which in turn increases cloud budget and importantly uses all CPU, RAM, Swap, virtually leaving no room for your apps to run. The irony is that it looks like an authentic system process so no one gets suspicious of that.

If you kill the process it'll restart automatically. Locate and delete the source, cron and all related files. To prevent it, don't rely on the default host password, and make sure you download open-source software from the right repo and not from random places.

Also follow these steps:

  1. Remove the file:

     rm -rf /home/{/path}/.dhpcd

  2. List the cron:

     crontab -l [options]

  3. Remove cron:

     crontab -r [options]

– lambodar
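As an added example (not code from any of the answers above), a small POSIX shell triage helper that ties together the process checks from George Udosen's answer and the cron cleanup from this one: it flags ps entries whose binary has a dot-prefixed basename or runs from a home or temp directory, then lists every user's crontab and any cron or systemd file that mentions the name, because the root crontab can be clean (as the question found) while the dropped user's own crontab restarts the process. The sample ps lines are constructed; the assumed `live` argument runs it against the real system.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Flags suspicious entries in
# ps output and lists possible persistence for a name such as .dhpcd.

# One ps line: "USER PID PPID %CPU COMMAND [ARGS...]". Print a finding when
# the executable's basename is a dot-file or it runs from a directory no
# real daemon should live in; print nothing otherwise.
flag_ps_line() {
    set -- $1
    user=$1 pid=$2 ppid=$3 cpu=$4 cmd=$5
    base=${cmd##*/}
    reason=""
    case "$base" in .*) reason="hidden-basename" ;; esac
    case "$cmd" in
        /home/*|/tmp/*|/dev/shm/*|/var/tmp/*)
            reason="${reason:+$reason,}untrusted-path" ;;
    esac
    [ -n "$reason" ] && printf '%s pid=%s ppid=%s user=%s cpu=%s reason=%s\n' \
        "$cmd" "$pid" "$ppid" "$user" "$cpu" "$reason"
    return 0
}

# Run the classifier over a whole block of ps output (one line per process).
flag_ps_output() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] && flag_ps_line "$line"
    done
}

# Live triage: real processes, every user's crontab (root is needed to read
# other users' crontabs), and cron/systemd files that mention the name.
triage_live() {
    name=${1:-dhpcd}
    flag_ps_output "$(ps -eo user,pid,ppid,pcpu,args --no-headers)"
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -u "$u" -l 2>/dev/null | sed "s/^/crontab[$u]: /"
    done
    grep -rl -- "$name" /etc/cron* /etc/systemd/system /var/spool/cron 2>/dev/null |
        sed 's/^/persistence-ref: /'
}

# Constructed sample of ps output (not real data) for a dry run.
SAMPLE_PS='root 1 0 0.0 /sbin/init
test 4242 1 298.5 /home/test/.dhpcd
user 1337 1 0.2 /sbin/dhcpcd -q'

case "${1:-demo}" in
    live) triage_live "${2:-dhpcd}" ;;   # sudo sh triage.sh live
    *)    flag_ps_output "$SAMPLE_PS" ;; # dry run on the constructed sample
esac
```

The dry run reports only the constructed /home/test/.dhpcd entry; the legitimate /sbin/dhcpcd client is not flagged, which is the distinction the accepted answer draws.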