Reputation: 50
I am having a problem with a strange process being run by the user Postgres:
I tried killing it in htop (SIGTERM), but it restarted immediately. It only stopped when I removed the executable file /tmp/suhahoi.
But the next day, the strange file was automatically created and ran again. Below is the chart from Google Cloud showing the high CPU usage:
Does anyone know what it is and how I can prevent this from happening? Thank you!
Upvotes: 2
Views: 3552
Reputation: 111
I had a similar experience. Somebody has gotten into your server via the Postgres DB.
If you go into your /var/lib/postgresql/ and check the content of the folder with ls -lah, you might see strange and suspicious hidden folders containing some bash scripts. The content of the bash scripts might be base64 encoded.
In my case, I found out that somebody had been mining Monero via my virtual servers.
How I have fixed it:
Upvotes: 0
Reputation: 3773
Your server seems to be hacked. It appears to be downloading and running an executable file called suhahoi.
The htop command shows the arguments given to this executable file. The arguments seem to be base64 encoded. You can try to base64 decode the argument.
I suggest you install an antivirus script such as ClamAV and also an anti-malware script such as rkhunter. If that does not fix your problem, then you should reinstall your server.
Upvotes: 4
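The checks suggested in the two answers above (hidden folders under /var/lib/postgresql, base64-encoded process arguments) together with a check for postgres-owned binaries running from temp directories, as an added triage sketch that is not part of the original posts. The function names, the sample process list and the sample base64 argument are constructed for illustration; only /tmp/suhahoi and /var/lib/postgresql come from the thread.

```shell
#!/bin/sh
# Added triage helpers; SAMPLE_* values are constructed, not from the posts.

# Print the decoded text of each base64-looking token in command line "$1".
decode_b64_args() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | while read -r tok; do
        case "$tok" in *[!A-Za-z0-9+/=]*) continue ;; esac
        [ "${#tok}" -ge 16 ] || continue          # too short to be a payload
        dec=$(printf '%s' "$tok" | base64 -d 2>/dev/null) || continue
        # Keep only results that are entirely printable text.
        if [ -n "$dec" ] && ! printf '%s' "$dec" |
                LC_ALL=C grep -q '[^[:print:][:space:]]'; then
            printf '%s\n' "$dec"
        fi
    done
}

# Read "user pid exe" lines on stdin; print those owned by user "$1" whose
# binary sits in a world-writable directory or was deleted after launch.
flag_tmp_exes() {
    awk -v u="$1" '$1 == u &&
        ($3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// || /\(deleted\)$/)'
}

# List hidden directories up to two levels below "$1".
list_hidden_dirs() {
    find "$1" -mindepth 1 -maxdepth 2 -type d -name '.*' 2>/dev/null | sort
}

# Live data on Linux (run as root to read other users' /proc entries).
list_proc_exes() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        printf '%s %s %s\n' "$(stat -c %U "$d" 2>/dev/null)" "${d#/proc/}" "$exe"
    done
}

SAMPLE_PS='postgres 812 /usr/lib/postgresql/14/bin/postgres
postgres 4411 /tmp/suhahoi
root 1 /usr/lib/systemd/systemd
postgres 4420 /var/lib/postgresql/.x/run (deleted)'
SAMPLE_CMD='/tmp/suhahoi -c Y29uc3RydWN0ZWQtc2FtcGxl'
if [ "${1:-}" = "--live" ]; then
    list_proc_exes | flag_tmp_exes postgres
    list_hidden_dirs /var/lib/postgresql
else
    printf '%s\n' "$SAMPLE_PS" | flag_tmp_exes postgres
    decode_b64_args "$SAMPLE_CMD"
fi
```

Run without arguments it works on the constructed sample; with `--live` it reads /proc and /var/lib/postgresql on the host being examined.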