Hello everyone! I really am stuck and would love some help from you guys!
I have an Ubuntu Server running the latest release, and recently when I look at top or htop I will see hundreds of processes named "tsm", running in the directory
(which doesn't exist). Each is using only ~1% of CPU, but added all up it's a lot, especially when the first one at the top of the list is taking 90%+ CPU. On top of all that, there is a command that says
/bin/bash 50 .go
running as a process taking 90%+ CPU. AND ON TOP OF THAT, there is rsync running at 100% CPU CONSTANTLY.
If I kill the /bin/bash 50 .go process, everything else completely disappears and the server is back to normal... for like an hour, then everything comes right back... all of it.
Now, using a combination of htop and webmin I was able to find that the process is originating from the following directory:
This entire directory holds really weird files that just scream virus... Like for instance, this is the file "go" in the directory /tmp/.ssh/.rsync/c:
Here is the entire directory of /tmp/.ssh/.rsync to download, just be careful because I don't know what is in there that is causing the damage to my server, don't execute anything. There are also IPs in the files that go to Chinese websites when I go to them.
It should be pretty simple to just delete it, right? Nope. If I delete it, it just reappears, within like an hour, and goes back on its rampage. I recently had the great idea to chmod 0000 all the files. I've done that and all the "tsm" processes went away, but now 2 more files in /tmp appeared: tdd2.sh & tdd2.sh.1 and the process rsync is on top at 100% maxing my server's CPU out. I'm going to try to chmod those 2 files right now, but maybe more files will appear again? I was just going to remove rsync, but ubuntu-standard requires it and I've looked around and it seems there is no way to disable it.
Has anybody ever encountered this before?
Any help anybody can give would be much appreciated as I've looked all over and can't figure out one bit how to get rid of this thing.
Also, please ask me any questions if you need any more information.
EDIT: I forgot to add the link to the directory, I don't know if anything else can be found from all the files that are there... It's above as well as here: link
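An added triage example, not part of the original post: the symptoms above (processes whose working directory "doesn't exist" and files staged under /tmp) can be listed directly from /proc. The function names are made up for this sketch, and checking /var/tmp and /dev/shm in addition to /tmp goes slightly beyond what the post mentions.

```shell
#!/bin/sh
# Added example (not from the original post): list processes whose working
# directory or executable was deleted or lives in a world-writable temp area.

# Classify the resolved target of /proc/<pid>/cwd or /proc/<pid>/exe.
classify_target() {
    case "$1" in
        # The kernel appends " (deleted)" when the path has been unlinked,
        # which is why a tool can show a directory that no longer exists.
        *" (deleted)") echo deleted ;;
        # Assumption: these temp areas are the ones treated as suspicious.
        /tmp/*|/var/tmp/*|/dev/shm/*) echo tmp ;;
        *) echo ok ;;
    esac
}

# Walk a proc-style tree (default /proc) and print one line per finding:
# PID, link name, verdict, target (tab separated).
scan_proc() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        for link in cwd exe; do
            # Unreadable or missing links (other users' processes, kernel
            # threads) are skipped rather than treated as errors.
            target=$(readlink "$dir/$link" 2>/dev/null) || continue
            verdict=$(classify_target "$target")
            [ "$verdict" = ok ] || \
                printf '%s\t%s\t%s\t%s\n' "$pid" "$link" "$verdict" "$target"
        done
    done
}

# Run against the live system; as root so every process is readable.
scan_proc "${1:-/proc}"
```

Each reported PID can then be compared against what top or htop shows before anything is killed or deleted, so the parent process that keeps respawning the others is identified first.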