LinuxQuestions.org
Old 11-17-2018, 02:16 AM   #16
johnvi
LQ Newbie
 
Registered: Nov 2018
Posts: 4

Rep: Reputation: Disabled

Quote:
Originally Posted by Fred Caro View Post
I am currently running Mint 18.3 initially installed with KDE, now usually run Xfce and have done so for a while without problems until a recent update. Now the cpu is racing away at an average of about 25%, this is shared over 6 processors. It has nothing running apart from the Xfce gui. Usually this would only average about 0.1 to 2% but it runs at 25% unless I run top which (without me doing anything else) seems to quell the enthusiasm of the offending processes and usage returns to normal, providing I don't shutdown top.

The offending processes have been:
systemd
gvfsd
systemctl

but not all at once, i.e., only one at a time (as reported by top).

Also it will behave itself if I don't login from the splash page but give Ctrl+Alt+F1 login from a terminal and give startx to start Xfce.
This behavior also happens with KDE.

Does anyone know why this is happening?
I was having exactly the same problem on Ubuntu 16.04. I am also suspecting some kind of coin-mining virus; I could not find out what it was, but I solved it by replacing the user account (on another PC with the same problem, I just deleted some settings folders for the affected user and rebooted).

I posted a question here on "askubuntu" and I got no answer except mine. My old settings files are available to anyone who is capable of locating a virus.

I also think that this thread should be moved from Linux Mint to something more general since it is affecting other distros too.
 
Old 11-17-2018, 10:59 AM   #17
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by johnvi View Post
I am also suspecting some kind of coin mining virus
sorry, but considering it is these three processes:

Quote:
The offending processes have been:
systemd
gvfsd
systemctl
... i really don't see how these could be leveraged for bitcoin mining.
afaik, bitcoining exploits run through your browser & javascript.
otoh, it is of course possible that an ingenious hacker called his bitcoin mining exploit script "systemctl".

as has been said before, without any actual research, troubleshooting, evidence - i would rather not make such unfounded claims.
 
Old 11-17-2018, 06:11 PM   #18
johnvi
LQ Newbie
 
Registered: Nov 2018
Posts: 4

Rep: Reputation: Disabled
A process that holds my CPU at 50+ % for hours and disappears seconds after I run "top", and stays disappeared until I stop "top"...
A process with a different name every time but exactly the same behavior...
A process normally owned by root and not the user...

is very, very likely to be some malware.
The only reason I suspect coin mining is the high CPU usage.
I would like to do some research but I don't know how to start.
Any help would be appreciated!
 
1 members found this post helpful.
Old 11-18-2018, 02:48 AM   #19
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by johnvi View Post
A process with a different name every time but exactly the same behavior...
A process normally owned by root and not the user....
see, now you start providing that information.
keep going!

one first thing i would try would be to see if this is gui dependent, if it only happens when certain applications are opened, or connected to the internet... it's called troubleshooting.

Last edited by ondoho; 11-18-2018 at 02:49 AM.
 
Old 01-28-2019, 06:55 PM   #20
NeuroDesigns
LQ Newbie
 
Registered: Jan 2019
Posts: 4

Rep: Reputation: Disabled
Hi everybody!,

I was also experiencing the same issues running the latest Xubuntu LTS, fully updated.
I also noted problems with my internet connection (DNS failures, slow response).
The offending task could have several names. There was (of course) a main task monitoring the system and relaunching the CPU-hungry one.
Running "top", even if renamed, made the child task kill itself. The only way to see the task running was through the task manager.
If you deleted the offending files they would reappear.

So... Grabbed my Holmes hat, my House cane, and this is what I have found.


This autostart file seems to have the code that makes the virus run at startup:
~/.config/autostart/dbus-daemon.desktop

The exec code line:
Code:
Exec=/home/(your username)/.local/share/accounts/services/dbus-daemon

These files seem to have the code that makes the virus gain privileges:
~/.profile
~/.bashrc
~/.bash_profile

The code:
Code:
linux_bash="$HOME/(the path seems to be different, according to dissemination)"
if [ -e "$linux_bash" ]; then
    setsid "$linux_bash" 2>&1 & disown
fi

Since these files had a timestamp of 20:33, I searched for all files modified right after (there were a few more, but I had already deleted them for test purposes):
dom 20 jan 2019 20:33:19 WET ./.bash_profile
dom 20 jan 2019 20:33:19 WET ./.bashrc
dom 20 jan 2019 20:33:19 WET ./.config/autostart/dbus-daemon.desktop
dom 20 jan 2019 20:33:19 WET ./.profile
dom 20 jan 2019 20:33:19 WET ./.local/share/accounts/services/.dbus-daemon.bin
dom 20 jan 2019 20:33:19 WET ./.local/share/icc/.icc-daemon.bin
dom 20 jan 2019 20:33:19 WET ./.local/share/icc/.icc-daemon.log
dom 20 jan 2019 20:33:24 WET ./.kodi/addons/script.module.python.requests/lib/requests/packages/urllib3/connectionpool.py
dom 20 jan 2019 20:34:06 WET ./.local/share/accounts/services/.dbus-daemon.sys
dom 20 jan 2019 20:34:08 WET ./.local/share/icc/icc-daemon
dom 20 jan 2019 20:34:08 WET ./.local/share/icc/.icc-daemon.sys
dom 20 jan 2019 20:34:44 WET ./.local/share/accounts/services/dbus-daemon


The dissemination seems to create 3 files:
One timestamp
One base64 lookalike
The offending script


What I've done:
1- Delete autostart file
2- Delete offending code from ~/.profile, ~/.bashrc, ~/.bash_profile
3- Empty ~/.cache folder
4- Empty /tmp folder
5- Restart


I don't know what this virus does. I did save the HEX file if someone wants to inspect any further.
As I don't know how my machine got infected (that Kodi urllib3 file looks suspicious!), I can't guarantee this is a final solution, though all seems OK now...
I will keep my system in check the next few days to see if this was all there was.

I hope this helps someone.
Forgive my poor English...
 
1 members found this post helpful.
Old 01-29-2019, 06:47 AM   #21
NeuroDesigns
LQ Newbie
 
Registered: Jan 2019
Posts: 4

Rep: Reputation: Disabled
Hi everybody!,

I was also experiencing the same issues running the latest Xubuntu LTS, fully updated.
I also noted problems with my internet connection (DNS failures, slow response).
The offending task could have several names (systemctl, sleep, ibus-x11, ...). There was (of course) a main task monitoring the system and relaunching the CPU-hungry one.
Running "top", even if renamed, made the child task kill itself. The only way to see the task running was through the task manager.
If you deleted the offending files they would reappear.

So... Grabbed my Holmes hat, my House cane, and this is what I have found.


This autostart file seems to have the code that makes the virus run at startup:
Code:
~/.config/autostart/dbus-daemon.desktop
The exec code line:
Code:
Exec=/home/(your username)/.local/share/accounts/services/dbus-daemon

These files seem to have the code that makes the virus gain privileges:
~/.profile
~/.bashrc
~/.bash_profile

The code:
Code:
linux_bash="$HOME/(the path seems to be different, according to dissemination)"
if [ -e "$linux_bash" ]; then
    setsid "$linux_bash" 2>&1 & disown
fi

Since these files had a timestamp of 20:33, I searched for all files modified right after (there were a few more, but I had already deleted them for test purposes):
dom 20 jan 2019 20:33:19 WET ./.bash_profile
dom 20 jan 2019 20:33:19 WET ./.bashrc
dom 20 jan 2019 20:33:19 WET ./.config/autostart/dbus-daemon.desktop
dom 20 jan 2019 20:33:19 WET ./.profile
dom 20 jan 2019 20:33:19 WET ./.local/share/accounts/services/.dbus-daemon.bin
dom 20 jan 2019 20:33:19 WET ./.local/share/icc/.icc-daemon.bin
dom 20 jan 2019 20:33:19 WET ./.local/share/icc/.icc-daemon.log
dom 20 jan 2019 20:33:24 WET ./.kodi/addons/script.module.python.requests/lib/requests/packages/urllib3/connectionpool.py
dom 20 jan 2019 20:34:06 WET ./.local/share/accounts/services/.dbus-daemon.sys
dom 20 jan 2019 20:34:08 WET ./.local/share/icc/icc-daemon
dom 20 jan 2019 20:34:08 WET ./.local/share/icc/.icc-daemon.sys
dom 20 jan 2019 20:34:44 WET ./.local/share/accounts/services/dbus-daemon


The dissemination seems to create 3 files:
One timestamp
One base64 lookalike
The offending script


What I've done:
1- Delete autostart file
2- Delete offending code from ~/.profile, ~/.bashrc, ~/.bash_profile
3- Delete all dissemination files
4- Empty ~/.cache folder
5- Empty /tmp folder
6- Restart


I don't know what this virus does. I did save the HEX file if someone wants to inspect any further.
As I don't know how my machine got infected (that Kodi urllib3 file looks suspicious!), I can't guarantee this is a final solution, though all seems OK now...
I will keep my system in check the next few days to see if this was all there was.

I hope this helps someone.
Forgive my poor English...

Last edited by NeuroDesigns; 01-29-2019 at 06:54 AM.
 
1 members found this post helpful.
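The two posts above (#20 and #21) describe three things a responder can check for directly: an autostart .desktop entry whose Exec= line runs a binary from inside the user's home, the setsid/disown launcher injected into ~/.profile, ~/.bashrc and ~/.bash_profile, and the trick of pivoting on the timestamp of those files to find everything else dropped in the same window. The script below is an added example, not code from NeuroDesigns or from this thread; it builds a throwaway sample home directory that mirrors the file list in the post (the user name "alice", the rc-file target path and the file contents are assumptions, and nothing in it is real malware) and runs the three checks against it.

```python
"""Hunt for the user-level persistence described in posts #20/#21.

Added example, not code from the thread.  Checks: (1) autostart Exec= that
points into $HOME, (2) `setsid ... & disown` launcher in the shell rc files,
(3) timestamp pivot around the mtime of the files found by (1) and (2).
build_sample_home() constructs the test data; "alice" and the rc-file
target path are assumptions, not values from the post.
"""
import os
import re
import tempfile
import time
from pathlib import Path

RC_FILES = (".profile", ".bashrc", ".bash_profile")
# Injected launcher as posted: a variable holding a path under $HOME,
# started as a session leader and dropped from the shell's job table.
RC_INJECT = re.compile(r'setsid\s+"?\$\w+"?[^\n]*&\s*disown')
# Exec= lines that run something from the user's own home.  Legitimate
# autostart entries almost always point at /usr/bin or /usr/lib instead.
EXEC_IN_HOME = re.compile(r"^Exec=\s*(?:/home/[^/\s]+|\$HOME|~)/", re.M)


def scan_autostart(home: Path) -> list:
    """Autostart entries whose Exec= runs a binary from inside $HOME."""
    autostart = home / ".config" / "autostart"
    return sorted(
        p for p in autostart.glob("*.desktop")
        if EXEC_IN_HOME.search(p.read_text(errors="replace"))
    )


def scan_rc_files(home: Path) -> list:
    """Shell rc files carrying the setsid/disown launcher."""
    return [
        home / name for name in RC_FILES
        if (home / name).is_file()
        and RC_INJECT.search((home / name).read_text(errors="replace"))
    ]


def files_modified_near(home: Path, anchor: float, window: int = 120) -> list:
    """Timestamp pivot: files under home touched within `window` s after anchor."""
    return sorted(
        p for p in home.rglob("*")
        if p.is_file() and anchor <= p.stat().st_mtime <= anchor + window
    )


def hunt(home: Path) -> dict:
    """Run all three checks; paths are returned relative to home."""
    autostart = scan_autostart(home)
    rcs = scan_rc_files(home)
    suspects = autostart + rcs
    near = []
    if suspects:
        near = files_modified_near(home, min(p.stat().st_mtime for p in suspects))

    def rel(paths):
        return [str(p.relative_to(home)) for p in paths]

    return {"autostart": rel(autostart), "rc_files": rel(rcs), "modified_near": rel(near)}


def build_sample_home() -> Path:
    """Constructed sample home mirroring the post's file list (not real malware)."""
    home = Path(tempfile.mkdtemp(prefix="hunt-"))
    t0 = time.time() - 3600  # pretend the drop happened an hour ago

    def put(rel: str, text: str, when: float) -> None:
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        os.utime(p, (when, when))

    put(".config/autostart/dbus-daemon.desktop",
        "[Desktop Entry]\nType=Application\nName=dbus-daemon\n"
        "Exec=/home/alice/.local/share/accounts/services/dbus-daemon\n", t0)
    put(".bashrc",
        "alias ll='ls -l'\n"
        'linux_bash="$HOME/.local/share/icc/icc-daemon"\n'  # assumed target path
        'if [ -e "$linux_bash" ];then\n'
        'setsid "$linux_bash" 2>&1 & disown\n'
        "fi\n", t0)
    put(".local/share/accounts/services/.dbus-daemon.bin", "base64-lookalike\n", t0)
    put(".local/share/accounts/services/dbus-daemon", "placeholder, not a binary\n", t0 + 85)
    # Benign neighbours that must not be flagged.
    put(".profile", "# clean\n", t0 - 86400)
    put(".config/autostart/blueman.desktop",
        "[Desktop Entry]\nExec=/usr/bin/blueman-applet\n", t0 - 30 * 86400)
    return home


if __name__ == "__main__":
    for key, paths in hunt(build_sample_home()).items():
        print(key, paths)
```

To run it against a real account, call `hunt(Path.home())` instead of the sample directory; the rc-file regex is deliberately narrow (it matches the launcher shape quoted in the post, not every background job), so treat an empty result as "this particular shape is absent", not as a clean bill of health.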
Old 01-29-2019, 08:03 AM   #22
NeuroDesigns
LQ Newbie
 
Registered: Jan 2019
Posts: 4

Rep: Reputation: Disabled
A little more info...
I also have a machine running LibreElec.
Decided to investigate and it is also infected...
 
Old 01-29-2019, 12:40 PM   #23
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
yes, that's the crucial question:
where did you get it from?

if anyone's wondering, i did not investigate any deeper than this, but it does seem to be some sort of malware.

just one point:
Quote:
Originally Posted by NeuroDesigns View Post
This files seems to have the code to make the virus gain privileges:
~/.profile
~/.bashrc
~/.bash_profile

The code:
Code:
linux_bash="$HOME/(the path seems to be different, according to dissemination)"
if [ -e "$linux_bash" ];then
setsid "$linux_bash" 2>&1 & disown
fi
i'm not exactly sure what setsid does, but it does not "gain privileges" for anything.
 
Old 01-29-2019, 01:19 PM   #24
johnvi
LQ Newbie
 
Registered: Nov 2018
Posts: 4

Rep: Reputation: Disabled
The virus is probably some kind of Bitcoin-mining process, considering the very high CPU usage.
I had an issue with a MikroTik router I use for my local network and internet. These routers had a vulnerability last spring that was fixed with an update. I did not update my router in time and got a mining virus on all my Windows machines, but it is said that this vulnerability was also used to infect Linux machines as well.

I also found most of the files that you mention above, except the .kodi/... one.

Last edited by johnvi; 01-29-2019 at 01:31 PM.
 
Old 01-29-2019, 02:46 PM   #25
NeuroDesigns
LQ Newbie
 
Registered: Jan 2019
Posts: 4

Rep: Reputation: Disabled
@ondoho
"does not gain privileges for anything"
Ouchhh!!!
I think you miswrote "good contribution".


I probably shouldn't have written "privileges" because it could be wrongly interpreted, in a rooty way, as you did. My bad. Just trying to contribute, especially after almost everybody dismissed this for lacking evidence.

SETSID
https://linux.die.net/man/2/setsid

DISOWN
https://www.slashroot.in/disown-comm...-example-usage



As I said, I have no idea how I got this virus. Lots of bad practices... "A system is only as secure as its user"!
I'm keeping my machine under surveillance and if I find anything that can help somebody I will post here.

Last edited by NeuroDesigns; 01-29-2019 at 03:44 PM.
 
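Posts #23 and #25 disagree over what the injected `setsid "$linux_bash" 2>&1 & disown` line buys the malware. The script below is an added example, not code from either poster: it spawns a child the ordinary way and again with Python's `start_new_session=True` (which calls setsid(2) in the child, the same system call the setsid(1) wrapper in the rc file makes), and has each child report its own identity. Only the session, process-group and parent-relationship change; the uid does not, which is the point ondoho was making. `disown` has no kernel-side effect at all, it only removes the job from the interactive shell's job table, so it is not modelled here.

```python
"""What `setsid CMD 2>&1 & disown` does to the launched process.

Added example, not code from the thread.  start_new_session=True makes the
child call setsid(2) before exec, exactly what the setsid(1) wrapper in the
injected rc-file line does.  The child prints its pid, session id, process
group and uid so the parent can compare them with its own.
"""
import os
import subprocess
import sys

CHILD_CODE = "import os; print(os.getpid(), os.getsid(0), os.getpgid(0), os.getuid())"


def spawn(detached: bool) -> dict:
    """Run a child and return its pid/sid/pgid/uid as seen from inside it."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        capture_output=True,
        text=True,
        check=True,
        start_new_session=detached,  # True -> child calls setsid() before exec
    )
    pid, sid, pgid, uid = (int(x) for x in proc.stdout.split())
    return {"pid": pid, "sid": sid, "pgid": pgid, "uid": uid}


def compare() -> dict:
    """Contrast a normally spawned child with one started via setsid()."""
    parent = {"sid": os.getsid(0), "pgid": os.getpgid(0), "uid": os.getuid()}
    plain = spawn(False)      # inherits our session and process group
    detached = spawn(True)    # becomes leader of a brand-new session
    return {
        "parent": parent,
        "plain": plain,
        "detached": detached,
        # A session leader has sid == pgid == its own pid.  The new session has
        # no controlling terminal, so the terminal's hangup signal and the
        # login shell's job control (which is what `disown` hides it from in
        # the shell) no longer reach it; that is why it outlives the login.
        "detached_is_session_leader": (
            detached["sid"] == detached["pid"] == detached["pgid"]
        ),
        # setsid() never touches credentials: the child keeps the caller's uid.
        "uid_unchanged": detached["uid"] == parent["uid"] == plain["uid"],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it shows the plain child sharing the parent's session id while the detached child's session id equals its own pid; both children run as the same uid as the parent. If you want the same view from a shell, `ps -o pid,sid,pgid,uid,cmd` on the suspicious process will show the sid equal to the pid for anything started this way.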
Old 04-18-2020, 05:41 PM   #26
eromana
LQ Newbie
 
Registered: Jul 2018
Posts: 3

Rep: Reputation: Disabled
Related : Recent update causes high cpu usage

After an upgrade, the System Monitor displays high cpu utilization across all threads, of about 30 percent.

From Synaptic reinstalling the metacity package appears to restore my laptop to a low cpu utilization of a few percent.

Since the High CPU thread has more than one root cause, I mark this solved with hesitation.

I am using Linux Mint 18.3, Kernel 4.15.0-96

But using Firefox restores the high-CPU state! It looks like the problem is in Firefox.

Last edited by eromana; 04-18-2020 at 06:01 PM. Reason: Firefox restores the problem