I set up a JupyterHub (v 1.1) server for a class I am teaching using tmpauthenticator and systemdspawner.
I noticed that the server was slow recently and it turns out that a crypto miner was running on it. Apparently, it was installed using a Mozi botnet. Even though I kill the mining process, the CPU miner comes back a couple of days later.
Any suggestions on how to block this malware would be greatly appreciated. I am using Ubuntu 18.04.
Does it actually come back, e.g. does the miner start again? That might just be something knocking you.
But the fact that it was exploited once and that you’re still concerned suggests you might want to burn it with fire and start over… scripting (and improving) your deployment with Ansible, etc. is likely well worth your time, and the only way to stay ahead of the script kiddies.
Thank you for the suggestion @bollwyvl. It seems that the miner starts again indeed.
I am a bit puzzled because this Mozi botnet is able to install the miner although I don’t allow users to have sudo rights nor wget.