Cryptomining Malware - Ubuntu - Stratum tcp
I had same problem, and I've narrowed down, hackers were able to intrude in some old and non-upgraded, wordpress.
Probably the best and fastest way to see who is consuming how much time on your Ubuntu 16.04.3 server is to install htop
sudo apt install htop
then type sudo htop
It will show you under which username is eating how much CPU
And if you identify some process that's eating much cpu, you can check it by lsof -p <pid>
lsof stands for list open files, to see it's full set of commands, type man lsof
However, it all depends upon how is your PHP being executed, and what hackers actually have done to your system.
Another good way to see, what is Apache exactly doing is to enable mod_status
Usually, on newer ubuntu's it's:
sudo a2enmod status
And after that add this to your 000-default.conf website:
<Location /server-status>
SetHandler server-status
Require ip 127.0.0.1
Require ip ::1
Require ip X.X.X.X
</Location>
Replace X with your actual IP...
Or you can access it with lync for example from your server's console like
lynx 127.0.0.1/server-status
And the output should look like:
On my other post https://security.stackexchange.com/questions/172396/some-bot-keeps-posting-this-to-my-server/172571 you can see how to improve security of your server and prevent such attacks.