crond64/tsm virus in Ubuntu

I had the same. The service installed rsync and got some files. I found a dota.tar.gz file in the user folder.

  1. deny port 22 outgoing in firewall (e.g. ufw deny out 22)
  2. pkill -KILL -u kodi (this kills all running processes of user kodi)
  3. deluser kodi
  4. remove userhome
  5. remove rsync (I didn't use this)
  6. remove /tmp/.mountfs*

Please take note this will probably ruin things for kodi. Instead of removing the whole userhome you can probably only remove dota.tar.gz (if it's there) and the .ttp folder (do not forget to clean the crontab!)

After a reboot I don't see any outgoing connections anymore. Check with:

netstat -peanut | grep 22

Infection happened via a user with a weak password (kodi account with the default password maybe?)


In my case the source of infection was a user that didn't change his unsafe password from when I created his account (of course I told him to). My server probably is on some lists: I get around 1000 bans a week from fail2ban (try 4 times with a wrong user or password and be blocked for a month).


I had the same malware. Entry was through an unsafe user password via ssh (non-default port); it was detected and removed after roughly 24 hours.

In my case, deleting the user's crontab, rm -rdf /tmp/.*, rm -rdf /home/user/.*, killall -u user was enough.
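A defender-side check that combines the indicators the posts above mention, added here as an example and not code from anyone in this thread: it scans a home directory, a tmp directory and a crontab file for dota.tar.gz, a .ttp folder, /tmp/.mountfs* files and crontab lines that refer to them, and it narrows the netstat check to ESTABLISHED connections whose foreign port is 22 (the bare `grep 22` in the first post also matches inbound sessions to your own sshd and any PID, inode or address containing "22"). The directory tree, the crontab lines and the netstat output it runs against are constructed samples; the paths are parameters so the same functions can be pointed at /home/kodi, /tmp and /var/spool/cron/crontabs/kodi on a real Ubuntu box.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for the indicators the posts above
# describe; all paths are parameters so it can run against a constructed tree.

# Print each indicator found under the given home dir, tmp dir and crontab
# file; return 0 if anything was found, 1 if the tree looks clean.
scan_for_indicators() {
  home_dir="$1"      # e.g. /home/kodi
  tmp_dir="$2"       # e.g. /tmp
  crontab_file="$3"  # e.g. /var/spool/cron/crontabs/kodi on Ubuntu
  found=1
  if [ -f "$home_dir/dota.tar.gz" ]; then
    echo "indicator: $home_dir/dota.tar.gz"
    found=0
  fi
  if [ -d "$home_dir/.ttp" ]; then
    echo "indicator: $home_dir/.ttp"
    found=0
  fi
  for f in "$tmp_dir"/.mountfs*; do
    [ -e "$f" ] || continue   # an unmatched glob stays literal; skip it
    echo "indicator: $f"
    found=0
  done
  if [ -f "$crontab_file" ] && grep -q -e '\.ttp' -e 'dota' "$crontab_file"; then
    echo "indicator: crontab $crontab_file refers to .ttp or dota"
    found=0
  fi
  return "$found"
}

# Count ESTABLISHED TCP connections whose foreign address ends in :22, reading
# `netstat -peanut` style lines on stdin. Column 5 is the foreign address and
# column 6 the state, so an inbound session to our own sshd (local :22) is not
# counted, unlike with a bare `grep 22`.
count_outbound_ssh() {
  awk '$1 ~ /^tcp/ && $5 ~ /:22$/ && $6 == "ESTABLISHED" { n++ } END { print n + 0 }'
}

# Constructed sample tree carrying every indicator; prints its base directory.
make_infected_sample() {
  base="$(mktemp -d)"
  mkdir -p "$base/home/kodi/.ttp" "$base/tmp" "$base/cron"
  : > "$base/home/kodi/dota.tar.gz"
  : > "$base/tmp/.mountfs1"
  # constructed crontab line; only the .ttp path matters for the check
  echo '@reboot /home/kodi/.ttp/start' > "$base/cron/kodi"
  echo "$base"
}

# Constructed sample tree with nothing suspicious in it (a normal rsync backup job).
make_clean_sample() {
  base="$(mktemp -d)"
  mkdir -p "$base/home/user" "$base/tmp" "$base/cron"
  echo '0 3 * * * /usr/bin/rsync -a /data /backup' > "$base/cron/user"
  echo "$base"
}

# Constructed `netstat -peanut` output: one inbound ssh session to our sshd,
# one outbound connection to a remote :22, one unrelated udp socket.
sample_netstat() {
  cat <<'EOF'
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 0          12345      1234/sshd
tcp        0      0 192.0.2.10:43122        203.0.113.5:22          ESTABLISHED 1001       12346      2222/x
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12347      800/dhclient
EOF
}

# Stand-alone demonstration against the constructed samples.
infected="$(make_infected_sample)"
echo "scanning constructed infected tree:"
scan_for_indicators "$infected/home/kodi" "$infected/tmp" "$infected/cron/kodi" || echo "clean"
echo "outbound ssh connections in sample netstat output: $(sample_netstat | count_outbound_ssh)"
rm -rf "$infected"
```

On a live system run `scan_for_indicators /home/kodi /tmp /var/spool/cron/crontabs/kodi` as root and pipe the real `netstat -peanut` (or `ss -tanp`, whose columns differ) into `count_outbound_ssh`; a non-zero count after the cleanup steps in the first post means something is still dialling out on port 22 and is worth tracing by the PID in the last column.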