Re: What is .dhpcd command and how to disable it?
Nowadays, my laptop frequently uses high %CPU (300%). I noticed that .dhpcd is involved in high %CPU. I could kill the process without any issue. However, it turns on automatically in about every 30 minutes. Strangely, the user is test in top (See the attached). I am wondering what it is, I would like to know how to fix or disable it completely (if it is okay). I am using ubuntu 16.04.5
The image is a capture from top while .dhpcd was on.
cpu-load
edited Dec 12 '18 at 21:56
Boba Fit
484212
asked Dec 12 '18 at 21:43
donghoondonghoon
183
|
show 5 more comments
Nowadays, my laptop frequently uses high %CPU (300%). I noticed that .dhpcd is involved in high %CPU. I could kill the process without any issue. However, it turns on automatically in about every 30 minutes. Strangely, the user is test in top (See the attached). I am wondering what it is, I would like to know how to fix or disable it completely (if it is okay). I am using ubuntu 16.04.5
The image is a capture from top while .dhpcd was on.
cpu-load
edited Dec 12 '18 at 21:56
Boba Fit
484212
asked Dec 12 '18 at 21:43
donghoondonghoon
183
2
Did you install a dhcp server?
– George Udosen
Dec 12 '18 at 21:48
1
Hi donghoon. What ist the output of :sudo su testand thenwhicht .dhpcd?
– Boba Fit
Dec 12 '18 at 21:58
Some sites seems to list that as a bad guy process.
– Doug Smythies
Dec 12 '18 at 21:59
1
Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPV4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard.
– user535733
Dec 12 '18 at 23:11
1
I searched on google withlinux ".dhpcd". I think it is malware and it is very new.
– Doug Smythies
Dec 14 '18 at 15:31
|
show 5 more comments
Nowadays, my laptop frequently uses high %CPU (300%). I noticed that .dhpcd is involved in high %CPU. I could kill the process without any issue. However, it turns on automatically in about every 30 minutes. Strangely, the user is test in top (See the attached). I am wondering what it is, I would like to know how to fix or disable it completely (if it is okay). I am using ubuntu 16.04.5
The image is a capture from top while .dhpcd was on.
cpu-load
edited Dec 12 '18 at 21:56
Boba Fit
484212
asked Dec 12 '18 at 21:43
donghoondonghoon
183
Nowadays, my laptop frequently uses high %CPU (300%). I noticed that .dhpcd is involved in high %CPU. I could kill the process without any issue. However, it turns on automatically in about every 30 minutes. Strangely, the user is test in top (See the attached). I am wondering what it is, I would like to know how to fix or disable it completely (if it is okay). I am using ubuntu 16.04.5
The image is a capture from top while .dhpcd was on.
cpu-load
cpu-load
edited Dec 12 '18 at 21:56
Boba Fit
484212
asked Dec 12 '18 at 21:43
donghoondonghoon
183
edited Dec 12 '18 at 21:56
Boba Fit
484212
asked Dec 12 '18 at 21:43
donghoondonghoon
183
edited Dec 12 '18 at 21:56
Boba Fit
484212
edited Dec 12 '18 at 21:56
Boba Fit
484212
edited Dec 12 '18 at 21:56
Boba Fit
484212
484212
asked Dec 12 '18 at 21:43
donghoondonghoon
183
asked Dec 12 '18 at 21:43
donghoondonghoon
183
asked Dec 12 '18 at 21:43
donghoondonghoon
183
183
2
Did you install a dhcp server?
– George Udosen
Dec 12 '18 at 21:48
1
Hi donghoon. What ist the output of :sudo su testand thenwhicht .dhpcd?
– Boba Fit
Dec 12 '18 at 21:58
Some sites seems to list that as a bad guy process.
– Doug Smythies
Dec 12 '18 at 21:59
1
Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPV4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard.
– user535733
Dec 12 '18 at 23:11
1
I searched on google withlinux ".dhpcd". I think it is malware and it is very new.
– Doug Smythies
Dec 14 '18 at 15:31
|
show 5 more comments
2
Did you install a dhcp server?
– George Udosen
Dec 12 '18 at 21:48
1
Hi donghoon. What ist the output of :sudo su testand thenwhicht .dhpcd?
– Boba Fit
Dec 12 '18 at 21:58
Some sites seems to list that as a bad guy process.
– Doug Smythies
Dec 12 '18 at 21:59
1
Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPV4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard.
– user535733
Dec 12 '18 at 23:11
1
I searched on google withlinux ".dhpcd". I think it is malware and it is very new.
– Doug Smythies
Dec 14 '18 at 15:31
2
2
Did you install a dhcp server?
– George Udosen
Dec 12 '18 at 21:48
Did you install a dhcp server?
– George Udosen
Dec 12 '18 at 21:48
1
1
Hi donghoon. What ist the output of :
sudo su test and then whicht .dhpcd ?– Boba Fit
Dec 12 '18 at 21:58
Hi donghoon. What ist the output of :
sudo su test and then whicht .dhpcd ?– Boba Fit
Dec 12 '18 at 21:58
Some sites seems to list that as a bad guy process.
– Doug Smythies
Dec 12 '18 at 21:59
Some sites seems to list that as a bad guy process.
– Doug Smythies
Dec 12 '18 at 21:59
1
1
Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPV4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard.
– user535733
Dec 12 '18 at 23:11
Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPV4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard.
– user535733
Dec 12 '18 at 23:11
1
1
I searched on google with
linux ".dhpcd". I think it is malware and it is very new.– Doug Smythies
Dec 14 '18 at 15:31
I searched on google with
linux ".dhpcd". I think it is malware and it is very new.– Doug Smythies
Dec 14 '18 at 15:31
|
show 5 more comments
3 Answers
3
active
oldest
votes
I am going to suggesting several things:
Unplug your system from the internet and see if that process is still seen in the
topwindow. If gone then perhpas some one or process installed by some one is using your CPU perhaps for data minning. Then which ever try the steps below.
Search for it in:
cronjobs
sudo crontab -l: look for strange cronjobs
- systemd services
sudo find / -iname "*dhpc*"
Use
topandps:
top:
- Start top
press f and use the
arrowkeys to move and select all thefieldsthat have to do withuserand/oruseridoridin general. See screen shot below.
Use the spacebar to select the fields and the press q to quit.
Now see what PPID, SUSER, RUSER, SUID says about that process. To trace the culprit.
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
1
Shouldn't step 2 part 2 be*dhpc*instead of*dhcp*?
– Doug Smythies
Dec 14 '18 at 15:30
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
@Doug Smythies, @George Udosen : Yes, I changed to*dhpc*.
– donghoon
Dec 14 '18 at 16:48
@George Udosen, By the way,.dhpcddid not start offline. As soon as I turn online, the process started.
– donghoon
Dec 14 '18 at 17:06
You created user test?
– George Udosen
Dec 14 '18 at 17:10
|
show 3 more comments
sudo crontab -l showed no crontab for root.
From sudo find / -iname "*dhpc*" , I found this: /home/test/.dhpcd
Also, the attached picture is capture from top.
This is the result of `'ls -al':
Quite a while ago, I created git page just for practice. Something fish is going on here..
answered Dec 14 '18 at 16:58
donghoondonghoon
183
What is the content of .dhcpd? What is the content ofsudo crontab -l -u test? Something is triggering it...
– vidarlo
Dec 14 '18 at 17:34
@vidarlo I just ran your command WITHOUT.dhpcdrunning. The output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after.dhpcdstarts.
– donghoon
Dec 14 '18 at 17:50
While.dhpcdis running, the output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/nullIt is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the usertestas George Udosen suggested.
– donghoon
Dec 14 '18 at 18:21
Best bet would be to remove the line from crontab (usecrontab -eto edit), and verify other files such as.bashrc, and remove.dhcpd.
– vidarlo
Dec 14 '18 at 18:24
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:sudo deluser --system --remove-all-files test. However, your system will still be suspect.
– Doug Smythies
Dec 14 '18 at 18:58
|
show 1 more comment
Thank you all for your help, especially, George Udosen and Doug Smythies.
Some of the most practical commands were:
top : To figure out which command was taking all my CPU; I found .dhpcd was using all my CPU. Note that it is different from dhcpcd.
Googling with linux ".dhpcd": To learn what it is...
sudo find / -iname "*dhpc*" : To figure out which directory contained .dhpcd.
sudo userdel -r test : To get rid of a user test. This was because .dhpcd was executed by a suspicious user called test.
sudo deluser --system --remove-all-files test : To remove all files created by a user test.
Finally I rebooted my laptop, and the issue has gone.
Note that I didn't remember if I had created the user test. Since I don't use the account, I deleted everything related to it. I do now know if the issue would have been resolved by deleting only .dhpcd.
answered Dec 15 '18 at 21:53
donghoondonghoon
183
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1100467%2fre-what-is-dhpcd-command-and-how-to-disable-it%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
I am going to suggesting several things:
Unplug your system from the internet and see if that process is still seen in the
topwindow. If gone then perhpas some one or process installed by some one is using your CPU perhaps for data minning. Then which ever try the steps below.
Search for it in:
cronjobs
sudo crontab -l: look for strange cronjobs
- systemd services
sudo find / -iname "*dhpc*"
Use
topandps:
top:
- Start top
press f and use the
arrowkeys to move and select all thefieldsthat have to do withuserand/oruseridoridin general. See screen shot below.
Use the spacebar to select the fields and the press q to quit.
Now see what PPID, SUSER, RUSER, SUID says about that process. To trace the culprit.
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
1
Shouldn't step 2 part 2 be*dhpc*instead of*dhcp*?
– Doug Smythies
Dec 14 '18 at 15:30
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
@Doug Smythies, @George Udosen : Yes, I changed to*dhpc*.
– donghoon
Dec 14 '18 at 16:48
@George Udosen, By the way,.dhpcddid not start offline. As soon as I turn online, the process started.
– donghoon
Dec 14 '18 at 17:06
You created user test?
– George Udosen
Dec 14 '18 at 17:10
|
show 3 more comments
I am going to suggesting several things:
Unplug your system from the internet and see if that process is still seen in the
topwindow. If gone then perhpas some one or process installed by some one is using your CPU perhaps for data minning. Then which ever try the steps below.
Search for it in:
cronjobs
sudo crontab -l: look for strange cronjobs
- systemd services
sudo find / -iname "*dhpc*"
Use
topandps:
top:
- Start top
press f and use the
arrowkeys to move and select all thefieldsthat have to do withuserand/oruseridoridin general. See screen shot below.
Use the spacebar to select the fields and the press q to quit.
Now see what PPID, SUSER, RUSER, SUID says about that process. To trace the culprit.
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
1
Shouldn't step 2 part 2 be*dhpc*instead of*dhcp*?
– Doug Smythies
Dec 14 '18 at 15:30
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
@Doug Smythies, @George Udosen : Yes, I changed to*dhpc*.
– donghoon
Dec 14 '18 at 16:48
@George Udosen, By the way,.dhpcddid not start offline. As soon as I turn online, the process started.
– donghoon
Dec 14 '18 at 17:06
You created user test?
– George Udosen
Dec 14 '18 at 17:10
|
show 3 more comments
I am going to suggesting several things:
Unplug your system from the internet and see if that process is still seen in the
topwindow. If gone then perhpas some one or process installed by some one is using your CPU perhaps for data minning. Then which ever try the steps below.
Search for it in:
cronjobs
sudo crontab -l: look for strange cronjobs
- systemd services
sudo find / -iname "*dhpc*"
Use
topandps:
top:
- Start top
press f and use the
arrowkeys to move and select all thefieldsthat have to do withuserand/oruseridoridin general. See screen shot below.
Use the spacebar to select the fields and the press q to quit.
Now see what PPID, SUSER, RUSER, SUID says about that process. To trace the culprit.
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
I am going to suggesting several things:
Unplug your system from the internet and see if that process is still seen in the
topwindow. If gone then perhpas some one or process installed by some one is using your CPU perhaps for data minning. Then which ever try the steps below.
Search for it in:
cronjobs
sudo crontab -l: look for strange cronjobs
- systemd services
sudo find / -iname "*dhpc*"
Use
topandps:
top:
- Start top
press f and use the
arrowkeys to move and select all thefieldsthat have to do withuserand/oruseridoridin general. See screen shot below.
Use the spacebar to select the fields and the press q to quit.
Now see what PPID, SUSER, RUSER, SUID says about that process. To trace the culprit.
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
edited Dec 14 '18 at 15:39
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
answered Dec 14 '18 at 10:00
George UdosenGeorge Udosen
20.5k94467
20.5k94467
1
Shouldn't step 2 part 2 be*dhpc*instead of*dhcp*?
– Doug Smythies
Dec 14 '18 at 15:30
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
@Doug Smythies, @George Udosen : Yes, I changed to*dhpc*.
– donghoon
Dec 14 '18 at 16:48
@George Udosen, By the way,.dhpcddid not start offline. As soon as I turn online, the process started.
– donghoon
Dec 14 '18 at 17:06
You created user test?
– George Udosen
Dec 14 '18 at 17:10
|
show 3 more comments
1
Shouldn't step 2 part 2 be*dhpc*instead of*dhcp*?
– Doug Smythies
Dec 14 '18 at 15:30
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
@Doug Smythies, @George Udosen : Yes, I changed to*dhpc*.
– donghoon
Dec 14 '18 at 16:48
@George Udosen, By the way,.dhpcddid not start offline. As soon as I turn online, the process started.
– donghoon
Dec 14 '18 at 17:06
You created user test?
– George Udosen
Dec 14 '18 at 17:10
1
1
Shouldn't step 2 part 2 be
*dhpc* instead of *dhcp*?– Doug Smythies
Dec 14 '18 at 15:30
Shouldn't step 2 part 2 be
*dhpc* instead of *dhcp*?– Doug Smythies
Dec 14 '18 at 15:30
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
Yea your right let me update that!
– George Udosen
Dec 14 '18 at 15:38
@Doug Smythies, @George Udosen : Yes, I changed to
*dhpc*.– donghoon
Dec 14 '18 at 16:48
@Doug Smythies, @George Udosen : Yes, I changed to
*dhpc*.– donghoon
Dec 14 '18 at 16:48
@George Udosen, By the way,
.dhpcd did not start offline. As soon as I turn online, the process started.– donghoon
Dec 14 '18 at 17:06
@George Udosen, By the way,
.dhpcd did not start offline. As soon as I turn online, the process started.– donghoon
Dec 14 '18 at 17:06
You created user test?
– George Udosen
Dec 14 '18 at 17:10
You created user test?
– George Udosen
Dec 14 '18 at 17:10
|
show 3 more comments
sudo crontab -l showed no crontab for root.
From sudo find / -iname "*dhpc*" , I found this: /home/test/.dhpcd
Also, the attached picture is capture from top.
This is the result of `'ls -al':
Quite a while ago, I created git page just for practice. Something fish is going on here..
answered Dec 14 '18 at 16:58
donghoondonghoon
183
What is the content of .dhcpd? What is the content ofsudo crontab -l -u test? Something is triggering it...
– vidarlo
Dec 14 '18 at 17:34
@vidarlo I just ran your command WITHOUT.dhpcdrunning. The output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after.dhpcdstarts.
– donghoon
Dec 14 '18 at 17:50
While.dhpcdis running, the output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/nullIt is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the usertestas George Udosen suggested.
– donghoon
Dec 14 '18 at 18:21
Best bet would be to remove the line from crontab (usecrontab -eto edit), and verify other files such as.bashrc, and remove.dhcpd.
– vidarlo
Dec 14 '18 at 18:24
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:sudo deluser --system --remove-all-files test. However, your system will still be suspect.
– Doug Smythies
Dec 14 '18 at 18:58
|
show 1 more comment
sudo crontab -l showed no crontab for root.
From sudo find / -iname "*dhpc*" , I found this: /home/test/.dhpcd
Also, the attached picture is capture from top.
This is the result of `'ls -al':
Quite a while ago, I created git page just for practice. Something fish is going on here..
answered Dec 14 '18 at 16:58
donghoondonghoon
183
What is the content of .dhcpd? What is the content ofsudo crontab -l -u test? Something is triggering it...
– vidarlo
Dec 14 '18 at 17:34
@vidarlo I just ran your command WITHOUT.dhpcdrunning. The output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after.dhpcdstarts.
– donghoon
Dec 14 '18 at 17:50
While.dhpcdis running, the output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/nullIt is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the usertestas George Udosen suggested.
– donghoon
Dec 14 '18 at 18:21
Best bet would be to remove the line from crontab (usecrontab -eto edit), and verify other files such as.bashrc, and remove.dhcpd.
– vidarlo
Dec 14 '18 at 18:24
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:sudo deluser --system --remove-all-files test. However, your system will still be suspect.
– Doug Smythies
Dec 14 '18 at 18:58
|
show 1 more comment
sudo crontab -l showed no crontab for root.
From sudo find / -iname "*dhpc*" , I found this: /home/test/.dhpcd
Also, the attached picture is capture from top.
This is the result of `'ls -al':
Quite a while ago, I created git page just for practice. Something fish is going on here..
answered Dec 14 '18 at 16:58
donghoondonghoon
183
sudo crontab -l showed no crontab for root.
From sudo find / -iname "*dhpc*" , I found this: /home/test/.dhpcd
Also, the attached picture is capture from top.
This is the result of `'ls -al':
Quite a while ago, I created git page just for practice. Something fish is going on here..
answered Dec 14 '18 at 16:58
donghoondonghoon
183
answered Dec 14 '18 at 16:58
donghoondonghoon
183
answered Dec 14 '18 at 16:58
donghoondonghoon
183
answered Dec 14 '18 at 16:58
donghoondonghoon
183
183
What is the content of .dhcpd? What is the content ofsudo crontab -l -u test? Something is triggering it...
– vidarlo
Dec 14 '18 at 17:34
@vidarlo I just ran your command WITHOUT.dhpcdrunning. The output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after.dhpcdstarts.
– donghoon
Dec 14 '18 at 17:50
While.dhpcdis running, the output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/nullIt is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the usertestas George Udosen suggested.
– donghoon
Dec 14 '18 at 18:21
Best bet would be to remove the line from crontab (usecrontab -eto edit), and verify other files such as.bashrc, and remove.dhcpd.
– vidarlo
Dec 14 '18 at 18:24
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:sudo deluser --system --remove-all-files test. However, your system will still be suspect.
– Doug Smythies
Dec 14 '18 at 18:58
|
show 1 more comment
What is the content of .dhcpd? What is the content ofsudo crontab -l -u test? Something is triggering it...
– vidarlo
Dec 14 '18 at 17:34
@vidarlo I just ran your command WITHOUT.dhpcdrunning. The output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after.dhpcdstarts.
– donghoon
Dec 14 '18 at 17:50
While.dhpcdis running, the output is18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/nullIt is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the usertestas George Udosen suggested.
– donghoon
Dec 14 '18 at 18:21
Best bet would be to remove the line from crontab (usecrontab -eto edit), and verify other files such as.bashrc, and remove.dhcpd.
– vidarlo
Dec 14 '18 at 18:24
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:sudo deluser --system --remove-all-files test. However, your system will still be suspect.
– Doug Smythies
Dec 14 '18 at 18:58
What is the content of .dhcpd? What is the content of
sudo crontab -l -u test? Something is triggering it...– vidarlo
Dec 14 '18 at 17:34
What is the content of .dhcpd? What is the content of
sudo crontab -l -u test? Something is triggering it...– vidarlo
Dec 14 '18 at 17:34
@vidarlo I just ran your command WITHOUT
.dhpcd running. The output is 18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after .dhpcd starts.– donghoon
Dec 14 '18 at 17:50
@vidarlo I just ran your command WITHOUT
.dhpcd running. The output is 18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null. I will run your command again after .dhpcd starts.– donghoon
Dec 14 '18 at 17:50
While
.dhpcd is running, the output is 18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null It is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the user test as George Udosen suggested.– donghoon
Dec 14 '18 at 18:21
While
.dhpcd is running, the output is 18 * * * * /home/test/.dhpcd -o ca.minexmr.com:4444 -t3 -B >/dev/null 2>/dev/null It is actually the same..haha.. @vidalo , Do you have any more suggestion? Otherwise, I will delete the user test as George Udosen suggested.– donghoon
Dec 14 '18 at 18:21
Best bet would be to remove the line from crontab (use
crontab -e to edit), and verify other files such as .bashrc, and remove .dhcpd.– vidarlo
Dec 14 '18 at 18:24
Best bet would be to remove the line from crontab (use
crontab -e to edit), and verify other files such as .bashrc, and remove .dhcpd.– vidarlo
Dec 14 '18 at 18:24
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:
sudo deluser --system --remove-all-files test. However, your system will still be suspect.– Doug Smythies
Dec 14 '18 at 18:58
You have been compromised, and your computer is being used to mine crypto currency. Myself, I would delete the test user and all its files:
sudo deluser --system --remove-all-files test. However, your system will still be suspect.– Doug Smythies
Dec 14 '18 at 18:58
|
show 1 more comment
Thank you all for your help, especially, George Udosen and Doug Smythies.
Some of the most practical commands were:
top : To figure out which command was taking all my CPU; I found .dhpcd was using all my CPU. Note that it is different from dhcpcd.
Googling with linux ".dhpcd": To learn what it is...
sudo find / -iname "*dhpc*" : To figure out which directory contained .dhpcd.
sudo userdel -r test : To get rid of a user test. This was because .dhpcd was executed by a suspicious user called test.
sudo deluser --system --remove-all-files test : To remove all files created by a user test.
Finally I rebooted my laptop, and the issue has gone.
Note that I didn't remember if I had created the user test. Since I don't use the account, I deleted everything related to it. I do now know if the issue would have been resolved by deleting only .dhpcd.
answered Dec 15 '18 at 21:53
donghoondonghoon
183
add a comment |
Thank you all for your help, especially, George Udosen and Doug Smythies.
Some of the most practical commands were:
top : To figure out which command was taking all my CPU; I found .dhpcd was using all my CPU. Note that it is different from dhcpcd.
Googling with linux ".dhpcd": To learn what it is...
sudo find / -iname "*dhpc*" : To figure out which directory contained .dhpcd.
sudo userdel -r test : To get rid of a user test. This was because .dhpcd was executed by a suspicious user called test.
sudo deluser --system --remove-all-files test : To remove all files created by a user test.
Finally I rebooted my laptop, and the issue has gone.
Note that I didn't remember if I had created the user test. Since I don't use the account, I deleted everything related to it. I do now know if the issue would have been resolved by deleting only .dhpcd.
answered Dec 15 '18 at 21:53
donghoondonghoon
183
add a comment |
Thank you all for your help, especially, George Udosen and Doug Smythies.
Some of the most practical commands were:
top : To figure out which command was taking all my CPU; I found .dhpcd was using all my CPU. Note that it is different from dhcpcd.
Googling with linux ".dhpcd": To learn what it is...
sudo find / -iname "*dhpc*" : To figure out which directory contained .dhpcd.
sudo userdel -r test : To get rid of a user test. This was because .dhpcd was executed by a suspicious user called test.
sudo deluser --system --remove-all-files test : To remove all files created by a user test.
Finally I rebooted my laptop, and the issue has gone.
Note that I didn't remember if I had created the user test. Since I don't use the account, I deleted everything related to it. I do now know if the issue would have been resolved by deleting only .dhpcd.
answered Dec 15 '18 at 21:53
donghoondonghoon
183
Thank you all for your help, especially, George Udosen and Doug Smythies.
Some of the most practical commands were:
top : To figure out which command was taking all my CPU; I found .dhpcd was using all my CPU. Note that it is different from dhcpcd.
Googling with linux ".dhpcd": To learn what it is...
sudo find / -iname "*dhpc*" : To figure out which directory contained .dhpcd.
sudo userdel -r test : To get rid of a user test. This was because .dhpcd was executed by a suspicious user called test.
sudo deluser --system --remove-all-files test : To remove all files created by a user test.
Finally I rebooted my laptop, and the issue has gone.
Note that I didn't remember if I had created the user test. Since I don't use the account, I deleted everything related to it. I do now know if the issue would have been resolved by deleting only .dhpcd.
answered Dec 15 '18 at 21:53
donghoondonghoon
183
answered Dec 15 '18 at 21:53
donghoondonghoon
183
answered Dec 15 '18 at 21:53
donghoondonghoon
183
answered Dec 15 '18 at 21:53
donghoondonghoon
183
183
add a comment |
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1100467%2fre-what-is-dhpcd-command-and-how-to-disable-it%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
Did you install a dhcp server?
– George Udosen
Dec 12 '18 at 21:48
1
Hi donghoon. What ist the output of :
sudo su testand thenwhicht .dhpcd?– Boba Fit
Dec 12 '18 at 21:58
Some sites seems to list that as a bad guy process.
– Doug Smythies
Dec 12 '18 at 21:59
1
Looks suspect - the name and resources are wrong. Could be a classic cryptominer (or other malware) masquerading as a system process. The REAL dhcp is a teeny little fellow that merely manages local IPV4 addresses. You can avoid malware like this by practicing safe computing habits. Removing it might be easy...or hard.
– user535733
Dec 12 '18 at 23:11
1
I searched on google with
linux ".dhpcd". I think it is malware and it is very new.– Doug Smythies
Dec 14 '18 at 15:31