I accidentally discovered that one of my cloud servers was infected with the xmrig miner, continued!

Continued from: I accidentally discovered that one of my cloud servers was infected with the xmrig miner, hey!

It was not eradicated last time, so let's continue!

Check whether a scheduled task has been set. This is something I should have paid attention to: when I ran crontab, I did not specify a user (I was logged in as the ubuntu user), so I did not see this task and thought there was no problem. The same applies to editing: without a user, it only works on the current user's tasks.

Sure enough, there is a task that downloads a script and executes it!

Open it to take a look:

That's the one! The general idea of this script is fairly easy to understand: it clears the local virus, then downloads it from the remote server and executes it.

Look up 185.10.68.115:

An Icelandic server provider!

It turns out someone was already hit by this back in '18.

I'll submit it again, haha!

There are also some Chinese servers. I don't know whether they are really doing bad things or are just innocent bystanders...

 

I see a telecom one. A honeypot?

That's getting a bit off topic, so let's continue.

The next step is to eliminate the virus:

Delete the scheduled task first; it is the basis of its "resurrection"!

Save the file after deleting, then restart the cron service:

 service crond restart

Clear the virus file:

Kill the process:

 sudo kill -9 28749

Finished! Let's see whether it runs again tomorrow, haha!
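The scheduled task was missed the first time because only the current user's crontab was checked. As an added example (not from the original post), this script scans every cron location for entries that download something and run it. The function name `scan_cron`, the Debian/Ubuntu-style paths and the match pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: list cron entries, for ALL users and the system locations,
# that fetch something over the network and hand it to a shell.
# Assumed layout: per-user crontabs in /var/spool/cron/crontabs (Debian/Ubuntu)
# or /var/spool/cron (RHEL-style), system entries in /etc/crontab and /etc/cron.d.

# A download tool, then (before any '#') a pipe, ';' or '&&' leading into sh/bash.
SUSPICIOUS='(curl|wget)[^#]*[|;&][[:space:]]*(ba)?sh([[:space:]]|$)'

# scan_cron ROOT
#   ROOT is a filesystem prefix: "" for the live system, or the mount point of
#   a disk image / a test directory. Prints file:line:entry for each hit.
scan_cron() {
    sc_root="${1:-}"
    for sc_file in "$sc_root"/etc/crontab \
                   "$sc_root"/etc/cron.d/* \
                   "$sc_root"/var/spool/cron/crontabs/* \
                   "$sc_root"/var/spool/cron/*; do
        # Skip unmatched globs and directories
        [ -f "$sc_file" ] || continue
        # -n/-H give line number and file name; the second grep drops hits
        # that sit on commented-out lines.
        grep -EnH "$SUSPICIOUS" "$sc_file" 2>/dev/null \
            | grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#' || true
    done
    return 0
}

# Scan the live system only when asked to; reading other users' crontabs
# requires root.
if [ "${1:-}" = "--live" ]; then
    scan_cron ""
fi
```

A hit is a lead to inspect by hand, and an empty result does not prove the machine is clean, since the pattern only covers the download-then-run form seen here.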

 

Supplement: I accidentally discovered that one of my cloud servers was infected with the xmrig miner, continued!


Origin blog.csdn.net/kevin_mails/article/details/91799070