1

My VPS was confirmed hacked, Ubuntu 16.04 LTS (thanks for answering my previous post).

Now I have created a new VPS and moved my site to it.

But I didn't delete the hacked VPS; I preserved it to learn how I got hacked.

My question is: where is the file/folder executed by python3 /~.pid -x -b ?

Thanks for your help.

iotop result

Ravexina
  • 57,256

1 Answer

2

It's a file located at / (root) named ~.pid.

To create the same file in my root directory:

$ cd /
$ sudo touch '~.pid'

And now let's look for it at /:

$ find / -maxdepth 1 | grep pid -C 3
/srv
/sbin
/dev
/~.pid                    <<< Here it is
/libx32
/lost+found
/proc

Write something within it:

$ echo hello | sudo tee \~.pid 
hello

Look what is inside:

$ cat \~.pid 
hello

And what is the type of file:

$ file /~.pid       # Absolute path
/~.pid: ASCII text

$ file ~.pid        # Relative path
~.pid: ASCII text

If you can't stat the file using ls or anything else, it has been removed. You can create a file, run it and then remove it. There is still a version of that file in memory (RAM) being used by python in your case, but it has been removed from the filesystem, so you can't find it.

If you kill the process it should go away. However, it depends on the malware; it might get recreated by another process.

Ravexina
  • 57,256
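The answer above describes a binary that keeps running after its file has been unlinked. The script below is an added example, not part of the answer or of any Ubuntu tooling, showing how a defender finds such processes on Linux via /proc and saves a copy of the still-mapped executable before killing it. It assumes a Linux /proc filesystem; the function names (find_deleted_exes, proc_cmdline, recover_exe, demo_deleted_exe) are mine, and the demo scenario (a copy of sleep that is started and then deleted) is constructed for illustration. Note that for an interpreted payload such as python3 /~.pid the exe link points at the interpreter, so the command line and open file descriptors are where the script path shows up.

```shell
#!/bin/sh
# Added example (not from the answer above): detect and preserve executables
# that are still running although their file has been unlinked. Linux /proc only.

# Print "PID exe-path" for every process whose binary was deleted after it started.
# /proc/PID/exe is a magic link; the kernel appends " (deleted)" once the inode
# no longer has a directory entry.
find_deleted_exes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        target=$(readlink "$p/exe" 2>/dev/null) || continue   # skip PIDs we may not inspect
        case "$target" in
            *" (deleted)") printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
    return 0
}

# Command line of a PID with NUL separators turned into spaces. For
# "python3 /~.pid -x -b" this is where the deleted script path still appears,
# because exe points at python3, not at the script.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Copy the still-mapped binary out of /proc before the process is killed,
# so there is an artefact left to analyse afterwards.
recover_exe() {
    cp "/proc/$1/exe" "$2"
}

# Constructed scenario: start a copy of sleep, unlink it, then detect and recover it.
# Returns 0 only if the deleted process is found and the recovered copy matches.
demo_deleted_exe() {
    src=$(command -v sleep)
    tmp=$(mktemp -d)
    cp "$src" "$tmp/sleep"        # keep the name so a busybox-backed sleep still works
    "$tmp/sleep" 60 &
    pid=$!
    # Wait until the child has actually exec'd before unlinking its binary.
    i=0
    while [ "$i" -lt 50 ]; do
        case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in
            */sleep) break ;;
        esac
        sleep 0.1
        i=$((i + 1))
    done
    rm "$tmp/sleep"               # the file is gone, the process is not
    status=1
    if find_deleted_exes | grep -q "^$pid " \
       && recover_exe "$pid" "$tmp/recovered" \
       && cmp -s "$src" "$tmp/recovered"; then
        echo "pid $pid still running: $(proc_cmdline "$pid")"
        echo "recovered copy matches the original binary"
        status=0
    fi
    kill "$pid" 2>/dev/null || true
    rm -rf "$tmp"
    return "$status"
}

demo_deleted_exe
```

On a compromised box you would run find_deleted_exes as root before any cleanup, pair each hit with proc_cmdline and the contents of /proc/PID/fd and /proc/PID/maps, and take a copy with recover_exe, since, as the answer says, killing the process is the moment the last reference to the deleted file disappears.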