I noticed today that my server was very slow. Looking at the running processes, I noted that a process called wanwakuang was going crazy.
Searching for wanwakuang on Google did not yield many results, but this article on HackerNews was very helpful: https://translate.google.com/translate?sl=auto&tl=en&u=http://hackernews.cc/archives/34789
Apparently wanwakuang is a mining process.
However, I could not find the binary on my system. My server is only running Docker containers, so probably one of the containers was at fault.
To find the docker container with the exploit, I executed the command:
$ find /var/lib/docker -type f -name wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/diff/root/.configrc/a/wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/diff/tmp/.W10-unix/.rsync/a/wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/merged/root/.configrc/a/wanwakuang
/var/lib/docker/overlay2/1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf/merged/tmp/.W10-unix/.rsync/a/wanwakuang
To find out which Docker container was attached to this overlay, I issued this command I found on stackoverflow:
$ docker inspect $(docker ps -qa) \
    | jq -r 'map([.Name, .GraphDriver.Data.MergedDir]) | .[] | "\(.[0])\t\(.[1])"' \
    | grep '1752e86653539d82b50cf24c3d3f69b203fe059ca1650447016ca69033d468bf'
Knowing the name, I could terminate the container. It was being used for SSH and could be removed.
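The same lookup as a small Python script, added here as an example and not part of the original post: it pulls the overlay2 layer id out of each path that find reported and matches it against the MergedDir of every container in the output of docker inspect, so several hits can be attributed at once. The container names, layer ids and paths in the sample data are constructed.

```python
import json
import re
import sys

# overlay2 stores each container's read-write layer under
# /var/lib/docker/overlay2/<64 hex chars>/{diff,merged,work}; the same id
# appears in the MergedDir reported by `docker inspect`.
OVERLAY_RE = re.compile(r"/var/lib/docker/overlay2/([0-9a-f]{64})/")


def overlay_id_from_path(path):
    """Return the overlay2 layer id embedded in a path, or None."""
    m = OVERLAY_RE.search(path)
    return m.group(1) if m else None


def containers_for_paths(inspect_json, paths):
    """Map each suspicious path to the name of the container owning its layer.

    inspect_json is the JSON array printed by `docker inspect $(docker ps -qa)`.
    A path whose layer belongs to no container (e.g. an image layer) maps to None.
    """
    by_layer = {}
    for c in json.loads(inspect_json):
        merged = c.get("GraphDriver", {}).get("Data", {}).get("MergedDir", "")
        layer = overlay_id_from_path(merged)
        if layer:
            by_layer[layer] = c["Name"].lstrip("/")
    return {p: by_layer.get(overlay_id_from_path(p)) for p in paths}


# Constructed sample data standing in for real `docker inspect` output.
LAYER_A, LAYER_B, LAYER_X = "a1" * 32, "b2" * 32, "c3" * 32
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ssh-jumpbox", "GraphDriver": {"Name": "overlay2", "Data": {
        "MergedDir": f"/var/lib/docker/overlay2/{LAYER_A}/merged"}}},
    {"Name": "/web", "GraphDriver": {"Name": "overlay2", "Data": {
        "MergedDir": f"/var/lib/docker/overlay2/{LAYER_B}/merged"}}},
])
SAMPLE_PATHS = [
    f"/var/lib/docker/overlay2/{LAYER_A}/diff/root/.configrc/a/wanwakuang",
    f"/var/lib/docker/overlay2/{LAYER_A}/merged/tmp/.W10-unix/.rsync/a/wanwakuang",
    f"/var/lib/docker/overlay2/{LAYER_X}/diff/tmp/wanwakuang",  # no owning container
]

if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -qa) | python3 owner.py <path>...
    inspect_json = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for path, owner in containers_for_paths(inspect_json, sys.argv[1:] or SAMPLE_PATHS).items():
        print(f"{owner or '<no container>'}\t{path}")
```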