Hello. Yesterday, my boss asked me to take a look at our Unraid server as the CPU was running quite hot. I logged in over SSH to look at htop and all 24 of our CPU cores were absolutely pinned at 100%. The process using the most CPU turns out to be "xmrig" which I understand is a Monero cryptominer. Since I killed the process, I've been having a hard time locating the source. My understanding is that either our server is compromised, or one of our Docker plugins is infected. The process has not started again since I killed it yesterday.
I've looked through the syslog and didn't see anything suspicious, although it only goes back 84 days which is the last time the server was restarted. I'm the only Linux guy here at the office but I'm not very familiar with the s6 init system or Unraid in general, so looking around as root has yielded no findings.
I've noticed in other threads that the diagnostic .zip file is often requested to look through. This is our main company server that runs our DC, file server, and WDS, so I'd prefer to only upload specific log files if I possibly can.
I'm thinking it's one of our Docker containers but can't be sure. Maybe someone can point me in the right direction. Thanks a lot!
syslog.txt
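A triage helper for the situation described in the post, added here as an example and not part of the original post or of Unraid: if the miner shows up again, the questions that answer "host or container?" are all in `/proc`. It walks the parent chain of a process, records where its binary lives (and whether it has been unlinked from disk, which a deleted `exe` symlink reveals), and reads the Docker container ID out of `/proc/<pid>/cgroup`, which Docker names after the container on both cgroup v1 and v2. It assumes a Linux `/proc` layout; the Unraid flash paths in `PERSISTENCE_CANDIDATES` (`/boot/config/go`, `/boot/config/plugins`) are starting points the reader should confirm on their own box, and `xmrig` is only the default argument because it is the name from the post.

```python
#!/usr/bin/env python3
"""Process-origin triage for a suspicious PID (example, not from the original post)."""
import os
import re
import sys

# Docker places each container's processes in a cgroup named after the container ID:
#   cgroup v1:  12:cpu,cpuacct:/docker/<64-hex-id>
#   cgroup v2:  0::/system.slice/docker-<64-hex-id>.scope
CONTAINER_ID_RE = re.compile(r"docker[-/]([0-9a-f]{12,64})")

# Assumed starting points for a persistence review. The /boot/config paths are
# Unraid's boot-time script and plugin directory; verify them on your own system.
PERSISTENCE_CANDIDATES = [
    "/boot/config/go",          # Unraid: executed on every boot
    "/boot/config/plugins",     # Unraid: plugin install scripts
    "/etc/rc.d/rc.local",
    "/etc/cron.d",
    "/var/spool/cron/crontabs",
]


def container_id_from_cgroup(cgroup_text: str):
    """Return the Docker container ID named in /proc/<pid>/cgroup text, else None."""
    for line in cgroup_text.splitlines():
        match = CONTAINER_ID_RE.search(line)
        if match:
            return match.group(1)
    return None


def parse_cmdline(raw: bytes):
    """/proc/<pid>/cmdline is NUL-separated; split it into an argv list."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\0") if arg]


def parse_ppid(status_text: str) -> int:
    """Extract the parent PID from /proc/<pid>/status (0 if absent)."""
    for line in status_text.splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return 0


def read_proc(pid: int, name: str) -> bytes:
    """Read one /proc/<pid>/<name> file; empty bytes if the process is gone."""
    try:
        with open(f"/proc/{pid}/{name}", "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def safe_readlink(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:
        return "?"


def describe(pid: int) -> dict:
    """Collect the facts that say where a process came from."""
    exe = safe_readlink(f"/proc/{pid}/exe")
    return {
        "pid": pid,
        "comm": read_proc(pid, "comm").decode(errors="replace").strip(),
        "exe": exe,
        # A binary unlinked after launch leaves the exe symlink ending in " (deleted)";
        # the running image can still be copied out of /proc/<pid>/exe for analysis.
        "exe_deleted": exe.endswith(" (deleted)"),
        "cwd": safe_readlink(f"/proc/{pid}/cwd"),
        "cmdline": parse_cmdline(read_proc(pid, "cmdline")),
        "container": container_id_from_cgroup(read_proc(pid, "cgroup").decode(errors="replace")),
        "ppid": parse_ppid(read_proc(pid, "status").decode(errors="replace")),
    }


def ancestry(pid: int, limit: int = 32):
    """Walk PPid links towards init to see what launched the process."""
    chain = []
    while pid > 0 and len(chain) < limit:
        info = describe(pid)
        chain.append(info)
        if info["ppid"] in (0, pid):
            break
        pid = info["ppid"]
    return chain


def find_pids_by_comm(name: str):
    """PIDs whose /proc/<pid>/comm equals name (the name htop shows)."""
    return [int(e) for e in os.listdir("/proc")
            if e.isdigit() and read_proc(int(e), "comm").strip() == name.encode()]


def existing_persistence_candidates(paths=PERSISTENCE_CANDIDATES):
    """Which candidate autostart locations exist on this host and deserve a look."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "xmrig"
    for pid in find_pids_by_comm(target):
        print(f"== {target} pid {pid}")
        for info in ancestry(pid):
            where = f"container {info['container']}" if info["container"] else "host"
            print(f"  {info['pid']:>6} {info['comm']:<16} exe={info['exe']} cwd={info['cwd']} ({where})")
    print("review for persistence:", existing_persistence_candidates())
```

Run it as root while the process is alive (`python3 triage.py xmrig`); the ancestry printout shows whether the parent is `containerd-shim`/`dockerd` with a container ID, or a host shell, cron, or the init system, which is the distinction the post is trying to make. Since the process has already been killed, the persistence list is the part that applies right now: those are the locations worth reading line by line for anything unexpected.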