Process with weird random name consuming significant network and CPU resources. Is someone hacking me?

In a VM on a cloud provider, I'm seeing a process with weird random name. It consumes significant network and CPU resources.

Here's how the process looks like from pstree view:

systemd(1)───eyshcjdmzg(37775)─┬─{eyshcjdmzg}(37782)
                               ├─{eyshcjdmzg}(37783)
                               └─{eyshcjdmzg}(37784)

I attached to the process using strace -p PID. Here's the output I've got: https://gist.github.com/gmile/eb34d262012afeea82af1c21713b1be9.

Killing the process does not work. It is somehow (via systemd?) resurrected. Here's how it looks from systemd point of view (note the weird IP address at the bottom):

$ systemctl status 37775
● session-60.scope - Session 60 of user root
   Loaded: loaded
Transient: yes
  Drop-In: /run/systemd/system/session-60.scope.d
           └─50-After-systemd-logind\x2eservice.conf, 50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf, 50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
   Active: active (abandoned) since Tue 2018-03-06 10:42:51 EET; 1 day 1h ago
    Tasks: 14
   Memory: 155.4M
      CPU: 18h 56min 4.266s
   CGroup: /user.slice/user-0.slice/session-60.scope
           ├─37775 cat resolv.conf
           ├─48798 cd /etc
           ├─48799 sh
           ├─48804 who
           ├─48806 ifconfig eth0
           ├─48807 netstat -an
           ├─48825 cd /etc
           ├─48828 id
           ├─48831 ps -ef
           ├─48833 grep "A"
           └─48834 whoami

Mar 06 10:42:51 k8s-master systemd[1]: Started Session 60 of user root.
Mar 06 10:43:27 k8s-master sshd[37594]: Received disconnect from 23.27.74.92 port 59964:11:
Mar 06 10:43:27 k8s-master sshd[37594]: Disconnected from 23.27.74.92 port 59964
Mar 06 10:43:27 k8s-master sshd[37594]: pam_unix(sshd:session): session closed for user root

What is going on?!

You'd think they'd bother to randomize the name on each infected system, but apparently not.

@immibis It may be an abbreviation, meaningful only to the authors. the DMZ bit is a real acronym. sh could mean "shell" and ey may be "eye" without the "e", but I'm just speculating.

@The-VinhVO Really rolls off the tongue

If you serve dutch customers also, and you store personal information(ip adresses, emails, names, shopping list, credit card info, passwords) you need to report it to datalekken.autoriteitpersoonsgegevens.nl/actionpage?0

@DarrenH I'm assuming that it would cover "data that can be used to identify a person" etc. Logs are usually not seen as this type of data AFAIK, but it may be different if an IP address is explicitly stored in a database as part of an account record.

That makes sense. Thanks for the clarification

In the netherlands we are required to mask all octets before sending to google because the entire range falls under personal information, because it can be crosschecked with other records. A hacker could crosscheck with other logs to track your activities. So yes, its full persal information like an actual adress