This is not really a question but more of a request.
I've noticed a few questions about compromised servers running malware (usually cryptocurrency miners) but also other things.
When answering questions like this, I personally believe that it is our responsibility to point the user to the answers to the "How do I deal with a compromised server?"-question over at ServerFault.
It may be interesting to figure out what the malware is, or what commands a hacker typed in, or any number of similar interesting things, but at the same time, we are dealing with a victim of an ongoing crime, and they should get the best possible help from us that we can give. That help should at least include linking to the ServerFault question that I linked to above (unless you're a security expert that can write a better answer than Rob Moir's top answer).
We cannot assume that the person asking is a hobbyist who just happens to run Linux on his home computer and that the potential fallout is negligible. It may be that they are at a company whose servers just got hacked, or that their home-office machine is being used as a jump host to access others.
I tried to answer "How can I kill minerd malware on an AWS EC2 instance? (compromised server)" to the best of my ability a little while back (and "Need help understanding suspicious SSH commands" today), while also noting that as an admin or user of a compromised server, one may be legally obliged to report incidents within a certain time-frame (depending on where in the world one operates). This is, I believe, not covered by the ServerFault answers.
I'm not a security expert, and odds are that you aren't one either. Read the ServerFault question and the top answers and help users who find themselves with these kinds of security issues by alerting them to the potential severity and to the advice in the answers (by linking to the question ideally, not by retelling).
I know that I can't tell people how to answer questions here, but I just thought I'd mention this anyway.