Cryptomining Malware - Ubuntu - Stratum tcp

I had the same problem, and I've narrowed it down: hackers were able to intrude through some old, non-upgraded WordPress.

Probably the best and fastest way to see who is consuming how much time on your Ubuntu 16.04.3 server is to install htop:

sudo apt install htop

then type sudo htop

It will show you which username is eating how much CPU.

And if you identify a process that's eating a lot of CPU, you can check it with lsof -p <pid>

lsof stands for "list open files"; to see its full set of commands, type man lsof

However, it all depends on how your PHP is being executed, and what the hackers have actually done to your system.

Another good way to see what exactly Apache is doing is to enable mod_status.

Usually, on newer Ubuntu versions, it's:

sudo a2enmod status

And after that add this to your 000-default.conf website:

<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
    Require ip ::1
    Require ip X.X.X.X
</Location>

Replace X with your actual IP...

Or you can access it with lynx, for example, from your server's console, like:

lynx 127.0.0.1/server-status

And the output should look like this: [screenshot of the server-status page]

In my other post https://security.stackexchange.com/questions/172396/some-bot-keeps-posting-this-to-my-server/172571 you can see how to improve the security of your server and prevent such attacks.
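
The htop-then-`lsof -p <pid>` check described in this answer, as an added example that is not part of the original post: two filters that pick out high-CPU processes from `ps` output and the remote endpoints of their established TCP connections from `lsof` output. The function names, the 50% threshold and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for the htop -> lsof -p <pid> workflow.
# Function names and the sample data below are constructed for illustration.

# Filter `ps -eo pid,user,pcpu,comm` text on stdin; print rows whose %CPU
# is at or above the threshold given as $1, as "pid user cpu command".
high_cpu_procs() {
    awk -v t="$1" 'NR > 1 && $3 + 0 >= t + 0 { print $1, $2, $3, $4 }'
}

# Filter `lsof -nP -p <pid>` text on stdin; print the remote endpoint of
# every established TCP connection (the part after "->" in the NAME column).
tcp_peers() {
    awk '$8 == "TCP" && $10 == "(ESTABLISHED)" {
             n = split($9, ends, "->")
             if (n == 2) print ends[2]
         }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_PS='  PID USER      %CPU COMMAND
 4312 www-data  98.7 php
  901 mysql      3.2 mysqld
  655 root       0.1 sshd'

SAMPLE_LSOF='COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
php     4312 www-data  cwd    DIR    8,1     4096 1310 /var/www/html/wp-content/uploads
php     4312 www-data    3u  IPv4  88211      0t0  TCP 127.0.0.1:9000 (LISTEN)
php     4312 www-data    5u  IPv4  88317      0t0  TCP 192.0.2.10:48712->203.0.113.50:3333 (ESTABLISHED)'

# Live use on a server: list heavy processes, then their TCP peers.
triage_live() {
    ps -eo pid,user,pcpu,comm | high_cpu_procs "${1:-50}" |
    while read -r pid user cpu comm; do
        echo "== $comm (pid $pid, user $user, ${cpu}% CPU)"
        sudo lsof -nP -p "$pid" | tcp_peers
    done
}

# Run against the live system only when asked to: sh triage.sh live [threshold]
if [ "${1:-}" = "live" ]; then triage_live "${2:-50}"; fi
```

A web-server user such as www-data holding a long-lived outbound connection from a process at near-100% CPU is the pattern worth following up with the full `lsof -p <pid>` listing.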