Friday, April 12, 2019

My first Linux Virus! (exciting!)

I've actually suspected something was up for a while now: the fan on my laptop starts spinning really hard, I start htop to see what's using my CPU, and I see four processes called something like gvfsd or init that immediately disappear, and then my fan goes back to normal.

I had little luck searching around but finally stumbled across something here, https://bugs.launchpad.net/ubuntu/+source/ibus/+bug/1766503, because one of the processes was naming itself ibus-something-or-other. Someone in that bug thread pointed to a couple of pages describing the trojan,
https://bugs.launchpad.net/ubuntu/+source/ibus/+bug/1766503 and
https://www.reddit.com/r/Addons4Kodi/comments/8eto78/people_using_unofficial_kodi_addon_on_linux/, which put me onto the bad files.

I found that the bad executables were in /tmp/, and when I tried to upload one of them to virustotal.com the file disappeared. I looked and saw that it had simply recreated itself with a new name, so I made a copy of the executable and uploaded THAT to VirusTotal. Somewhere in this process I had installed ClamAV from the repo and run it with no luck; I also scanned the copied executable and ClamAV said it was fine.
VirusTotal gave me the following:


ClamAV didn't recognize this at VirusTotal either, but several engines did. Since the virus runs out of /tmp and is apparently installed in my user directory, I didn't think reinstalling the OS would do anything, so I dug a little deeper and found a link to this GitHub repository, which lists the files and folders containing the scripts that start the virus up: https://github.com/Saren-Arterius/dbus-daemon-trojan-sample. I found and deleted the files shown and edited the .bash* files that had scripts appended to the end of them to execute the virus.
All seems to be well now.
Oh, I also did a file search in my home folder for any files matching the same size as the virus and found none remaining.

find ~/ -type f -size 3321680c -exec ls {} \;

So if you have a coin mining virus in Linux, this *might* help you.
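Added example (not the author's commands and not from the trojan-sample repository linked above): a small bash triage script for this kind of user-level miner. It snapshots the executables in a directory by size and SHA-256 and copies them to a quarantine directory before anything else touches them (the hash alone can be searched on VirusTotal, so a file that renames itself mid-upload is no longer a problem), greps the shell startup files for appended launch lines, lists the XDG/systemd user autostart entries, and repeats the same-size search. The fake home, the /tmp path and the persistence line in make_fixture are constructed for the demo and are not the real trojan's.

```bash
#!/usr/bin/env bash
# Triage helpers for a user-level Linux coin miner that lives in /tmp and
# restarts itself from lines appended to ~/.bash*.  Added example for this
# post; not the author's script and not from the trojan-sample repository.
# Everything built by make_fixture (paths, names, rc lines) is constructed.
set -u

# 1. Record size + sha256 of every executable below $1 and copy each one,
#    read-only, into quarantine dir $2 BEFORE doing anything else: the
#    sample can be hashed/uploaded later even if the original renames itself.
snapshot_tmp_executables() {   # $1 = directory to scan, $2 = quarantine dir
    local dir="$1" quarantine="$2"
    mkdir -p "$quarantine"
    QUARANTINE="$quarantine" find "$dir" -xdev -type f -perm -u+x -exec sh -c '
        for f; do
            copy="$QUARANTINE/$(basename "$f").sample"
            cp -p "$f" "$copy" 2>/dev/null || continue
            chmod 0400 "$copy"
            printf "%s %s %s\n" "$(wc -c < "$f" | tr -d " ")" \
                "$(sha256sum "$f" | cut -d" " -f1)" "$f"
        done' _ {} +
}

# 2. Heuristic scan of interactive-shell startup files for appended
#    persistence: launching from a world-writable dir, backgrounding with
#    nohup/setsid or a trailing &, piping curl/wget into a shell, base64 -d.
#    Output is file:line:text; a hit is a prompt for review, not proof.
scan_shell_rc() {   # $1 = home directory
    local home="$1" rc
    for rc in .bashrc .bash_profile .bash_login .profile .bash_logout .zshrc; do
        [ -f "$home/$rc" ] || continue
        grep -nE '(/tmp/|/dev/shm/|/var/tmp/|nohup |setsid |&[[:space:]]*$|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64 -d)' \
            "$home/$rc" | sed "s|^|$home/$rc:|"
    done
    return 0
}

# 3. Other user-level autostart locations, with the command each one runs.
list_user_autostart() {   # $1 = home directory
    local home="$1" p f
    for p in .config/autostart .config/systemd/user .local/share/systemd/user; do
        [ -d "$home/$p" ] || continue
        for f in "$home/$p"/*; do
            [ -f "$f" ] || continue
            printf '%s: %s\n' "$f" "$(grep -m1 -E '^(Exec|ExecStart)=' "$f" || echo '(no Exec line)')"
        done
    done
    return 0
}

# 4. The author's same-size sweep (find ~/ -type f -size Nc) as a function.
find_same_size() {   # $1 = directory, $2 = size in bytes
    find "$1" -xdev -type f -size "${2}c" 2>/dev/null
}

# Constructed fixture: a fake home with a tampered .bashrc and an autostart
# entry, plus a fake /tmp holding a stand-in "miner".  Echoes the root dir.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/home/.config/autostart" "$root/tmp/.cache"
    cat > "$root/home/.bashrc" <<'EOF'
# ~/.bashrc: ordinary lines
[ -z "$PS1" ] && return
alias ll='ls -alF'
export EDITOR=vim
# constructed persistence line of the kind the post describes (not the real trojan's):
nohup /tmp/.cache/gvfsd-helper >/dev/null 2>&1 &
EOF
    printf '[Desktop Entry]\nType=Application\nExec=/tmp/.cache/gvfsd-helper\n' \
        > "$root/home/.config/autostart/gvfsd.desktop"
    printf '#!/bin/sh\nwhile :; do :; done\n' > "$root/tmp/.cache/gvfsd-helper"
    chmod 0755 "$root/tmp/.cache/gvfsd-helper"
    printf 'harmless\n' > "$root/tmp/notes.txt"          # non-executable, must not be listed
    echo "$root"
}

demo() {
    local root
    root=$(make_fixture)
    echo "== executables under $root/tmp (size sha256 path) =="
    snapshot_tmp_executables "$root/tmp" "$root/quarantine"
    echo "== suspicious startup-file lines =="
    scan_shell_rc "$root/home"
    echo "== user autostart entries =="
    list_user_autostart "$root/home"
    rm -rf "$root"
}
demo
```

Against the real system the calls are `snapshot_tmp_executables /tmp ~/quarantine`, `scan_shell_rc ~`, `list_user_autostart ~` and `find_same_size ~ <bytes>`; `crontab -l` is worth checking by hand as well, since it is the other common place a user-level miner restarts itself from. Searching VirusTotal by the recorded SHA-256 avoids uploading anything at all.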

Thursday, March 28, 2019

.local/share/sddm/xorg-session.log is about 700GB in size!!!

Holy cow. On my desktop running Manjaro, Firefox suddenly crashed and wouldn't restart. I figured I'd reboot, and I might as well do an update first. Well, "yay" said my home partition was out of space!?! I should have had hundreds of GB free, but df -h showed my home was 100% full.
A bit of investigation using du and I located the issue: in ~/.local/share/sddm was a single file named xorg-session.log which was around 700GB in size. I deleted the file, but things were loath to return to normal, so I rebooted and all is fine and I have 758GB available again.

So what the heck? SDDM is the login manager; I don't understand why it has an xorg session log in the first place. I began monitoring it with tail -f and saw nothing going into it.
After a few hours I looked again and WHOAH, it's over a GB in size again!
The content looked normal, but I realized that with this much data there were bound to be some lines repeated many times, so I ran

sort xorg-session.log | uniq -c | sort -nr | head

This counts the number of times each line in the file appears and outputs the top 10 lines in order:

1982576 print-layout-end
1982576 print-layout-begin
1954874 Deal0:
1922847 Deal1:
1660218 Deal2:
1565822 Deal4: |KH |8H |QS |4H |6H |7S |JS |5S |4H |6H
1261551 Deal3: |5H |KS |KH |2H |4H |TH |AH |JH |3H |AH
 775214 Off:
 721025 Deal3:
 416754 Deal4:

I don't know what's happening, but it appears that when I print a document it floods a bunch of garbage into this log file. I'll have to reboot to investigate further, as I deleted the 1GB file again and now there is no logging taking place.
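Added example, not the author's commands: the same investigation as bash functions, plus the check a practitioner wants before deleting a runaway log. top_files lists the biggest files under a directory (the du step), top_repeated_lines is the sort | uniq -c | sort -nr | head pipeline with the count as a parameter, and procs_holding walks /proc/<pid>/fd to show which process has the log open, which identifies the writer without a reboot. It also shows the "(deleted)" state: removing a file that a process still has open does not return its blocks, which is one reason df can stay full after an rm until the writer exits. The sample log built by make_sample_log is constructed to mimic the repeated lines above.

```bash
#!/usr/bin/env bash
# Disk-fill triage helpers for a runaway log file.  Added example for this
# post, not the author's commands; the sample log is constructed.
set -u

# Largest files below a directory as "KiB<TAB>path", without crossing mounts.
top_files() {   # $1 = directory, $2 = how many
    find "$1" -xdev -type f -exec du -k {} + 2>/dev/null | sort -nr | head -n "$2"
}

# Most frequently repeated lines in a log: the author's pipeline with the
# number of lines shown made a parameter.  Output is "count line".
top_repeated_lines() {   # $1 = file, $2 = how many
    sort "$1" | uniq -c | sort -nr | head -n "$2"
}

# Which processes have a file open, by reading /proc/<pid>/fd symlinks
# (only this user's processes are readable).  A target ending in
# " (deleted)" is a file that was rm'd while still open: its space stays
# allocated until the holder closes it, so df does not drop.  To free the
# space while the writer is still running, truncate in place with ': > file'.
procs_holding() {   # $1 = absolute path of the file
    local want="$1" fd target pid
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            "$want"|"$want (deleted)")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s %s %s\n' "$pid" \
                    "$(cat "/proc/$pid/comm" 2>/dev/null)" "$fd" "$target"
                ;;
        esac
    done
    return 0
}

# Constructed sample: a small log with the kind of repeated lines the post
# shows, in its own temp directory.  Echoes the log path.
make_sample_log() {
    local dir i
    dir=$(mktemp -d)
    {
        for i in 1 2 3 4 5 6; do echo print-layout-begin; done
        for i in 1 2 3 4 5;   do echo print-layout-end;   done
        for i in 1 2 3;       do echo 'Deal0:';           done
        echo 'Off:'
    } > "$dir/xorg-session.log"
    echo "$dir/xorg-session.log"
}

demo() {
    local log
    log=$(make_sample_log)
    echo "== top repeated lines in $log =="
    top_repeated_lines "$log" 3
    echo "== largest files under $(dirname "$log") =="
    top_files "$(dirname "$log")" 3
    echo "== processes holding $log (none expected for the sample) =="
    procs_holding "$log"
    rm -rf "$(dirname "$log")"
}
demo
```

On the real system the calls are `top_files ~ 10`, `top_repeated_lines ~/.local/share/sddm/xorg-session.log 10` and `procs_holding "$HOME/.local/share/sddm/xorg-session.log"`, run as the user whose session owns the log. The pid and comm that procs_holding prints are the place to look for what is actually writing the file; the name of the log says only which session started the writer.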