What are these processes?
David A. Bandel
david.bandel at gmail.com
Mon Nov 16 13:11:46 PST 2009
On Mon, Nov 16, 2009 at 14:01, Michael Hipp <Michael at hipp.com> wrote:
> Nothing that I can find. After a reboot all seems well.
>
> Odd thing is I couldn't find these processes in 'ps -ef'.
>
> Michael
>
>
> Lonni J Friedman wrote:
>>
>> No clue, but it looks highly suspicious to me. Do you have any
>> binaries on the system named '3' ?
>>
>> On Mon, Nov 16, 2009 at 9:15 AM, Michael Hipp <Michael at hipp.com> wrote:
>>>
>>> Anyone have any idea what these "3" might be?
>>>
>>>
>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>> 8116 root 20 0 3180 740 636 R 33.2 0.0 1683:15 3
>>> 8267 root 20 0 3180 740 636 R 33.2 0.0 1677:59 3
>>> 23476 root 20 0 3180 744 636 R 32.9 0.0 334:25.58 3
>>> 12887 michael 20 0 2416 1160 876 R 0.3 0.0 0:00.29 top
>>>
>>> The system was running painfully slow. After I rebooted they do not seem
>>> to
>>> have reappeared.
I suspect you've been owned. With no
find / -name 3
you will find normal entries in /usr/share/terminfo, /dev/.udev/watch,
a large number in /proc, but that's it. This binary may not even
exist, having been erased upon startup. Rebooting was the worst thing
you could do before locating this travesty. But don't worry, it'll be
back. You need to look for carefully hidden directories (like
<space><space>.. or with only one dot) and the like. Check in /dev,
/tmp, /var/tmp, and other likely locations (like /root).
Since this program was running as root, you have a real problem if
it's a scanner. Check your auth.log to see who's been in from where.
I'll bet on a foreign IP probably several months ago. You'll also
almost certainly have a cron entry to restart this, so check your
crontabs (both the user crontab and the system's /etc/crontab
entries).
Best of luck,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
Visit my blog at: http://www.pananix.com/cgi-bin/blosxom
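A defender-side triage helper for the three things David suggests checking (a running process whose binary is no longer on disk, oddly named hidden directories in /dev, /tmp, /var/tmp and /root, and cron entries that would restart the process). This is an added example, not code from the original thread; it assumes a Linux host with /proc and the usual cron paths, and takes an optional root directory argument so it can be pointed at a copy of a filesystem.

```sh
#!/bin/sh
# Added triage script (not from the thread). Assumes Linux /proc semantics
# and standard cron locations; the optional $1 is a root prefix for testing.

# 1. Processes whose executable was unlinked after launch: /proc/PID/exe then
#    resolves to "<path> (deleted)". A process called "3" with no file named 3
#    anywhere on disk is exactly this case.
find_deleted_exes() {
  for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    case "$target" in
      *" (deleted)") pid=${exe#/proc/}; pid=${pid%/exe}; echo "$pid $target" ;;
    esac
  done
}

# 2. Directory or file names built to hide from a casual 'ls': a leading or
#    trailing space, or a name made only of dots (e.g. "  .." or "...").
#    Searches the locations named in the thread, staying on one filesystem.
find_hidden_dirs() {
  root=${1:-}
  find "$root/dev" "$root/tmp" "$root/var/tmp" "$root/root" -xdev 2>/dev/null \
    | awk -F/ '$NF ~ /^ | $|^\.\.\.*$/'
}

# 3. Every non-comment cron line, prefixed with file:lineno, from the system
#    crontab, /etc/cron.d and the per-user spool (both common spool layouts).
list_cron_entries() {
  root=${1:-}
  for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
           "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -nv '^[[:space:]]*\(#\|$\)' "$f" | sed "s|^|$f:|"
  done
}

# Run all three checks only when asked, so sourcing the file does not scan /.
if [ "${1:-}" = "--run" ]; then
  find_deleted_exes; find_hidden_dirs; list_cron_entries
fi
```

Run it as root with --run; anything listed by the first two checks, and any cron line you did not write, deserves a closer look before the box is rebooted again.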