What are these processes?

Michael Hipp Michael at hipp.com
Tue Nov 17 07:24:26 PST 2009


Kurt Wall wrote:
> ----- Original Message ----- From: "Michael Hipp" <Michael at hipp.com>
>>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>  8116 root      20   0  3180  740  636 R 33.2  0.0   1683:15 3
>>  8267 root      20   0  3180  740  636 R 33.2  0.0   1677:59 3
>> 23476 root      20   0  3180  744  636 R 32.9  0.0 334:25.58 3
>> 12887 michael   20   0  2416 1160  876 R  0.3  0.0   0:00.29 top
>>
>> The system was running painfully slow. After I rebooted they do not 
>> seem to have reappeared.
> 
> Looks like ownage to me. I'd wipe this system clean and start over.

Thanks to all who replied, including those that replied privately. I've tried 
some tools to check for rootkits and everything appears clean, including 
looking at the places suggested by David Bandel. Don't see anything amiss in 
the auth logs and this system has minimal Internet exposure.

Anyways, this morning a couple of the 3s are back but not as badly; a bit more 
digging shows this weirdness:

# top -b
 5611 root      20   0  3180  748  644 S  0.0  0.0   0:10.57 3
11245 root      20   0  3184  820  656 S  0.0  0.0   0:09.86 3

# top -b -c
 5611 root      20   0  3180  748  644 S  0.0  0.0   0:10.58 hamachi -c /etc/hamachi go-online MyNet
11245 root      20   0  3184  820  656 S  0.0  0.0   0:09.87 hamachi -c /etc/hamachi start

# ps -ef
root      5611  5550  0 Nov16 ?        00:00:10 hamachi -c /etc/hamachi go-online MyNet
root     11245     1  0 Nov16 ?        00:00:09 hamachi -c /etc/hamachi start

It appears the '3' processes are actually the hamachi VPN. Hamachi hasn't been 
working worth a flip on all my boxes lately (some Linux, some Windows) so I've 
been in the process of ditching it for OpenVPN. Looked at one other box and hamachi 
shows up as '3' there also depending on which option is given to top. In ps it 
looks normal.

Also, took the machine offline for a while and ran memtest on it and looks like 
I may have some hard memory errors. Sigh.

So anyways, as soon as I can get some key stuff moved off this box I'm going to 
wipe it just to be sure. And fix the memory.

Thanks,
Michael
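
Added example, not part of the original post: a shell function that lists processes whose kernel task name (/proc/PID/comm, the name plain `top` displays) matches neither argv[0] nor the executable link, which is the discrepancy seen above between `top -b` and `top -b -c`. The function name and its optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: list processes whose task name differs from their
# command line and executable. Plain `top` prints /proc/PID/comm, while
# `top -c` and `ps -ef` print /proc/PID/cmdline.
# Assumption: the optional argument is a proc-style directory (default
# /proc) so the check can also run against a copied or constructed tree.

name_mismatches() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        # cmdline is NUL-separated; the first field is argv[0].
        argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        # Kernel threads have an empty cmdline: nothing to compare.
        [ -n "$argv0" ] || continue
        # exe is unreadable for other users' processes unless run as root.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        # The kernel truncates comm to 15 characters, so compare prefixes
        # of the base names.
        short_argv=$(printf '%.15s' "${argv0##*/}")
        short_exe=$(printf '%.15s' "${exe##*/}")
        if [ "$comm" != "$short_argv" ] && [ "$comm" != "$short_exe" ]; then
            printf '%s\tcomm=%s\targv0=%s\texe=%s\n' \
                "$pid" "$comm" "$argv0" "${exe:-unreadable}"
        fi
    done
}

# Scan the live system, or the directory given as the first argument.
name_mismatches "${1:-/proc}"
```

A hit is a starting point for triage, not a verdict: scripts started through an interpreter and daemons that rename themselves also show a comm that differs from argv[0] and the executable.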


