What are these processes?
Bill Campbell
linux-sxs at celestial.com
Tue Nov 17 09:41:06 PST 2009
On Tue, Nov 17, 2009, Michael Hipp wrote:
> Kurt Wall wrote:
>> ----- Original Message ----- From: "Michael Hipp" <Michael at hipp.com>
>>> PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
>>> 8116 root 20 0 3180 740 636 R 33.2 0.0 1683:15 3
>>> 8267 root 20 0 3180 740 636 R 33.2 0.0 1677:59 3
>>> 23476 root 20 0 3180 744 636 R 32.9 0.0 334:25.58 3
>>> 12887 michael 20 0 2416 1160 876 R 0.3 0.0 0:00.29 top
>>>
>>> The system was running painfully slow. After I rebooted they do not
>>> seem to have reappeared.
>>
>> Looks like ownage to me. I'd wipe this system clean and start over.
>
> Thanks to all who replied, including those that replied privately. I've
> tried some tools to check for rootkits and everything appears clean,
> including looking at the places suggested by David Bandel. Don't see
> anything amiss in the auth logs and this system has minimal Internet
> exposure.
>
> Anyways, this morning a couple of the 3s are back but not as badly; a bit
> more digging shows this weirdness:
Good thing you figured it out.
One thing I forgot to mention is to use the ``lsof'' program to
see what a program or process is doing, particularly the option
that looks at a running process, ``lsof -p pid''. This will
often show the hidden directories where cracker's programs live.
Using ``lsof -n -i | less'' and looking for suspicious
connections is also frequently useful to identify sites that are
doing nasties.
If one uses webmin, be sure to restrict access by CIDR or network
addresses, preferably to an internal LAN as this is a frequent
vector, particularly where passwords may be weak.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792
Public spending isn't the same as private spending. It is usually
spending for things that people wouldn't buy if they had a choice.
-- Bill Bonner http://www.lewrockwell.com/bonner/bonner413.html
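The following is an added example, not part of Bill's post and not output from the original poster's machine: it takes constructed ``lsof -p pid'' output for the mystery ``3'' process (sample paths, PIDs and addresses are made up) and applies two small filters a responder would run over the real thing. One flags open files that live under a dot-directory or whose binary was unlinked while still running, the usual ways a dropped program is hidden; the other pulls out the network descriptors, which is what ``lsof -n -i'' would show for the same process. The ``(deleted)'' and ``/.'' heuristics are assumptions about what to look for, not rules from the thread.

```shell
#!/bin/sh
# Constructed sample of "lsof -p 8116" output for the process top showed
# as "3". Default lsof column layout:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# Paths, node numbers and IP addresses are invented for illustration.
SAMPLE_LSOF_P='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
3 8116 root cwd DIR 8,1 4096 131073 /var/tmp/.x
3 8116 root txt REG 8,1 23456 131080 /var/tmp/.x/3
3 8116 root mem REG 8,1 1234567 65538 /lib/libc.so.6
3 8116 root mem REG 8,1 23456 131081 /tmp/3 (deleted)
3 8116 root 0u CHR 1,3 0t0 1028 /dev/null
3 8116 root 3u IPv4 12345 0t0 TCP 192.0.2.10:45678->198.51.100.7:6667 (ESTABLISHED)'

# Read lsof -p output on stdin and print the NAME of every open file that
# either sits under a hidden directory (a path component beginning with
# ".") or was deleted from disk while the process keeps it open. Both are
# heuristics chosen for this example; the NAME column is assumed to start
# at field 9, which holds for the default layout shown above.
flag_suspicious_files() {
    awk 'NR > 1 {
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        if (name ~ /\/\.[^.\/]/ || name ~ /\(deleted\)/) print name
    }'
}

# Read lsof -p output on stdin and print only the network descriptors, so
# the remote endpoints can be compared against hosts the box is expected
# to talk to.
list_network_fds() {
    awk 'NR > 1 && ($5 == "IPv4" || $5 == "IPv6")'
}

# Count lines without the leading whitespace some wc(1) builds emit.
count_lines() {
    awk 'END { print NR }'
}

# Against a live system the same filters would be fed from lsof itself:
#   lsof -p "$PID" | flag_suspicious_files
#   lsof -p "$PID" | list_network_fds
echo "== files in hidden dirs or deleted on disk =="
printf '%s\n' "$SAMPLE_LSOF_P" | flag_suspicious_files
echo "== network descriptors =="
printf '%s\n' "$SAMPLE_LSOF_P" | list_network_fds
```

Field-position parsing is fragile when lsof omits a column for some descriptor types; for scripted use, ``lsof -F n -p pid'' prints one ``n``-prefixed line per open file name and avoids the column guessing entirely.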