Linode Forum
https://forum.linode.com/

www-data user process named ./stealth consumes 90+% cpu
https://forum.linode.com/viewtopic.php?f=19&t=8235

Author:  timinho [ Thu Dec 29, 2011 7:12 pm ]
Post subject:  www-data user process named ./stealth consumes 90+% cpu

It happens once a day that a process named ./stealth (running as my apache user www-data), which is unknown to me and I cannot find on my Lucid 10.04 system via locate, consumes over 90% CPU. What could this be? Network bandwidth peaks to 15 Mbit/s, is this a DoS attack?

Any help on how to investigate this would be much appreciated!

Best,
Tim

Author:  AviMarcus [ Thu Dec 29, 2011 7:23 pm ]
Post subject: 

On IRC:

EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.
@heckman>: It compromises ALL THE THINGS

Author:  theckman [ Thu Dec 29, 2011 7:29 pm ]
Post subject: 

AviMarcus wrote:
On IRC:

EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.
@heckman>: It compromises ALL THE THINGS


Running this command may help you track it down:

Code:
    ps auxf


However, you should consider this Linode compromised and no longer safe to store any data on or use for anything. Your best option is to back up your data and redeploy.

One way to do this would be to shrink your disk images and deploy a new distro alongside. You can then copy the files over and delete the old disk image.

I would also recommend trying to determine how the compromise happened in the process of moving data to prevent it from happening again.

-Tim

Edit: Make sure you only copy over files that you know were not the root of the problem. Here's more conversation from IRC:

Quote:
Dec29 18:31:18 < EugeneKay> The forum post I read traced it down to something called Zen
Dec29 18:31:29 < rnowak> the shopping cart?
Dec29 18:31:29 < EugeneKay> Which is any of a dozen PHP packages
Dec29 18:31:40 < EugeneKay> Didn't say.
Dec29 18:31:46 < EugeneKay> But probably
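The advice above (run `ps auxf`, work out where the process came from, then back up only what you trust and redeploy) put into a small triage script. This is an added example written for this page, not code from the thread or from any of the posters. It assumes Linux with /proc mounted, the column layout of `ps aux`/`ps auxf` (the command text starts in the 11th column), a web user of www-data and a web root of /var/www; the `ps` sample it runs on is constructed for the example, with made-up PIDs, times and paths.

```shell
#!/bin/sh
# Triage helper for an unknown process running as the web-server user.
# Added example for this page; not code from the thread or any poster.
# Assumes Linux (/proc mounted) and `ps aux`/`ps auxf` column layout
# (the command text begins in the 11th column).

# Constructed `ps auxf` sample modelled on the situation in the thread.
# PIDs, times and the /tmp path are made up for the example.
SAMPLE_PS=$(cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2880  1700 ?        Ss   Dec28   0:01 /sbin/init
root      1012  0.0  0.3  10230  3300 ?        Ss   Dec28   0:02 /usr/sbin/apache2 -k start
www-data  1100  0.0  0.4  10450  4100 ?        S    Dec28   0:00  \_ /usr/sbin/apache2 -k start
www-data  4242 95.3  0.2   5100  2100 ?        R    18:31  12:40      \_ ./stealth
www-data  4250  0.0  0.1   3400  1200 ?        S    18:31   0:00          \_ /tmp/.x/run.sh
EOF
)

# flag_suspicious_procs USER
# Reads ps output on stdin and prints "PID %CPU COMMAND" for every process
# owned by USER whose binary is a relative path (./stealth) or lives in a
# world-writable scratch directory. Web-server workers normally run
# binaries from /usr, so anything printed here deserves a closer look.
flag_suspicious_procs() {
    awk -v u="${1:-www-data}" '
        $1 != u { next }
        {
            # skip the tree art (\_ and |) that ps -f draws before the command
            for (i = 11; i <= NF; i++) if ($i != "\\_" && $i != "|") break
            cmd = $i
            if (cmd ~ /^\.\// || cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
                print $2, $3, cmd
        }'
}

# describe_pid PID
# Pulls what /proc knows about a live process: the real binary (resolved
# even if the file on disk was deleted after launch), the directory it was
# started from, its parent (an apache2 worker when a PHP application was
# the entry point), and any open sockets or deleted files.
describe_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "describe_pid: no process $pid" >&2; return 1; }
    echo "exe : $(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unreadable)')"
    echo "cwd : $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unreadable)')"
    echo "cmd : $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "ppid: $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)"
    echo "fds :"
    ls -l "/proc/$pid/fd" 2>/dev/null | grep -E 'socket:|\(deleted\)' | sed 's/^/      /'
    return 0
}

# persistence_hints WEBROOT DAYS
# Cheap places to look for how the process gets restarted every day and for
# the dropper: recently changed files under the web root, the web user's
# crontab, and the scratch directories an upload-then-execute chain uses.
persistence_hints() {
    root="${1:-/var/www}"; days="${2:-7}"
    echo "## files under $root modified in the last $days days"
    find "$root" -type f -mtime -"$days" -exec ls -l {} + 2>/dev/null
    echo "## crontab for www-data"
    crontab -u www-data -l 2>/dev/null || echo "(none)"
    echo "## scratch directories"
    ls -la /tmp /var/tmp /dev/shm 2>/dev/null
}

# Stand-alone demo on the constructed sample. On the affected box run
#   ps auxf | flag_suspicious_procs www-data
# then describe_pid <PID> and persistence_hints /var/www 7 before rebuilding.
printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs www-data
```

Two points worth knowing while reading the output. First, the parent chain `ps auxf` draws is the quickest evidence for the IRC theory above: if ./stealth hangs off an apache2 worker, the entry point was the web application, and the Apache access log around the process's start time is where to look for the request that dropped it. Second, `locate` not finding the binary proves little, because it searches a database rebuilt once a day and Debian-derived systems prune /tmp from it by default; /proc/PID/exe and /proc/PID/cwd show where the file really is, or was, while the process is still running.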

All times are UTC-04:00