I've noticed recently, every time around noon time, I see a 'yes' process running as root on the system.
Here is what I have:
last pid: 60115; load averages: 1.13, 0.44, 0.25 up 0+20:10:01 11:54:19
64 processes: 3 running, 60 sleeping, 1 zombie
CPU states: 96.9% user, 0.0% nice, 1.6% system, 1.6% interrupt, 0.0% idle
Mem: 408M Active, 374M Inact, 171M Wired, 41M Cache, 112M Buf, 9768K Free
Swap: 2038M Total, 356K Used, 2038M Free
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
60051 root 47 0 892K 388K RUN 0:16 42.12% 34.81% yes
60054 root 47 0 892K 388K RUN 0:15 40.82% 33.74% yes
impala# ps 60051
PID TT STAT TIME COMMAND
60051 ?? R 0:22.91 yes
impala# lsof -p 60051
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
yes 60054 root cwd VDIR 157,131076 2560 7772257 /usr/local/cpanel/whostmgr/docroot
yes 60054 root rtd VDIR 157,131072 1024 2 /
yes 60054 root txt VREG 157,131076 3052 8493731 /usr/bin/yes
yes 60054 root txt VREG 157,131076 85908 8988996 /usr/libexec/ld-elf.so.1
yes 60054 root txt VREG 157,131076 580636 2642649 /usr/lib/libc.so.4
yes 60054 root 0r VCHR 2,2 0t0 1164 /dev/null
yes 60054 root 1u PIPE 0xe7a12160 16384
yes 60054 root 2w VREG 157,131076 322 7752244 /usr/local/cpanel/logs/error_log
impala# md5 /usr/bin/yes
MD5 (/usr/bin/yes) = 376e7240897097bbce90b19a34835d35
Apparently this is being started by cPanel, but why and how? It also consumes a lot of resources.
Any input on this? I've already scanned the system for possible trojans and did vuln checks; everything was OK, so I know it is not an infection I have.
This is FreeBSD 4.10 with cPanel 9.4 Stable Release
Thanks,
Tamouh







