Strane process running - high load and SSH login not possible

jeroman8

Well-Known Member
Mar 14, 2003
410
0
166
last root -n 10

That what the process is and when it's running I can't login to SSH.
I need to kill the process in WHM first and then I can get in.
Also it uses around 25% of the cpu.

I do not use this command.
It started a week ago - maybe right after I installed rkhunter.
But I don't run rkhunter in cron but still this command shows up daily.

Anyone know what it can be ?

Thanks!
 

Tagor

Well-Known Member
Mar 6, 2004
193
0
166
You first need shell access before you can do anything. 'last' just shows the last logins.
 

xerophyte

Well-Known Member
Mar 16, 2003
215
0
166
Canada
man last :
last, lastb - show listing of last logged in users
-num This is a count telling last how many lines to show.


Looks like you have some root login notification script install on the server which screwing stuff take look at your /root/ and see if there any root login notification script there. if so remove it or /etc/profile

hope that helps
 

jeroman8

Well-Known Member
Mar 14, 2003
410
0
166
xerophyte said:
Looks like you have some root login notification script install on the server which screwing stuff take look at your /root/ and see if there any root login notification script there. if so remove it or /etc/profile

hope that helps
I did install chkrootkit same day as well as rkhunter.
I think it might be the lastlog function or something with chkrootkit.
But I do not have any crontabs on it so the it shouldn't run at all...
Maybe it's been working in silence mode, sniffing or something..

Well I deleted a bunch of stuff now so hopefully it will not start again.

Thanks!