suspicious processes question

danrussell

Well-Known Member
Nov 5, 2014
cPanel Access Level
Root Administrator
Hello,

While monitoring I found the processes below running on the server. Are these suspicious processes? The "dreadkar" user doesn't exist on the server.

===================
top - 11:53:20 up 92 days, 5:55, 1 user, load average: 1.68, 1.64, 2.14
Tasks: 518 total, 1 running, 517 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.8%us, 0.5%sy, 0.0%ni, 97.5%id, 0.2%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 16315824k total, 13999736k used, 2316088k free, 857304k buffers
Swap: 8191996k total, 2789568k used, 5402428k free, 10650064k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15529 dreadkar 20 0 43524 5728 1336 S 17.3 0.0 9:44.79 mail
15571 dreadkar 20 0 43988 6052 1336 S 3.0 0.0 9:57.99 mail
487 dreadkar 20 0 59140 3132 816 S 0.5 0.0 0:00.13 init
===================

24x7server

Well-Known Member
Apr 17, 2013
cPanel Access Level
Root Administrator
Hello,

Can you please check for this user's entry in the passwd file?

Code:
grep dreadka /etc/passwd
Also, please try to find out which user is running this process, using that process ID.

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
In addition to the good advice above from 24x7server, you can gather more information about the process with lsof, such as:

Code:
lsof -p 15529
This could get you the "working directory" (or CWD) of the process(es) to investigate further. The process names are likely spoofed and things like 'init', 'mail', 'httpd', etc. running as the wrong user are generally malicious perl processes with the process name spoofed.
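The checks suggested in the two replies above (passwd lookup for the owning user, the working directory and binary of the process, and a displayed name that does not match the real binary) combined into one triage script. This is an added example, not code from this thread or from cPanel; it assumes a Linux host with /proc mounted and a local /etc/passwd (users from LDAP or NIS would show as "not in /etc/passwd").

```shell
#!/bin/sh
# Triage a PID from /proc. Added example for this thread, not cPanel code.
# Assumes Linux /proc and that /etc/passwd is the local user database.

# uid_in_passwd UID -> 0 if some /etc/passwd line has that numeric UID
uid_in_passwd() {
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' /etc/passwd
}

# basename_differs EXE COMM -> 0 if the on-disk binary name does not match the
# name the process shows in top/ps (the spoofed-name pattern described above)
basename_differs() {
    exe=${1%" (deleted)"}      # readlink appends " (deleted)" if the file is gone
    [ "$(basename "$exe")" != "$2" ]
}

# inspect_pid PID -> prints owner, comm, exe, cwd, cmdline. Exit status is a
# bit mask: 1 = owner UID not in /etc/passwd, 2 = name mismatch,
# 4 = binary deleted from disk; 255 = no such PID.
inspect_pid() {
    pid=$1; flags=0
    [ -r "/proc/$pid/status" ] || { echo "no such pid: $pid"; return 255; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")   # real UID
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    comm=$(cat "/proc/$pid/comm")
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    if uid_in_passwd "$uid"; then
        owner=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' /etc/passwd)
    else
        owner="uid $uid (NOT in /etc/passwd)"; flags=$((flags | 1))
    fi
    [ "$exe" != "?" ] && basename_differs "$exe" "$comm" && flags=$((flags | 2))
    case $exe in *" (deleted)") flags=$((flags | 4)) ;; esac
    printf 'pid=%s owner=%s\n  comm=%s\n  exe=%s\n  cwd=%s\n  cmdline=%s\n  flags=%s\n' \
        "$pid" "$owner" "$comm" "$exe" "$cwd" "$cmdline" "$flags"
    return "$flags"
}

# Usage: sh triage.sh 15529 15571 487   (the PIDs from the top output above)
[ $# -gt 0 ] && for p in "$@"; do inspect_pid "$p"; done
```

A non-zero flags value is a reason to look harder, not proof of compromise: a shell started as "sh" on a system where sh is a symlink to another binary, or an interpreter that renamed itself, also shows a name mismatch.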

cPanelMichael

Administrator
Staff member
Apr 11, 2011
While monitoring I found the processes below running on the server. Are these suspicious processes? The "dreadkar" user doesn't exist on the server.
Hello :)

The processes do not look legitimate, so you may want to consult with a qualified system administrator or security specialist if you are not comfortable investigating this type of issue on your own.

Thank you.