suspicious processes question

[danrussell]

Hello,

While monitoring I found below processes running on server. Are those any suspicious processes? "dreadkar" user doesn't exist on server.

===================
top - 11:53:20 up 92 days, 5:55, 1 user, load average: 1.68, 1.64, 2.14
Tasks: 518 total, 1 running, 517 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.8%us, 0.5%sy, 0.0%ni, 97.5%id, 0.2%wa, 0.0%hi, 0.1%si, 0.0%st
Mem: 16315824k total, 13999736k used, 2316088k free, 857304k buffers
Swap: 8191996k total, 2789568k used, 5402428k free, 10650064k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15529 dreadkar 20 0 43524 5728 1336 S 17.3 0.0 9:44.79 mail
15571 dreadkar 20 0 43988 6052 1336 S 3.0 0.0 9:57.99 mail
487 dreadkar 20 0 59140 3132 816 S 0.5 0.0 0:00.13 init
===================

 

[24x7server]

Hello,

Can you please try to check this user entry in passwd file.

grep dreadka /etc/passwd

Also, Please try to find out which user us running this process through that process ID.

 

[quizknows]

In addition to the good advice above from 24x7 server, you can gather more information about the process with lsof such as:

lsof -p 15529

This could get you the "working directory" (or CWD) of the process(es) to investigate further. The process names are likely spoofed and things like 'init', 'mail', 'httpd', etc. running as the wrong user are generally malicious perl processes with the process name spoofed.

 

[cPanelMichael]

While monitoring I found below processes running on server. Are those any suspicious processes? "dreadkar" user doesn't exist on server.

Hello

The processes do not look legitimate, so you may want to consult with a qualified system administrator or security specialist if you are not comfortable investigating this type of issue on your own.

Thank you.