The Community Forums


suspicious processes question

Discussion in 'Security' started by danrussell, Jul 15, 2015.

  1. danrussell

    danrussell Well-Known Member

    Joined:
    Nov 5, 2014
    Messages:
    60
    Likes Received:
    3
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hello,

    While monitoring, I found the processes below running on the server. Are these suspicious processes? The "dreadkar" user doesn't exist on the server.

    ===================
    top - 11:53:20 up 92 days, 5:55, 1 user, load average: 1.68, 1.64, 2.14
    Tasks: 518 total, 1 running, 517 sleeping, 0 stopped, 0 zombie
    Cpu(s): 1.8%us, 0.5%sy, 0.0%ni, 97.5%id, 0.2%wa, 0.0%hi, 0.1%si, 0.0%st
    Mem: 16315824k total, 13999736k used, 2316088k free, 857304k buffers
    Swap: 8191996k total, 2789568k used, 5402428k free, 10650064k cached

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    15529 dreadkar 20 0 43524 5728 1336 S 17.3 0.0 9:44.79 mail
    15571 dreadkar 20 0 43988 6052 1336 S 3.0 0.0 9:57.99 mail
    487 dreadkar 20 0 59140 3132 816 S 0.5 0.0 0:00.13 init
    ===================
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Can you please check for this user's entry in the passwd file:

    Code:
    grep dreadka /etc/passwd 
    Also, please try to find out which user is running this process through that process ID.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    In addition to the good advice above from 24x7server, you can gather more information about the process with lsof, such as:

    Code:
    lsof -p 15529
    
    This could get you the "working directory" (or CWD) of the process(es) to investigate further. The process names are likely spoofed and things like 'init', 'mail', 'httpd', etc. running as the wrong user are generally malicious perl processes with the process name spoofed.
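    As an added example (not code from this thread or from cPanel), the checks suggested above folded into one Python triage script that reads /proc for a given PID: whether the owning uid still has a passwd entry, whether the name top shows matches the executable the kernel actually loaded, whether that executable has since been deleted, and whether the working directory is a scratch area. Linux only; the scratch-directory list is an assumption.

```python
#!/usr/bin/env python3
"""Triage one PID the way the thread suggests: does the owning user exist,
and does the name top shows match what the kernel actually executed?"""
import os
import pwd

SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # assumed common drop locations

def gather(pid):
    """Collect facts about PID from /proc (Linux only; needs read access)."""
    base = f"/proc/{pid}"
    uid = os.stat(base).st_uid
    try:
        user = pwd.getpwuid(uid).pw_name      # None if no passwd entry
    except KeyError:
        user = None
    with open(f"{base}/comm") as f:
        comm = f.read().strip()               # short name shown by top/ps
    with open(f"{base}/cmdline", "rb") as f:
        argv0 = f.read().split(b"\0")[0].decode(errors="replace")
    try:
        exe = os.readlink(f"{base}/exe")      # real binary; " (deleted)" if unlinked
    except OSError:
        exe = ""                              # kernel thread or no permission
    return {"pid": pid, "uid": uid, "user": user, "comm": comm,
            "argv0": argv0, "exe": exe, "cwd": os.readlink(f"{base}/cwd")}

def assess(info):
    """Return human-readable findings for one process; [] means nothing odd."""
    findings = []
    if info["user"] is None:
        findings.append(f"uid {info['uid']} has no /etc/passwd entry")
    exe_name = os.path.basename(info["exe"]).replace(" (deleted)", "")
    # A program that renamed itself (perl's $0 = "mail") changes comm and
    # argv[0] but not exe; a legitimate #! script keeps the interpreter in argv[0].
    if exe_name and exe_name not in {info["comm"], os.path.basename(info["argv0"])}:
        findings.append(f"shows as '{info['comm']}' but runs {info['exe']}")
    if info["exe"].endswith(" (deleted)"):
        findings.append("executable was removed from disk after it started")
    if any(info["cwd"] == d or info["cwd"].startswith(d + "/") for d in SCRATCH_DIRS):
        findings.append(f"working directory {info['cwd']} is a world-writable scratch area")
    return findings

if __name__ == "__main__":
    import sys
    for pid in sys.argv[1:]:
        for line in assess(gather(int(pid))) or ["no findings"]:
            print(f"{pid}: {line}")
```

Run it as root with the PIDs from top (e.g. `./triage.py 15529 15571 487`); a process that self-renamed shows up as the comm/exe mismatch, while a normal perl script started via its #! line does not.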
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,834
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The processes do not look legitimate, so you may want to consult with a qualified system administrator or security specialist if you are not comfortable investigating this type of issue on your own.

    Thank you.
     