
Top Processes - Anyone know what this is?

Discussion in 'General Discussion' started by dgs, Sep 8, 2003.

  1. dgs

    dgs Member

    Joined:
    Sep 5, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I found this process running:
    modprobe -r ip_conntrack_irc

    It takes up 99% of CPU and seems to be causing FTP to hang when trying to connect to domains. Also, WHM News won't load when this happens.

    I've never seen this process before. It runs under root and won't trace. Doesn't want to "kill" either.

    Anyone seen this before or have any idea what it could be? I'm worried that since it ends with "irc" someone is possibly running an irc script? I don't allow irc on my servers.

    Any insight is appreciated!

     
  2. JPmorgan

    JPmorgan BANNED

    Joined:
    Aug 19, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Well if it's got irc in the word you better shut it down. Either you got hacked or somebody on your server installed it. Firewall? Where is your firewall? If you had one they couldn't open an irc port to communicate. Food for thought!

     
  3. dgs

    dgs Member

    Joined:
    Sep 5, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    I've got APF firewall running. I was afraid of IRC but can't figure who on the server did it. Only way I was able to get rid of the process was by a reboot.

     
  4. JPmorgan

    JPmorgan BANNED

    Joined:
    Aug 19, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Yeah, well chances are they installed it in a hidden directory that you can't see. Why don't you run this command to find it.

    find / -xdev -name ".*" -print | cat -v

    Note this may bog your server down for awhile. Look for hidden directories, anything that looks suspicious. Watch for suspicious directories in /tmp and possibly /dev. Then cd into the directory. It will start with a period, e.g. /dev/ida/.sys /tmp/.irc etc.

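A narrower form of the search suggested in the post above, as an added example that is not part of the original thread: it reports hidden directories and plain files under a device directory, so special files are judged by type rather than by name. The function names, the output format and the sample tree (a FIFO stands in for a device node, since creating real nodes needs root) are constructed for illustration.

```shell
#!/bin/sh
# Added example; scan_devdir and make_sample_tree are hypothetical helpers.

# Print one "<kind><TAB><path>" line per finding under a device directory.
# -xdev keeps the walk on the starting filesystem, so separately mounted
# areas below it are not descended into.
scan_devdir() {
    root=${1:-/dev}
    {
        # Hidden directories: the hiding place the post describes.
        find "$root" -xdev ! -path "$root" -type d -name '.*' -print 2>/dev/null |
            while IFS= read -r p; do printf 'hidden-dir\t%s\n' "$p"; done
        # Plain files: a device tree normally holds device nodes, symlinks,
        # FIFOs and sockets, so each regular file deserves a look.
        find "$root" -xdev -type f -print 2>/dev/null |
            while IFS= read -r p; do printf 'regular-file\t%s\n' "$p"; done
    } | cat -v   # make control characters in names visible
}

# Constructed sample tree for trying the scan without touching /dev.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkfifo "$t/ircomm0"      # special file: must not be reported
    mkdir "$t/.sys"          # hidden directory: reported
    : > "$t/.sys/bot"        # plain file inside it: reported
    : > "$t/ptyq"            # plain file with a device-like name: reported
    printf '%s\n' "$t"
}
```

Run `scan_devdir` with no argument to check /dev itself; every line it prints is something to inspect, not proof of compromise.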
     
  5. dgs

    dgs Member

    Joined:
    Sep 5, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for all your help. I really appreciate it. I did the above and the only thing I could see that may be suspicious is when I cd /dev, there are listed ircomm0, going thru 10.

    I didn't see any ./files when running the command above that were suspicious. Just wondering if the ircomm0-10 files are OK or since they begin with irc... they are doing something.

     
  6. Wako

    Wako Member

    Joined:
    Jan 1, 2003
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I am having a similar problem as dgs. Anyone have any idea what that ....irc load is about?

     
  7. JPmorgan

    JPmorgan BANNED

    Joined:
    Aug 19, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    I don't have those files on my server. Not sure why you do. Have you checked your box using chkrootkit? Your box could have been rooted rather than just one of your users installing IRC.


     
    #7 JPmorgan, Sep 14, 2003
    Last edited: Sep 14, 2003
  8. Wako

    Wako Member

    Joined:
    Jan 1, 2003
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    I have ircomm0-15, I am wondering what they are too.
    Anyone know?

     
  9. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    I've got them on a brand-spanking new RH install. They must be Redhat files, not related to dgs's problem. JPMorgan, what OS are you using?

     
  10. dgs

    dgs Member

    Joined:
    Sep 5, 2002
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Ran chkrootkit and it showed nothing. I haven't had the problem show up again since my reboot. Seems to have disappeared after that. Changed my root password also after the reboot. Really a mystery that hopefully will not return!

     
  11. JPmorgan

    JPmorgan BANNED

    Joined:
    Aug 19, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    RH 7.2 and 7.3 and I can't find those files anywhere on my boxes.

     
  12. ricoche

    ricoche Well-Known Member

    Joined:
    Feb 7, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    modprobe-rip_conntrack_irc

    Hi there,

    I seem to be getting a similar error to above with an 85% CPU usage for the following: modprobe-rip_conntrack_irc

    Should I do a reboot? If so, is the reboot the one found in WHM "Graceful Server Reboot" or one that I have my datacenter do?

    I can't seem to either locate, view, or kill this process at all. In addition, I get several server high load warnings each day.

    Any help or suggestions would be greatly appreciated.

    Thank you,

    - Jim :)

    Ok, I just did a graceful server reboot and the modprobe seems to have disappeared. For how long I am not sure. I also changed my root password and checked my APF firewall. Everything looks good. We'll see what happens.
     
    #12 ricoche, Oct 31, 2003
    Last edited: Oct 31, 2003
  13. pagedeveloping

    pagedeveloping Well-Known Member

    Joined:
    Jun 11, 2003
    Messages:
    219
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    lsmod -- list loaded kernel modules
    rmmod ip_conntrack_irc -- unloads ip_conntrack_irc module
    lsmod -- sanity check, ip_conntrack_irc should be gone

    There is no need to reboot your server, what you really need to do is start using the "search" feature inside your web browser.

    Come on guys, you can start by putting this in your google search bar modprobe ip_conntrack_irc

    regards,
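The lsmod / rmmod / lsmod sequence from the post above as a scriptable check (an added example, not part of the original thread): it reads /proc/modules, the file lsmod formats, and reports a module's state, reference count and users before an unload is attempted. The function names and the sample module table are constructed for illustration, and the six-column 2.6-style /proc/modules layout is assumed.

```shell
#!/bin/sh
# Added example; module_status, safe_to_unload and write_sample_modules are
# hypothetical helpers. Assumed /proc/modules columns:
#   name size refcount used_by state address

# Print "<name> state=<S> refcount=<N> used_by=<list>" or "<name> absent".
module_status() {
    name=$1
    file=${2:-/proc/modules}
    awk -v m="$name" '
        $1 == m {
            found = 1
            users = ($4 == "-") ? "none" : $4
            sub(/,$/, "", users)          # drop the trailing comma
            printf "%s state=%s refcount=%s used_by=%s\n", m, $5, $3, users
        }
        END { if (!found) printf "%s absent\n", m }
    ' "$file"
}

# Succeeds only when the module is loaded, Live and unreferenced, which is
# when rmmod is expected to return straight away. A module that is absent,
# still in use, or already in the Unloading state fails the check.
safe_to_unload() {
    case $(module_status "$1" "${2:-/proc/modules}") in
        *"state=Live refcount=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample table, written to the file named in $1.
write_sample_modules() {
    cat > "$1" <<'EOF'
ip_conntrack_irc 71120 0 - Live 0xe0a5c000
ip_conntrack_ftp 72016 1 - Live 0xe0a49000
ip_conntrack 40984 2 ip_conntrack_irc,ip_conntrack_ftp, Live 0xe0a3e000
EOF
}
```

On a live system, `module_status ip_conntrack_irc` before and after the rmmod gives the same sanity check as the second lsmod.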
     
  14. ricoche

    ricoche Well-Known Member

    Joined:
    Feb 7, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Thank you for the information.

    And what you need to do too, is understand that people do use the search function on their web browsers very well. Things happen and sometimes you just either don't know if you have the right keyword or the right post. I spent nearly two hours over the course of a couple of days trying to research this topic.

    I don't appreciate your comment and it's people like you who need to take a break and chill out.

    Stop flaming people!

    Enough said.

    :mad:
     
  15. pagedeveloping

    pagedeveloping Well-Known Member

    Joined:
    Jun 11, 2003
    Messages:
    219
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    dude! there is no "flaming" here?

    This is basic knowledge and you need to understand how to run a server before attempting to go into the business.

    If you're insulted by my post then I am right about you not knowing how to run a server.

    so I think that you need
    .

    regards,
     
  16. XPerties

    XPerties Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    401
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    I agree with ricoche. I find your cocky attitude to be child's play.

    I actually think next time if you don't have any helpful comments that are in a more mature manner you should keep your remarks to yourself. Instead of trying to teach someone how to run a server, how about learn manners first.
     
  17. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    We are not mind readers and, if the poster doesn't mention things they have done, how are we to know -- except by asking or pointing it out. This is what pagedeveloping did and people shouldn't be so thin-skinned to comments.

    The commands mentioned were right on track for the problem and, since no one really seemed to know what "modprobe" is or does, was correct in mentioning a Web search for it.

    I think everyone should chill out. :D
     
  18. pagedeveloping

    pagedeveloping Well-Known Member

    Joined:
    Jun 11, 2003
    Messages:
    219
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    Give me a break "cocky"

    Why haven't you posted any useful information?

    My last post should have been end of subject since I believe it has already been answered.

    If you people feel intimidated because I suggested you use the search engine then you need to get out more often.

    Regards,
     