
Weird /usr/bin/yes started by cPanel

Discussion in 'General Discussion' started by hicom, Aug 18, 2004.

  1. hicom

    I've noticed recently, every time around noon time, I see a 'yes' process running as root on the system.

    Here is what I have:

    last pid: 60115; load averages: 1.13, 0.44, 0.25 up 0+20:10:01 11:54:19
    64 processes: 3 running, 60 sleeping, 1 zombie
    CPU states: 96.9% user, 0.0% nice, 1.6% system, 1.6% interrupt, 0.0% idle
    Mem: 408M Active, 374M Inact, 171M Wired, 41M Cache, 112M Buf, 9768K Free
    Swap: 2038M Total, 356K Used, 2038M Free

    PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
    60051 root 47 0 892K 388K RUN 0:16 42.12% 34.81% yes
    60054 root 47 0 892K 388K RUN 0:15 40.82% 33.74% yes

    impala# ps 60051
    PID TT STAT TIME COMMAND
    60051 ?? R 0:22.91 yes

    impala# lsof -p 60051
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    yes 60054 root cwd VDIR 157,131076 2560 7772257 /usr/local/cpanel/whostmgr/docroot
    yes 60054 root rtd VDIR 157,131072 1024 2 /
    yes 60054 root txt VREG 157,131076 3052 8493731 /usr/bin/yes
    yes 60054 root txt VREG 157,131076 85908 8988996 /usr/libexec/ld-elf.so.1
    yes 60054 root txt VREG 157,131076 580636 2642649 /usr/lib/libc.so.4
    yes 60054 root 0r VCHR 2,2 0t0 1164 /dev/null
    yes 60054 root 1u PIPE 0xe7a12160 16384
    yes 60054 root 2w VREG 157,131076 322 7752244 /usr/local/cpanel/logs/error_log

    impala# md5 /usr/bin/yes
    MD5 (/usr/bin/yes) = 376e7240897097bbce90b19a34835d35

    Apparently this is being started by cPanel, but why and how? It also consumes a lot of resources.

    Any input on this? I've already scanned the system for possible trojans and did vuln checks; everything was OK, so I know it is not an infection I have.

    This is FreeBSD 4.10 with cPanel 9.4 Stable Release

    Thanks,

    Tamouh
     
    #1 hicom, Aug 18, 2004
    Last edited: Aug 18, 2004
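Added example, not part of the original thread: the first post asks what starts `yes` and how, and one way to answer that is to walk each `yes` process's parent chain from a `ps -axo pid,ppid,user,command` listing. The function name `ancestry`, the sample listing and the `/usr/local/example/nightly-task` path are constructed placeholders, not output from the poster's server.

```shell
#!/bin/sh
# Added example: print the parent chain of every process named "$1".
# Input on stdin: a listing from `ps -axo pid,ppid,user,command`.

ancestry() {
    awk -v target="$1" '
        NR == 1 { next }                        # skip the ps header line
        {
            pid = $1; ppid[pid] = $2; user[pid] = $3
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            cmdof[pid] = cmd
            n = split($4, parts, "/")           # basename of the executable
            if (parts[n] == target) hits[++nhits] = pid
        }
        END {
            for (h = 1; h <= nhits; h++) {
                p = hits[h]; line = ""; depth = 0
                # Follow PPID links until the listing runs out (depth-capped).
                while ((p in cmdof) && depth++ < 64) {
                    sep = (line == "") ? "" : " <- "
                    line = line sep p ":" user[p] ":" cmdof[p]
                    if (p == ppid[p]) break
                    p = ppid[p]
                }
                print line
            }
        }'
}

# Constructed sample listing; the task path is a placeholder.
sample_ps() {
    cat <<'EOF'
  PID  PPID USER COMMAND
    1     0 root /sbin/init
  410     1 root /usr/sbin/cron
60040   410 root /bin/sh -c /usr/local/example/nightly-task
60051 60040 root yes
60054 60040 root yes
EOF
}

sample_ps | ancestry yes
# On a live system: ps -axo pid,ppid,user,command | ancestry yes
```

Each output line reads from the `yes` process back toward init, so the first entry after `yes` is the process that spawned it and the full command line of that parent is visible.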
  2. sjackson909

    Same here.

    bash-2.05b# uname -v
    FreeBSD 4.9-RELEASE #0: Sat Jul 31 12:08:06 EDT 2004
    bash-2.05b# ls -lsao /usr/bin/yes
    4 -r-xr-xr-x 1 root wheel - 3052 Oct 27 2003 /usr/bin/yes
    bash-2.05b# ps -aux | grep yes
    bash-2.05b# grep yes /var/cron/tabs/*
    bash-2.05b# man yes

    YES(1) FreeBSD General Commands Manual YES(1)

    NAME
    yes -- be repetitively affirmative

    SYNOPSIS
    yes [expletive]

    DESCRIPTION
    The yes utility outputs expletive, or, by default, ``y'', forever.

    HISTORY
    The yes command appeared in Version 32V AT&T UNIX.

    FreeBSD 4.9 June 6, 1993 FreeBSD 4.9

    bash-2.05b# md5 /usr/bin/yes
    MD5 (/usr/bin/yes) = ff2c59b22546debccc865927d41d896c
    bash-2.05b#

    Does your /usr/bin/yes match?

    Thanks
    -Seth
     
  3. nickn

    cPanel uses it for something, I don't recall what, but I do know I confirmed with Nick that it was being used by cPanel.
     
  4. hicom

    This is the first time, however, I see it running. I've monitored the server before, and have never seen 'yes' like this.

    I actually thought this is an intrusion attempt and already rebuilt the server!! grrrr...

    Besides, if I don't kill the process, it keeps running away with the system resources. Is this a bug?
     