Weird /usr/bin/yes started by cPanel

Discussion in 'General Discussion' started by hicom, Aug 18, 2004.

  1. hicom

    I've noticed recently, every time around noon time, I see a 'yes' process running as root on the system.

    Here is what I have:

    last pid: 60115; load averages: 1.13, 0.44, 0.25 up 0+20:10:01 11:54:19
    64 processes: 3 running, 60 sleeping, 1 zombie
    CPU states: 96.9% user, 0.0% nice, 1.6% system, 1.6% interrupt, 0.0% idle
    Mem: 408M Active, 374M Inact, 171M Wired, 41M Cache, 112M Buf, 9768K Free
    Swap: 2038M Total, 356K Used, 2038M Free

    PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
    60051 root 47 0 892K 388K RUN 0:16 42.12% 34.81% yes
    60054 root 47 0 892K 388K RUN 0:15 40.82% 33.74% yes

    impala# ps 60051
    PID TT STAT TIME COMMAND
    60051 ?? R 0:22.91 yes

    impala# lsof -p 60051
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    yes 60054 root cwd VDIR 157,131076 2560 7772257 /usr/local/cpanel/whostmgr/docroot
    yes 60054 root rtd VDIR 157,131072 1024 2 /
    yes 60054 root txt VREG 157,131076 3052 8493731 /usr/bin/yes
    yes 60054 root txt VREG 157,131076 85908 8988996 /usr/libexec/ld-elf.so.1
    yes 60054 root txt VREG 157,131076 580636 2642649 /usr/lib/libc.so.4
    yes 60054 root 0r VCHR 2,2 0t0 1164 /dev/null
    yes 60054 root 1u PIPE 0xe7a12160 16384
    yes 60054 root 2w VREG 157,131076 322 7752244 /usr/local/cpanel/logs/error_log

    impala# md5 /usr/bin/yes
    MD5 (/usr/bin/yes) = 376e7240897097bbce90b19a34835d35

    Apparently this is being started by cPanel, but why and how? It also consumes a lot of resources.

    Any input on this? I've already scanned the system for possible trojans and did vuln checks; everything was OK, so I know it is not an infection I have.

    This is FreeBSD 4.10 with cPanel 9.4 Stable Release

    Thanks,

    Tamouh
     
    #1 hicom, Aug 18, 2004
    Last edited: Aug 18, 2004
  2. sjackson909

    Same here.

    bash-2.05b# uname -v
    FreeBSD 4.9-RELEASE #0: Sat Jul 31 12:08:06 EDT 2004
    bash-2.05b# ls -lsao /usr/bin/yes
    4 -r-xr-xr-x 1 root wheel - 3052 Oct 27 2003 /usr/bin/yes
    bash-2.05b# ps -aux | grep yes
    bash-2.05b# grep yes /var/cron/tabs/*
    bash-2.05b# man yes

    YES(1) FreeBSD General Commands Manual YES(1)

    NAME
    yes -- be repetitively affirmative

    SYNOPSIS
    yes [expletive]

    DESCRIPTION
    The yes utility outputs expletive, or, by default, ``y'', forever.

    HISTORY
    The yes command appeared in Version 32V AT&T UNIX.

    FreeBSD 4.9 June 6, 1993 FreeBSD 4.9

    bash-2.05b# md5 /usr/bin/yes
    MD5 (/usr/bin/yes) = ff2c59b22546debccc865927d41d896c
    bash-2.05b#

    Does your /usr/bin/yes match?

    Thanks
    -Seth
     
  3. nickn

    cPanel uses it for something. I don't recall what, but I do know I confirmed with Nick that it was being used by cPanel.
     
  4. hicom

    This is the first time, however, that I see it running. I've monitored the server before, and never seen 'yes' like this.

    I actually thought this was an intrusion attempt and already rebuilt the server!! grrrr...

    Besides, if I don't kill the process, it keeps running away with the system resources. Is this a bug?
     