suspicious processes question

Comments

  • 24x7server
    Hello, can you please try to check this user's entry in the passwd file?
    grep dreadka /etc/passwd
    Also, please try to find out which user is running this process through that process ID.
  • quizknows
    In addition to the good advice above from 24x7 server, you can gather more information about the process with lsof such as:
    lsof -p 15529
    This could get you the "working directory" (or CWD) of the process(es) to investigate further. The process names are likely spoofed and things like 'init', 'mail', 'httpd', etc. running as the wrong user are generally malicious perl processes with the process name spoofed.
  • cPanelMichael
    While monitoring I found below processes running on server. Are those any suspicious processes? "dreadkar" user doesn't exist on server.

    Hello :) The processes do not look legitimate, so you may want to consult with a qualified system administrator or security specialist if you are not comfortable investigating this type of issue on your own. Thank you.
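
The checks suggested in the comments above (look up the process owner in passwd, inspect the working directory, and treat the process name as possibly spoofed) can be run for a single PID straight from /proc. This is an added example, not part of the original thread; the function names and the PROC_ROOT and PASSWD_FILE overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage one PID using /proc. PROC_ROOT and PASSWD_FILE are
# overridable (an assumption of this example) so it can run on a copied tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Real UID of the process owner, from the "Uid:" line of /proc/PID/status.
proc_uid() {
    awk '$1 == "Uid:" { print $2; exit }' "$PROC_ROOT/$1/status"
}

# Account name for a UID, or empty output if passwd has no such entry.
uid_name() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$PASSWD_FILE"
}

# argv[0] as the process reports it (the process itself can rewrite this).
proc_argv0() {
    tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# Print facts about PID plus FLAG lines; return 1 if anything was flagged.
triage_pid() {
    pid=$1; flagged=0
    uid=$(proc_uid "$pid")
    name=$(uid_name "$uid")
    argv0=$(proc_argv0 "$pid")
    exe=$(readlink "$PROC_ROOT/$pid/exe")   # binary actually executing
    cwd=$(readlink "$PROC_ROOT/$pid/cwd")   # same CWD that lsof -p reports
    echo "pid=$pid uid=$uid user=${name:-<none>} argv0=$argv0 exe=$exe cwd=$cwd"
    if [ -z "$name" ]; then
        echo "FLAG: uid $uid has no entry in $PASSWD_FILE"; flagged=1
    fi
    if [ "${argv0##*/}" != "${exe##*/}" ]; then
        echo "FLAG: claims to be '${argv0##*/}' but runs '${exe##*/}'"; flagged=1
    fi
    return $flagged
}

# Usage: sh triage.sh PID   (run as root to read other users' exe/cwd links)
if [ -n "${1:-}" ]; then triage_pid "$1"; fi
```

A name mismatch is a lead rather than a verdict, since some legitimate daemons rewrite their own process title.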
