[CentOS] massive load caused by smartvd

Sat Oct 4 01:58:00 UTC 2014
jwyeth.arch at gmail.com <jwyeth.arch at gmail.com>

Also please note the spelling of the first process. Appears your last grep was for "smartvd" when it is actually "smarvtd".

On Fri, Oct 3, 2014 at 9:53 PM, null <jwyeth.arch at gmail.com> wrote:

> A quick Google for "smarvtd" returns results for both the smarvtd and whitptabil and they appear to be potential malware. Does a ps faux | grep smarvtd return a full path to the file that is running? How about top -c?
> On Fri, Oct 3, 2014 at 9:35 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>> Hey all,
>>  I noticed that my puppet server running CentOS 6.5 was acting a little
>> pokey.
>>   So I logged in and did what well just about anyone would've done. And ran
>> the uptime command to have a look at the load. And it was astonishingly
>> high!
>> [root@puppet:~] #uptime
>>  21:28:01 up  1:26,  3 users,  load average: 107.37, 72.06, 75.52
>> So then I had a look at top and saw a LOT of processes by the name of
>> smartvd.
>>  7332 root      20   0  423m 1808    0 S  5.6  0.1   0:49.30 smarvtd
>>  5469 root      20   0  423m 1804    0 S  4.6  0.1   0:49.55 smarvtd
>>  2042 root      20   0  423m 1804    0 S  3.7  0.1   0:49.66 smarvtd
>>  2421 root      20   0  423m 1808    0 S  3.7  0.1   0:47.62 smarvtd
>>  3081 root      20   0  423m 1808    0 S  3.7  0.1   0:47.08 smarvtd
>>  3366 root      20   0  423m 1804    0 S  3.7  0.1   0:47.87 smarvtd
>>  3568 root      20   0  423m 1808    0 S  3.7  0.1   0:48.94 smarvtd
>>  3971 root      20   0  423m 1812    0 S  3.7  0.1   0:49.18 smarvtd
>>  4264 root      20   0  423m 1812    0 S  3.7  0.1   0:48.33 smarvtd
>>  4585 root      20   0  423m 1812    0 S  3.7  0.1   0:48.44 smarvtd
>>  5277 root      20   0  423m 1808    0 S  3.7  0.1   0:48.13 smarvtd
>>  6160 root      20   0  423m 1812    0 S  3.7  0.1   0:49.33 smarvtd
>>  6441 root      20   0  423m 1808    0 S  3.7  0.1   0:48.17 smarvtd
>>  6746 root      20   0  423m 1804    0 S  3.7  0.1   0:49.60 smarvtd
>>  7612 root      20   0  423m 1812    0 S  3.7  0.1   0:48.97 smarvtd
>>  7919 root      20   0  423m 1808    0 S  3.7  0.1   0:47.33 smarvtd
>>  8202 root      20   0  423m 1812    0 S  3.7  0.1   0:49.67 smarvtd
>> 26526 root      20   0  423m 1812    0 S  3.7  0.1   1:22.17 whitptabil
>>  2747 root      20   0  423m 1812    0 S  2.8  0.1   0:48.41 smarvtd
>>  4952 root      20   0  423m 1812    0 S  2.8  0.1   0:48.43 smarvtd
>>  5878 root      20   0  423m 1808    0 S  2.8  0.1   0:48.02 smarvtd
>>  7048 root      20   0  423m 1808    0 S  2.8  0.1   0:48.51 smarvtd
>> So my question to you is what the HELL is smartvd ? Seems like a virus to
>> me. And of course how do I get rid of it?
>> Also curious what whitptabil is and how to get rid of it.
>> I tried doing a search for both:
>> [root@puppet:~] #rpm -qa | grep smartvd
>> [root@puppet:~] #
>> [root@puppet:~] #find / -name smartvd
>> [root@puppet:~] #
>> [root@puppet:~] #rpm -qa | grep whitptabil
>> [root@puppet:~] #find / -name whitptabil
>> /etc/whitptabil
>> [root@puppet:~] #
>> At least I found a file associated with the latter.
>> Really really curious here, guys. What do y'all think???
>> Thanks
>> Tim
>> -- 
>> GPG me!!
>> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
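
An added example, not part of the original thread: the searches above missed because the name was retyped with two letters swapped, and a find by name also fails when the binary has been unlinked after start. The sketch below takes process names from /proc itself and resolves each PID's exe link; the function names and the optional PROC_ROOT argument are hypothetical, and the RPM ownership check assumes an RPM-based host such as the CentOS box in the thread.

```shell
#!/bin/sh
# Added example: triage processes by the name the kernel reports, not a retyped one.

# proc_name_counts [PROC_ROOT]
# Prints "COUNT NAME" for every distinct process name, busiest first, so the
# exact spelling can be copied instead of typed by hand.
proc_name_counts() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        # First line of /proc/PID/status is "Name:<TAB>name"
        sed -n '1s/^Name:[[:space:]]*//p' "$d/status" 2>/dev/null
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# proc_exe_report NAME [PROC_ROOT]
# Prints "PID<TAB>EXE<TAB>STATE" for each process whose name is exactly NAME.
# STATE: deleted       binary was unlinked after the process started
#        unpackaged    no RPM package owns the binary
#        packaged:PKG  binary belongs to PKG
#        unknown       exe link unreadable, or rpm not installed
proc_exe_report() {
    name=$1; root=${2:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/status" ] || continue
        comm=$(sed -n '1s/^Name:[[:space:]]*//p' "$d/status" 2>/dev/null) || continue
        [ "$comm" = "$name" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=
        case $exe in
            '')            state=unknown ;;
            *' (deleted)') state=deleted ;;
            *)  if ! command -v rpm >/dev/null 2>&1; then state=unknown
                elif pkg=$(rpm -qf "$exe" 2>/dev/null); then state="packaged:$pkg"
                else state=unpackaged; fi ;;
        esac
        printf '%s\t%s\t%s\n' "${d##*/}" "$exe" "$state"
    done
}

# With a name argument: report on that name. Without: show the five busiest names.
if [ $# -gt 0 ]; then proc_exe_report "$1"; else proc_name_counts | head -n 5; fi
```

Run it as root so the exe links of other users' processes are readable; a "deleted" or "unpackaged" state for a root-owned process is the cue to preserve the binary via /proc/PID/exe before killing anything.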