On 04.10.2014 at 03:34, Tim Dunphy wrote:
Hey all,
I noticed that my puppet server running CentOS 6.5 was acting a little pokey.
So I logged in and did what, well, just about anyone would've done, and ran the uptime command to have a look at the load. And it was astonishingly high!
[root@puppet:~] # uptime
21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52
So then I had a look at top and saw a LOT of processes by the name of smarvtd.
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7332 root      20   0  423m 1808    0 S  5.6  0.1   0:49.30 smarvtd
 5469 root      20   0  423m 1804    0 S  4.6  0.1   0:49.55 smarvtd
 2042 root      20   0  423m 1804    0 S  3.7  0.1   0:49.66 smarvtd
 2421 root      20   0  423m 1808    0 S  3.7  0.1   0:47.62 smarvtd
 3081 root      20   0  423m 1808    0 S  3.7  0.1   0:47.08 smarvtd
 3366 root      20   0  423m 1804    0 S  3.7  0.1   0:47.87 smarvtd
 3568 root      20   0  423m 1808    0 S  3.7  0.1   0:48.94 smarvtd
 3971 root      20   0  423m 1812    0 S  3.7  0.1   0:49.18 smarvtd
 4264 root      20   0  423m 1812    0 S  3.7  0.1   0:48.33 smarvtd
 4585 root      20   0  423m 1812    0 S  3.7  0.1   0:48.44 smarvtd
 5277 root      20   0  423m 1808    0 S  3.7  0.1   0:48.13 smarvtd
 6160 root      20   0  423m 1812    0 S  3.7  0.1   0:49.33 smarvtd
 6441 root      20   0  423m 1808    0 S  3.7  0.1   0:48.17 smarvtd
 6746 root      20   0  423m 1804    0 S  3.7  0.1   0:49.60 smarvtd
 7612 root      20   0  423m 1812    0 S  3.7  0.1   0:48.97 smarvtd
 7919 root      20   0  423m 1808    0 S  3.7  0.1   0:47.33 smarvtd
 8202 root      20   0  423m 1812    0 S  3.7  0.1   0:49.67 smarvtd
26526 root      20   0  423m 1812    0 S  3.7  0.1   1:22.17 whitptabil
 2747 root      20   0  423m 1812    0 S  2.8  0.1   0:48.41 smarvtd
 4952 root      20   0  423m 1812    0 S  2.8  0.1   0:48.43 smarvtd
 5878 root      20   0  423m 1808    0 S  2.8  0.1   0:48.02 smarvtd
 7048 root      20   0  423m 1808    0 S  2.8  0.1   0:48.51 smarvtd
So my question to you is: what the HELL is smarvtd? Seems like a virus to me. And of course, how do I get rid of it?
Also curious what whitptabil is and how to get rid of it.
[ ... ]
Really really curious here, guys. What do y'all think???
Thanks Tim
Take the system offline. Save the content for later forensics and then reinstall the system from scratch. What's running is malware:
http://v.virscan.org/Backdoor.Linux.Mayday.f.html
It is typical for such backdoors to camouflage themselves as programs with known names: whitptabil versus whiptail and smarvtd versus smartd.
Alexander
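The name-camouflage pattern Alexander points out (whitptabil for whiptail, smarvtd for smartd) can be checked mechanically. The script below is an added example, not code from the thread or from any tool mentioned in it: it parses top-style output and flags every process name that is within a small edit distance of a known daemon name without being that name. The allowlist KNOWN_DAEMONS, the helper names, and the three legitimate rows (sshd, smartd, puppet) in the constructed sample are assumptions made for the example; the smarvtd and whitptabil rows mirror the posted top output.

```python
"""Added example: flag process names that imitate known daemon names.

Parses top-style output (constructed sample below, modelled on the thread)
and reports names that are within a small edit distance of a known daemon
name but are not that name. KNOWN_DAEMONS is an assumed allowlist for this
example; in practice it would come from the package manager or a baseline
taken from a known-clean host.
"""
import os

# Assumed allowlist of legitimate process names (not from the thread).
KNOWN_DAEMONS = {
    "smartd", "whiptail", "sshd", "crond", "rsyslogd", "puppet",
    "httpd", "init", "udevd", "dhclient",
}

# Constructed sample in `top` layout. The first three rows mirror the thread;
# the last three are invented legitimate processes for contrast.
SAMPLE_TOP = """\
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7332 root      20   0  423m 1808    0 S  5.6  0.1   0:49.30 smarvtd
 5469 root      20   0  423m 1804    0 S  4.6  0.1   0:49.55 smarvtd
26526 root      20   0  423m 1812    0 S  3.7  0.1   1:22.17 whitptabil
 1201 root      20   0   66m 1200  600 S  0.0  0.1   0:00.12 sshd
 1388 root      20   0  117m 1500  900 S  0.0  0.1   0:01.03 smartd
 2290 puppet    20   0  612m 180m   5m S  1.2  9.1   2:14.50 puppet
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_top(text: str):
    """Yield (pid, user, command) from top's process table, skipping headers."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 12 or not fields[0].isdigit():
            continue
        yield int(fields[0]), fields[1], " ".join(fields[11:])


def lookalike(name: str, known=frozenset(KNOWN_DAEMONS), max_dist: int = 2):
    """Return the known daemon that `name` imitates, or None.

    Exact matches are legitimate by definition. Names shorter than five
    characters are skipped because a distance of 2 matches almost anything.
    """
    if name in known or len(name) < 5:
        return None
    best = min(known, key=lambda k: levenshtein(name, k))
    return best if levenshtein(name, best) <= max_dist else None


def flag_suspicious(text: str):
    """Return [(pid, name, imitated_name), ...] for lookalike process names."""
    hits = []
    for pid, _user, cmd in parse_top(text):
        target = lookalike(cmd)
        if target:
            hits.append((pid, cmd, target))
    return hits


def real_binary(pid: int):
    """On a live Linux host, resolve what a PID is actually executing.

    /proc/<pid>/exe is a symlink to the running binary; a ' (deleted)'
    suffix means the file was unlinked after start, a common hiding trick.
    Returns None when /proc is unavailable or the PID has exited.
    """
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


if __name__ == "__main__":
    for pid, name, target in flag_suspicious(SAMPLE_TOP):
        exe = real_binary(pid)
        print(f"PID {pid}: '{name}' looks like '{target}'"
              + (f", exe -> {exe}" if exe else ""))
```

On a live host, feed it the output of `top -b -n 1` (or `ps -eo pid,user,comm`, adjusting the column index) rather than the constructed sample, and treat a hit as a lead, not a verdict: confirm with the `/proc/<pid>/exe` path and `rpm -Vf` on that path before deciding. As Alexander says, once malware running as root is confirmed, the host is rebuilt; the script only helps you find it sooner.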