Hey all,
I noticed that my puppet server running CentOS 6.5 was acting a little pokey.
So I logged in and did what well just about anyone would've done. And ran the uptime command to have a look at the load. And it was astonishingly high!
[root@puppet:~] #uptime
21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52
So then I had a look at top and saw a LOT of processes by the name of smartvd.
7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd
So my question to you is what the HELL is smartvd ? Seems like a virus to me. And of course how do I get rid of it?
Also curious what whitptabil is and how to get rid of it.
I tried doing a search for both:
[root@puppet:~] #rpm -qa | grep smartvd
[root@puppet:~] #
[root@puppet:~] #find / -name smartvd
[root@puppet:~] #
[root@puppet:~] #rpm -qa | grep whitptabil
[root@puppet:~] #find / -name whitptabil
/etc/whitptabil
[root@puppet:~] #
At least I found a file associated with the latter.
Really really curious here, guys. What do y'all think???
Thanks Tim
A quick Google for "smarvtd" returns results for both smarvtd and whitptabil, and they appear to be potential malware. Does a ps faux | grep smarvtd return a full path to the file that is running? How about top -c?
— Sent from Mailbox
On Fri, Oct 3, 2014 at 9:35 PM, Tim Dunphy bluethundr@gmail.com wrote:
[ ... ]
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Also please note the spelling of the first process. Appears your last grep was for "smartvd" when it is actually "smarvtd"
— Sent from Mailbox
On Fri, Oct 3, 2014 at 9:53 PM, jwyeth.arch@gmail.com wrote:
[ ... ]
yeah it does..
[root@puppet:~] #ps faux | grep smarvtd
root 18194 0.0 0.0 103244 836 pts/2 S+ 11:05 0:00 | \_ grep smarvtd
root 28855 0.0 0.1 433824 1688 ? Ssl Oct03 0:15 /tmp/smarvtd
root 5923 0.0 0.1 433824 1684 ? Ssl Oct03 0:12 /tmp/smarvtd
root 13621 0.0 0.1 433824 1680 ? Ssl 00:00 0:11 /tmp/smarvtd
root 6097 0.0 0.1 433824 1680 ? Ssl 01:00 0:09 /tmp/smarvtd
root 1462 0.0 0.1 433824 1684 ? Ssl 02:00 0:08 /tmp/smarvtd
root 23182 0.0 0.1 433824 1684 ? Ssl 03:00 0:08 /tmp/smarvtd
root 18879 0.0 0.1 433824 1688 ? Ssl 04:00 0:06 /tmp/smarvtd
root 11139 0.0 0.1 433824 1688 ? Ssl 05:00 0:05 /tmp/smarvtd
root 11167 0.0 0.1 433824 1688 ? Ssl 06:00 0:04 /tmp/smarvtd
root 16443 0.0 0.1 433824 1680 ? Ssl 07:00 0:03 /tmp/smarvtd
root 15361 0.0 0.1 433824 1680 ? Ssl 08:00 0:02 /tmp/smarvtd
root 13379 0.0 0.1 433824 1680 ? Ssl 09:00 0:01 /tmp/smarvtd
root 11599 0.0 0.1 433824 1684 ? Ssl 10:00 0:00 /tmp/smarvtd
root 12731 0.0 0.1 433824 1684 ? Ssl 11:00 0:00 /tmp/smarvtd
Thanks for the tip, I'll have to remember that!
I think I'll image this machine for later study. Then wipe it and start again! Thanks
On 04.10.2014 at 03:34, Tim Dunphy wrote:
[ ... ]
Take the system off. Save the content for later forensics and then reinstall the system from scratch. What's running is malware:
http://v.virscan.org/Backdoor.Linux.Mayday.f.html
It is typical for such backdoors to camouflage as programs with a known name: whitptabil versus whiptail and smarvtd versus smartd.
Alexander
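Putting together the two tips above (the full path that ps faux reveals, and Alexander's observation that the names imitate smartd and whiptail), here is a small triage script added for this thread; it is not code from any of the posters. It reads ps faux style output, flags any process whose binary runs out of /tmp, /var/tmp or /dev/shm, and flags process names that are within two edits of a known daemon name while not matching it exactly. The KNOWN_DAEMONS list, the scratch-directory policy and the sample ps lines are constructed for the example (the sample echoes the lines quoted in the thread, plus a legitimate smartd and init for contrast).

```python
"""Triage helper: feed it `ps faux` (or `ps -eo user,pid,...,args`) output and it
reports processes that execute from a scratch directory or whose name is a
near-miss of a known daemon. Sample input below is constructed for this example."""
import re

# Assumption (local policy): packaged daemons never execute from these directories.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# The two names the thread's impostors imitate, plus an assumed baseline of
# other common daemons a CentOS box would run.
KNOWN_DAEMONS = ["smartd", "whiptail", "sshd", "crond", "rsyslogd", "httpd", "ntpd"]

# Constructed sample in `ps faux` column layout, echoing the thread's output.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19232  1500 ?        Ss   Oct03   0:01 /sbin/init
root      2001  0.0  0.1  20000  1200 ?        Ss   Oct03   0:00 /usr/sbin/smartd -q never
root     28855  0.0  0.1 433824  1688 ?        Ssl  Oct03   0:15 /tmp/smarvtd
root      5923  0.0  0.1 433824  1684 ?        Ssl  Oct03   0:12 /tmp/smarvtd
root     26526  0.0  0.1 433824  1812 ?        Ssl  Oct03   1:22 /etc/whitptabil
root     18194  0.0  0.0 103244   836 pts/2    S+   11:05   0:00  \\_ grep smarvtd
"""


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute); used for near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_DAEMONS, max_distance=2):
    """Return the known daemon name that `name` imitates, or None.
    Exact matches are not reported; only near misses within max_distance edits."""
    best = None
    for k in known:
        d = levenshtein(name, k)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


def parse_ps_line(line):
    """Parse one `ps faux` line into (pid, user, argv0); skips the header and the
    forest-mode tree glyphs ("\\_", "|") that precede child commands."""
    fields = line.split()
    if len(fields) < 11 or not fields[1].isdigit():
        return None
    cmd = [f for f in fields[10:] if f not in ("\\_", "|")]
    return int(fields[1]), fields[0], (cmd[0] if cmd else "")


def triage(ps_output):
    """Return a list of findings as (pid, argv0, reason) tuples."""
    findings = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, _user, argv0 = parsed
        if argv0.startswith(SCRATCH_DIRS):
            findings.append((pid, argv0, "executes from scratch directory"))
        target = lookalike_of(argv0.rsplit("/", 1)[-1])
        if target:
            findings.append((pid, argv0, "name resembles %s" % target))
    return findings


if __name__ == "__main__":
    for pid, path, reason in triage(SAMPLE_PS):
        print("PID %-6d %-20s %s" % (pid, path, reason))
```

On a live box, pipe real output in (`ps faux | python triage.py` after switching the main block to read sys.stdin) and compare each flagged path against the package database with rpm -qf; a binary nobody owns, in /tmp, with a name one letter off a real daemon is exactly what the thread found.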
Since this was your puppet server, you might also want to check to see if the intrusion has spread to your other machines, it's possible the attacker didn't notice or that the attack was fully automated, but you should read through the puppet configs and see if there are any commands being distributed to the other machines that you didn't put there. You don't want to play whack-a-mole chasing this out of your system, you want to get it all in one shot.
— Mark Tinberg mark.tinberg@wisc.edu
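One way to do the manifest review Mark suggests, added here as an example rather than anything from the thread or from Puppet itself: diff the exec and cron resources in the manifests the server is currently distributing against a known-good baseline (for instance the last commit of the manifests you made yourself), and separately flag any command that runs something out of a scratch directory. The scan is a deliberately simple regex over flat resource blocks, not a Puppet parser, and the manifest text and BASELINE mapping are constructed for the example.

```python
"""Audit helper: list exec/cron resources in Puppet manifests and flag those that
are absent from, or differ from, a trusted baseline, or that run from a scratch
directory. Regex-based; assumes resource bodies without nested braces."""
import re

# Assumption (local policy): nothing managed by Puppet should execute from here.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Matches `exec { 'title': ... }` and `cron { 'title': ... }` blocks.
RESOURCE_RE = re.compile(
    r"\b(exec|cron)\s*\{\s*['\"]([^'\"]+)['\"]\s*:\s*(.*?)\}", re.S)
COMMAND_RE = re.compile(r"\bcommand\s*=>\s*['\"]([^'\"]*)['\"]")

# Constructed sample manifest: one untouched resource, one whose command has been
# replaced, and one resource the admin never wrote (names taken from the thread).
SAMPLE_MANIFEST = """
exec { 'refresh-yum-cache':
  command     => '/usr/bin/yum clean expire-cache',
  refreshonly => true,
}
cron { 'logrotate-nightly':
  command => '/etc/whitptabil',
  hour    => 3,
}
cron { 'smarvtd':
  command => '/tmp/smarvtd',
  minute  => 0,
}
"""

# Constructed baseline standing in for the resources taken from version control.
BASELINE = {
    ("exec", "refresh-yum-cache"): "/usr/bin/yum clean expire-cache",
    ("cron", "logrotate-nightly"): "/usr/sbin/logrotate /etc/logrotate.conf",
}


def extract_commands(manifest):
    """Return [(resource_type, title, command)] for every exec/cron resource."""
    out = []
    for rtype, title, body in RESOURCE_RE.findall(manifest):
        m = COMMAND_RE.search(body)
        out.append((rtype, title, m.group(1) if m else ""))
    return out


def audit(manifest, baseline):
    """Return [(resource_type, title, command, reason)] for resources needing review.
    `baseline` maps (type, title) -> the command the admin expects."""
    findings = []
    for rtype, title, cmd in extract_commands(manifest):
        expected = baseline.get((rtype, title))
        if expected is None:
            findings.append((rtype, title, cmd, "not in baseline"))
        elif expected != cmd:
            findings.append((rtype, title, cmd, "command differs from baseline"))
        if any(d in cmd for d in SCRATCH_DIRS):
            findings.append((rtype, title, cmd, "runs from scratch directory"))
    return findings


if __name__ == "__main__":
    for rtype, title, cmd, reason in audit(SAMPLE_MANIFEST, BASELINE):
        print("%-4s %-20s %-40s %s" % (rtype, title, cmd, reason))
```

Run it over every .pp file under the Puppet environment directory (and over any file resources that drop scripts or crontabs, which this simple scan does not cover); a resource that is not in your baseline, or whose command changed without a commit you recognise, is the kind of thing that would re-infect freshly rebuilt agents.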
Thanks, I'm doing this now!
Tim
On Sat, Oct 4, 2014 at 11:14 AM, Mark Tinberg mark.tinberg@wisc.edu wrote:
[ ... ]
The thing is... you need to find how it got in and patch, otherwise it will be back on your brand new server...
JD