[CentOS] massive load caused by smartvd

Sat Oct 4 11:52:52 UTC 2014
Alexander Dalloz <ad+lists at uni-x.org>

Am 04.10.2014 um 03:34 schrieb Tim Dunphy:
> Hey all,
>
>   I noticed that my puppet server running CentOS 6.5 was acting a little
> pokey.
>
>    So I logged in and did what well just about anyone would've done. And ran
> the uptime command to have a look at the load. And it was astonishingly
> high!
>
> [root at puppet:~] #uptime
>   21:28:01 up  1:26,  3 users,  load average: 107.37, 72.06, 75.52
>
>
> So then I had a look at top and saw a LOT of processes by the name of
> smartvd.
>
>
>   7332 root      20   0  423m 1808    0 S  5.6  0.1   0:49.30 smarvtd
>   5469 root      20   0  423m 1804    0 S  4.6  0.1   0:49.55 smarvtd
>   2042 root      20   0  423m 1804    0 S  3.7  0.1   0:49.66 smarvtd
>   2421 root      20   0  423m 1808    0 S  3.7  0.1   0:47.62 smarvtd
>   3081 root      20   0  423m 1808    0 S  3.7  0.1   0:47.08 smarvtd
>   3366 root      20   0  423m 1804    0 S  3.7  0.1   0:47.87 smarvtd
>   3568 root      20   0  423m 1808    0 S  3.7  0.1   0:48.94 smarvtd
>   3971 root      20   0  423m 1812    0 S  3.7  0.1   0:49.18 smarvtd
>   4264 root      20   0  423m 1812    0 S  3.7  0.1   0:48.33 smarvtd
>   4585 root      20   0  423m 1812    0 S  3.7  0.1   0:48.44 smarvtd
>   5277 root      20   0  423m 1808    0 S  3.7  0.1   0:48.13 smarvtd
>   6160 root      20   0  423m 1812    0 S  3.7  0.1   0:49.33 smarvtd
>   6441 root      20   0  423m 1808    0 S  3.7  0.1   0:48.17 smarvtd
>   6746 root      20   0  423m 1804    0 S  3.7  0.1   0:49.60 smarvtd
>   7612 root      20   0  423m 1812    0 S  3.7  0.1   0:48.97 smarvtd
>   7919 root      20   0  423m 1808    0 S  3.7  0.1   0:47.33 smarvtd
>   8202 root      20   0  423m 1812    0 S  3.7  0.1   0:49.67 smarvtd
> 26526 root      20   0  423m 1812    0 S  3.7  0.1   1:22.17 whitptabil
>   2747 root      20   0  423m 1812    0 S  2.8  0.1   0:48.41 smarvtd
>   4952 root      20   0  423m 1812    0 S  2.8  0.1   0:48.43 smarvtd
>   5878 root      20   0  423m 1808    0 S  2.8  0.1   0:48.02 smarvtd
>   7048 root      20   0  423m 1808    0 S  2.8  0.1   0:48.51 smarvtd
>
> So my question to you is what the HELL is smartvd ? Seems like a virus to
> me. And of course how do I get rid of it?
>
> Also curious what whitptabil is and how to get rid of it.

[ ... ]

> Really really curious here, guys. What do y'all think???
>
> Thanks
> Tim


Take the system off. Save the content for later forensics and then
reinstall the system from scratch. What's running is malware.

http://v.virscan.org/Backdoor.Linux.Mayday.f.html

It is typical for such backdoors to camouflage as programs with a known 
name: whitptabil versus whiptail and smarvtd versus smartd.

Alexander
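
The near-miss naming described in the reply above (smarvtd versus smartd, whitptabil versus whiptail) can be hunted for mechanically. The following is an added example, not part of the original thread: it flags process names within a small edit distance of a known program name. The allowlist, the thresholds and the sample `top` lines are assumptions constructed for illustration.

```python
# Flag process names that are near-misses of known program names.
# KNOWN is an assumed allowlist; on a real host, build it from the
# package database or a known-good baseline of the same OS image.
KNOWN = {"smartd", "whiptail", "sshd", "crond", "rsyslogd", "puppet", "bash"}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def command_names(top_output):
    """Take the COMMAND column (last field) from top-style lines."""
    return [line.split()[-1] for line in top_output.splitlines() if line.split()]

def lookalikes(names, known=KNOWN, max_dist=2, min_len=5):
    """Map each suspicious name to (closest known name, distance).
    Exact matches are skipped; very short names are skipped because
    almost anything is within two edits of them (assumed thresholds)."""
    hits = {}
    for name in set(names):
        if name in known or len(name) < min_len:
            continue
        best = min(known, key=lambda k: (edit_distance(name, k), k))
        dist = edit_distance(name, best)
        if dist <= max_dist:
            hits[name] = (best, dist)
    return hits

# Constructed sample in the layout of the top output quoted in the thread.
SAMPLE = """\
 7332 root      20   0  423m 1808    0 S  5.6  0.1   0:49.30 smarvtd
26526 root      20   0  423m 1812    0 S  3.7  0.1   1:22.17 whitptabil
 1201 root      20   0 66236 1200  480 S  0.0  0.1   0:00.02 sshd
 1388 root      20   0  8760  900  600 S  0.0  0.1   0:00.10 smartd
 1500 puppet    20   0  210m  40m 3000 S  0.3  2.0   0:12.00 puppet
 9001 root      20   0 15036 1300  940 R  0.3  0.1   0:00.05 top
"""

if __name__ == "__main__":
    for name, (real, dist) in sorted(lookalikes(command_names(SAMPLE)).items()):
        print(f"{name}: resembles {real} (edit distance {dist})")
```

A hit is only a lead for triage: confirm it against the binary's path, package ownership and hash before drawing conclusions.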