[CentOS] massive load caused by smartvd
Alexander Dalloz
ad+lists at uni-x.org
Sat Oct 4 11:52:52 UTC 2014
On 04.10.2014 at 03:34, Tim Dunphy wrote:
> Hey all,
>
> I noticed that my puppet server running CentOS 6.5 was acting a little
> pokey.
>
> So I logged in and did what well just about anyone would've done. And ran
> the uptime command to have a look at the load. And it was astonishingly
> high!
>
> [root at puppet:~] #uptime
> 21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52
>
>
> So then I had a look at top and saw a LOT of processes by the name of
> smartvd.
>
>
> 7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
> 5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
> 2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
> 2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
> 3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
> 3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
> 3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
> 3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
> 4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
> 4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
> 5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
> 6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
> 6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
> 6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
> 7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
> 7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
> 8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
> 26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
> 2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
> 4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
> 5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
> 7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd
>
> So my question to you is what the HELL is smartvd ? Seems like a virus to
> me. And of course how do I get rid of it?
>
> Also curious what whitptabil is and how to get rid of it.
[ ... ]
> Really really curious here, guys. What do y'all think???
>
> Thanks
> Tim
Take the system off. Save the content for later forensics and then
reinstall the system from scratch. What's running is malware
http://v.virscan.org/Backdoor.Linux.Mayday.f.html
It is typical for such backdoors to camouflage as programs with a known
name: whitptabil versus whiptail and smarvtd versus smartd.
Alexander
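
The near-miss naming pointed out in the reply above (smarvtd versus smartd, whitptabil versus whiptail) can be checked for mechanically. The following is an added example, not part of the original thread: it flags process names within a small edit distance of a known program name. The `KNOWN` set, the thresholds and the sample lines are assumptions constructed for illustration.

```python
# Added example: flag process names that are near-misses of known program names.
# KNOWN, MAX_DIST, MIN_LEN and SAMPLE_TOP are assumptions constructed for illustration.

KNOWN = {"smartd", "whiptail", "sshd", "crond", "rsyslogd", "puppet", "top", "bash"}
MAX_DIST = 2   # edits tolerated before a name counts as unrelated
MIN_LEN = 5    # skip short names, where 1-2 edits match almost anything

# Constructed sample in the column layout of the top output quoted in the thread.
SAMPLE_TOP = """\
 7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
 1201 root 20 0 66m 1200 0 S 0.0 0.1 0:00.10 sshd
 1350 root 20 0 110m 900 0 S 0.0 0.0 0:00.02 bash
 1400 root 20 0 20m 600 0 S 0.0 0.0 0:00.01 crond
"""

def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def lookalikes(top_text, known=KNOWN):
    """Return {suspect_name: (closest_known_name, distance, [pids])}."""
    hits = {}
    for line in top_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or not fields[0].isdigit():
            continue                      # header or malformed line
        pid, name = int(fields[0]), fields[11]
        if name in known or len(name) < MIN_LEN:
            continue                      # exact or too-short names are not look-alikes
        dist, best = min((edit_distance(name, k), k) for k in known)
        if dist <= MAX_DIST:
            hits.setdefault(name, (best, dist, []))[2].append(pid)
    return hits

if __name__ == "__main__":
    for name, (real, dist, pids) in sorted(lookalikes(SAMPLE_TOP).items()):
        print(f"{name}: {dist} edit(s) from {real}, pids {pids}")
```

The check only surfaces near-miss names for a closer look; a process whose name matches a known program exactly is skipped, so it says nothing about whether that binary is genuine.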