[CentOS] massive load caused by smartvd

Tim Dunphy bluethundr at gmail.com
Sat Oct 4 15:12:58 UTC 2014


yeah it does..

[root at puppet:~] #ps faux | grep smarvtd
root     18194  0.0  0.0 103244   836 pts/2    S+   11:05   0:00  |  \_ grep smarvtd
root     28855  0.0  0.1 433824  1688 ?        Ssl  Oct03   0:15 /tmp/smarvtd
root      5923  0.0  0.1 433824  1684 ?        Ssl  Oct03   0:12 /tmp/smarvtd
root     13621  0.0  0.1 433824  1680 ?        Ssl  00:00   0:11 /tmp/smarvtd
root      6097  0.0  0.1 433824  1680 ?        Ssl  01:00   0:09 /tmp/smarvtd
root      1462  0.0  0.1 433824  1684 ?        Ssl  02:00   0:08 /tmp/smarvtd
root     23182  0.0  0.1 433824  1684 ?        Ssl  03:00   0:08 /tmp/smarvtd
root     18879  0.0  0.1 433824  1688 ?        Ssl  04:00   0:06 /tmp/smarvtd
root     11139  0.0  0.1 433824  1688 ?        Ssl  05:00   0:05 /tmp/smarvtd
root     11167  0.0  0.1 433824  1688 ?        Ssl  06:00   0:04 /tmp/smarvtd
root     16443  0.0  0.1 433824  1680 ?        Ssl  07:00   0:03 /tmp/smarvtd
root     15361  0.0  0.1 433824  1680 ?        Ssl  08:00   0:02 /tmp/smarvtd
root     13379  0.0  0.1 433824  1680 ?        Ssl  09:00   0:01 /tmp/smarvtd
root     11599  0.0  0.1 433824  1684 ?        Ssl  10:00   0:00 /tmp/smarvtd
root     12731  0.0  0.1 433824  1684 ?        Ssl  11:00   0:00 /tmp/smarvtd

Thanks for the tip, I'll have to remember that!

I think I'll image this machine for later study. Then wipe it and start
again!
Thanks

On Fri, Oct 3, 2014 at 9:53 PM, <jwyeth.arch at gmail.com> wrote:

> A quick Google for "smarvtd" returns results for both the smarvtd and
> whitptabil and they appear to be potential malware. Does a PS faux | grep
> smarvtd return a full path to the file that is running? How about top -c?
>
> On Fri, Oct 3, 2014 at 9:35 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>
> > Hey all,
> >  I noticed that my puppet server running CentOS 6.5 was acting a little
> > pokey.
> >   So I logged in and did what well just about anyone would've done. And ran
> > the uptime command to have a look at the load. And it was astonishingly
> > high!
> > [root at puppet:~] #uptime
> >  21:28:01 up  1:26,  3 users,  load average: 107.37, 72.06, 75.52
> > So then I had a look at top and saw a LOT of processes by the name of
> > smartvd.
> >  7332 root      20   0  423m 1808    0 S  5.6  0.1   0:49.30 smarvtd
> >  5469 root      20   0  423m 1804    0 S  4.6  0.1   0:49.55 smarvtd
> >  2042 root      20   0  423m 1804    0 S  3.7  0.1   0:49.66 smarvtd
> >  2421 root      20   0  423m 1808    0 S  3.7  0.1   0:47.62 smarvtd
> >  3081 root      20   0  423m 1808    0 S  3.7  0.1   0:47.08 smarvtd
> >  3366 root      20   0  423m 1804    0 S  3.7  0.1   0:47.87 smarvtd
> >  3568 root      20   0  423m 1808    0 S  3.7  0.1   0:48.94 smarvtd
> >  3971 root      20   0  423m 1812    0 S  3.7  0.1   0:49.18 smarvtd
> >  4264 root      20   0  423m 1812    0 S  3.7  0.1   0:48.33 smarvtd
> >  4585 root      20   0  423m 1812    0 S  3.7  0.1   0:48.44 smarvtd
> >  5277 root      20   0  423m 1808    0 S  3.7  0.1   0:48.13 smarvtd
> >  6160 root      20   0  423m 1812    0 S  3.7  0.1   0:49.33 smarvtd
> >  6441 root      20   0  423m 1808    0 S  3.7  0.1   0:48.17 smarvtd
> >  6746 root      20   0  423m 1804    0 S  3.7  0.1   0:49.60 smarvtd
> >  7612 root      20   0  423m 1812    0 S  3.7  0.1   0:48.97 smarvtd
> >  7919 root      20   0  423m 1808    0 S  3.7  0.1   0:47.33 smarvtd
> >  8202 root      20   0  423m 1812    0 S  3.7  0.1   0:49.67 smarvtd
> > 26526 root      20   0  423m 1812    0 S  3.7  0.1   1:22.17 whitptabil
> >  2747 root      20   0  423m 1812    0 S  2.8  0.1   0:48.41 smarvtd
> >  4952 root      20   0  423m 1812    0 S  2.8  0.1   0:48.43 smarvtd
> >  5878 root      20   0  423m 1808    0 S  2.8  0.1   0:48.02 smarvtd
> >  7048 root      20   0  423m 1808    0 S  2.8  0.1   0:48.51 smarvtd
> > So my question to you is what the HELL is smartvd ? Seems like a virus to
> > me. And of course how do I get rid of it?
> > Also curious what whitptabil is and how to get rid of it.
> > I tried doing a search for both:
> > [root at puppet:~] #rpm -qa | grep smartvd
> > [root at puppet:~] #
> > [root at puppet:~] #find / -name smartvd
> > [root at puppet:~] #
> > [root at puppet:~] #rpm -qa | grep whitptabil
> > [root at puppet:~] #find / -name whitptabil
> > /etc/whitptabil
> > [root at puppet:~] #
> > At least I found a file associated with the latter.
> > Really really curious here, guys. What do y'all think???
> > Thanks
> > Tim
> > --
> > GPG me!!
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
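
Added example, not part of the original thread: the full-path check suggested in the quoted reply, written as a shell filter that flags any process whose executable path sits in a world-writable directory. The directory list, the function names and the sample lines are assumptions of this example; the sample is constructed in the shape of the listing above.

```shell
#!/bin/sh
# Flag processes executing from world-writable directories.
# Input, one process per line: USER PID START COMMAND...
# as produced by: ps -eo user=,pid=,start_time=,args=

# Directories treated as suspicious for a daemon (assumption of this example).
SUSPECT_DIRS='/tmp/ /var/tmp/ /dev/shm/'

# flag_suspect_procs: reads ps lines on stdin and prints "PID USER START PATH"
# for every process whose command path begins with a suspect directory.
flag_suspect_procs() {
    awk -v dirs="$SUSPECT_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        {
            for (i = 1; i <= n; i++)
                if (index($4, d[i]) == 1) { print $2, $1, $3, $4; break }
        }'
}

# summarize: reads flag_suspect_procs output and prints "COUNT PATH" per binary,
# so many copies of one binary show up as a single line.
summarize() {
    awk '{ c[$4]++ } END { for (p in c) print c[p], p }' | sort -rn
}

# Constructed sample input (not captured output).
sample_ps() {
    cat <<'EOF'
root 28855 Oct03 /tmp/smarvtd
root 5923 Oct03 /tmp/smarvtd
root 13621 00:00 /tmp/smarvtd
root 1201 Oct03 /usr/sbin/sshd
root 18194 11:05 grep smarvtd
EOF
}

# Live use: ps -eo user=,pid=,start_time=,args= | flag_suspect_procs
# A process can rewrite its own argv, so confirm each hit with:
#   readlink /proc/<PID>/exe
sample_ps | flag_suspect_procs | summarize
```

The START column is kept in the output so that regular start times, like the on-the-hour entries in the listing above, stand out and can be compared against cron entries.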


