[CentOS] massive load caused by smartvd
Tim Dunphy
bluethundr at gmail.com
Sat Oct 4 15:12:58 UTC 2014
yeah it does..
[root at puppet:~] #ps faux | grep smarvtd
root 18194 0.0 0.0 103244 836 pts/2 S+ 11:05 0:00 |
\_ grep smarvtd
root 28855 0.0 0.1 433824 1688 ? Ssl Oct03 0:15
/tmp/smarvtd
root 5923 0.0 0.1 433824 1684 ? Ssl Oct03 0:12
/tmp/smarvtd
root 13621 0.0 0.1 433824 1680 ? Ssl 00:00 0:11
/tmp/smarvtd
root 6097 0.0 0.1 433824 1680 ? Ssl 01:00 0:09
/tmp/smarvtd
root 1462 0.0 0.1 433824 1684 ? Ssl 02:00 0:08
/tmp/smarvtd
root 23182 0.0 0.1 433824 1684 ? Ssl 03:00 0:08
/tmp/smarvtd
root 18879 0.0 0.1 433824 1688 ? Ssl 04:00 0:06
/tmp/smarvtd
root 11139 0.0 0.1 433824 1688 ? Ssl 05:00 0:05
/tmp/smarvtd
root 11167 0.0 0.1 433824 1688 ? Ssl 06:00 0:04
/tmp/smarvtd
root 16443 0.0 0.1 433824 1680 ? Ssl 07:00 0:03
/tmp/smarvtd
root 15361 0.0 0.1 433824 1680 ? Ssl 08:00 0:02
/tmp/smarvtd
root 13379 0.0 0.1 433824 1680 ? Ssl 09:00 0:01
/tmp/smarvtd
root 11599 0.0 0.1 433824 1684 ? Ssl 10:00 0:00
/tmp/smarvtd
root 12731 0.0 0.1 433824 1684 ? Ssl 11:00 0:00
/tmp/smarvtd
Thanks for the tip, I'll have to remember that!
I think I'll image this machine for later study. Then wipe it and start
again!
Thanks
On Fri, Oct 3, 2014 at 9:53 PM, <jwyeth.arch at gmail.com> wrote:
> A quick Google for "smarvtd" returns results for both the smarvtd and
> whitptabil and they appear to be potential malware. Does a PS faux | grep
> smarvtd return a full path to the file that is running? How about top -c?
>
> —
> Sent from Mailbox
>
> On Fri, Oct 3, 2014 at 9:35 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
>
> > Hey all,
> > I noticed that my puppet server running CentOS 6.5 was acting a little
> > pokey.
> > So I logged in and did what well just about anyone would've done. And
> ran
> > the uptime command to have a look at the load. And it was astonishingly
> > high!
> > [root at puppet:~] #uptime
> > 21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52
> > So then I had a look at top and saw a LOT of processes by the name of
> > smartvd.
> > 7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
> > 5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
> > 2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
> > 2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
> > 3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
> > 3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
> > 3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
> > 3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
> > 4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
> > 4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
> > 5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
> > 6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
> > 6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
> > 6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
> > 7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
> > 7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
> > 8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
> > 26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
> > 2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
> > 4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
> > 5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
> > 7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd
> > So my question to you is what the HELL is smartvd ? Seems like a virus to
> > me. And of course how do I get rid of it?
> > Also curious what whitptabil is and how to get rid of it.
> > I tried doing a search for both:
> > [root at puppet:~] #rpm -qa | grep smartvd
> > [root at puppet:~] #
> > [root at puppet:~] #find / -name smartvd
> > [root at puppet:~] #
> > [root at puppet:~] #rpm -qa | grep whitptabil
> > [root at puppet:~] #find / -name whitptabil
> > /etc/whitptabil
> > [root at puppet:~] #
> > At least I found a file associated with the latter.
> > Really really curious here, guys. What do y'all think???
> > Thanks
> > Tim
> > --
> > GPG me!!
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
More information about the CentOS
mailing list