Date: Mon, 9 Jan 2017 21:09:51 -0700 (MST)
From: Warren Block <wblock@wonkity.com>
To: Bill Yuan <bycn82@gmail.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: /tmp/swap is causing my CPU busy
Message-ID: <alpine.BSF.2.20.1701092101060.3484@wonkity.com>
In-Reply-To: <CAC+JH2wBrEz9G0YT7iagQhnDFYXMkoh0cRwySRJSYWbCnY=DGw@mail.gmail.com>
References: <CAC+JH2wO6kpKB8DfHMW=Yi081Hi4jU=vnFzuyq54jXPhbqk0YQ@mail.gmail.com> <alpine.BSF.2.20.1701091000290.3484@wonkity.com> <CAC+JH2wBrEz9G0YT7iagQhnDFYXMkoh0cRwySRJSYWbCnY=DGw@mail.gmail.com>
On Tue, 10 Jan 2017, Bill Yuan wrote:

> On 10 January 2017 at 01:04, Warren Block <wblock@wonkity.com> wrote:
> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
> Hi,
> Need support here. I just noticed my machine is busy and a process is the
> root cause, I am not familiar with the memory/SWAP, Can someone please help
> to take a look? any info is required? please let me know.
>
> #top
> 52 processes: 1 running, 50 sleeping, 1 zombie
> CPU: 3.5% user, 0.0% nice, 0.6% system, 0.0% interrupt, 95.9% idle
> Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
> Swap: 2100M Total, 2100M Free
>
> PID   USERNAME THR PRI NICE  SIZE    RES STATE C  TIME   WCPU  COMMAND
> 25592 root      10  25    0  778M  9272K uwait 3  0:38 19.02%  .swap
> 25599 root       1  20    0 7416K  2596K CPU0  0  0:00  0.11%  top
>
> #ps -axd | grep swap
> 25481  0  S+    0:00.00 | | `-- grep swap
> 22927  -  Ss  172:10.74 |-- /tmp/.swap
>
> #uname -a
> FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu
> Sep 29 03:40:55 UTC 2016
> root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>
> That does not look good to me. A hidden file named ".swap" that is
> *running*, and as root? I would immediately disconnect that machine from
> the net and then check to see if that's a compromise, because it sure
> looks fishy.
>
> It is inside my dev environment, but I want to know what it is.

It is not a standard file, let's start with that. Again, I would isolate it
until I was very sure it was not a problem.

Do you have some sort of blogging software or exploitable PHP web thing
installed?

Can this questionable file be killed without coming back?
pkill .swap
pgrep .swap

What kind of file is it?
file /tmp/.swap

When was it put there?
ls -lh /tmp/.swap

Date: Mon, 9 Jan 2017 22:35:26 -0600 (CST)
From: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
To: "Warren Block" <wblock@wonkity.com>
Cc: "Bill Yuan" <bycn82@gmail.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Re: /tmp/swap is causing my CPU busy
Message-ID: <50217.69.209.236.147.1484022926.squirrel@cosmo.uchicago.edu>
In-Reply-To: <alpine.BSF.2.20.1701092101060.3484@wonkity.com>

On Mon, January 9, 2017 10:09 pm, Warren Block wrote:
> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
>> On 10 January 2017 at 01:04, Warren Block <wblock@wonkity.com> wrote:
>> On Tue, 10 Jan 2017, Bill Yuan wrote:
>>
>> Hi,
>> Need support here. I just noticed my machine is busy and a process is the
>> root cause, I am not familiar with the memory/SWAP, Can someone please help
>> to take a look? any info is required? please let me know.
>>
>> #top
>> 52 processes: 1 running, 50 sleeping, 1 zombie
>> CPU: 3.5% user, 0.0% nice, 0.6% system, 0.0% interrupt, 95.9% idle
>> Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
>> Swap: 2100M Total, 2100M Free
>>
>> PID   USERNAME THR PRI NICE  SIZE    RES STATE C  TIME   WCPU  COMMAND
>> 25592 root      10  25    0  778M  9272K uwait 3  0:38 19.02%  .swap
>> 25599 root       1  20    0 7416K  2596K CPU0  0  0:00  0.11%  top
>>
>> #ps -axd | grep swap
>> 25481  0  S+    0:00.00 | | `-- grep swap
>> 22927  -  Ss  172:10.74 |-- /tmp/.swap
>>
>> #uname -a
>> FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu
>> Sep 29 03:40:55 UTC 2016
>> root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386
>>
>> That does not look good to me. A hidden file named ".swap" that
>> is *running*, and as root? I would immediately disconnect that
>> machine from the net and then check to see if that's a compromise,
>> because it sure looks fishy.
>
>> It is inside my dev environment, but I want to know what it is.
>
> It is not a standard file, let's start with that. Again, I would
> isolate it until I was very sure it was not a problem.

This sounds to me like a compromised system as well. There are two
indications of an attempt to disguise it: the name of the file and the fact
that it is an "invisible" file (.xxxxx).

> Do you have some sort of blogging software or exploitable PHP web thing
> installed?

This is another question: how the compromise happened. It is quite likely a
combination of an exploitable service and local elevation of privileges, as
daemons listening on external ports usually run as non-privileged users,
except for a few like sshd (and sendmail in the past - I don't know how it is
now; I have used postfix for almost two decades).

I really would at this point switch effort to forensics on the system: as
Warren suggests, go briefly over the few things that can disappear upon
taking the system offline (if the "hacker" is a careful one), then disconnect
the box from the network, and investigate the rest offline. It is big work;
good forensics can take weeks. There is no room to describe it on the list.

Good luck!

Valeri

> Can this questionable file be killed without coming back?
> pkill .swap
> pgrep .swap
>
> What kind of file is it?
> file /tmp/.swap
>
> When was it put there?
> ls -lh /tmp/.swap

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
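Taken together, the two replies above describe a triage order: first record what evaporates when the process dies or the cable is pulled (open sockets, the binary actually mapped, the real argv, the credentials it runs with), then the on-disk file's metadata and hash, then whatever could respawn it (cron, rc.d), and only then kill it and check with pgrep. The script below is an added example written for this archive page, not code from either poster. It assumes a FreeBSD 11 userland (procstat, sockstat, fstat, sha256; each is skipped with a note where missing), an evidence directory under /root, and the `is_suspicious_path`/`flag_ps_line` heuristics, which are my own: a hidden basename or a binary living in a world-writable scratch directory, running as root, is the combination seen in the thread.

```shell
#!/bin/sh
# triage_proc.sh - volatile-state capture for a suspicious process, run as
# root BEFORE disconnecting the host. Added example for this thread, not code
# from either poster. Assumes FreeBSD userland (procstat, sockstat, fstat,
# sha256); a missing tool is noted, not fatal, so the helpers also run elsewhere.
set -u

# Hidden basename (".swap") or a binary living in a scratch directory that
# any local user can write to: either alone is worth a look.
is_suspicious_path() {
    _p=$1
    case "$_p" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    esac
    case "${_p##*/}" in
        .?*) return 0 ;;
    esac
    return 1
}

# One line of `ps -axo pid,user,command`: flag when a suspicious path runs
# as root (the combination seen in the thread). Returns 0 when flagged.
flag_ps_line() {
    set -- $1
    [ "$#" -ge 3 ] || return 1
    [ "$2" = root ] || return 1
    is_suspicious_path "$3"
}

# Save a tool's output to the evidence dir, or note that the tool is missing.
capture() {
    _out=$EVIDENCE/$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$_out" 2>&1 || echo "(exit $? from: $*)" >>"$_out"
    else
        echo "(tool $1 not installed)" >"$_out"
    fi
}

# Collect what disappears when the process dies or the cable is pulled.
triage_pid() {
    pid=$1
    EVIDENCE=${EVIDENCE:-/root/triage.$pid}   # assumed location
    mkdir -p "$EVIDENCE"
    capture ps.txt       ps -o pid,ppid,user,lstart,command -p "$pid"
    capture binary.txt   procstat -b "$pid"    # mapped executable, even if unlinked
    capture args.txt     procstat -c "$pid"    # real argv (top only shows ".swap")
    capture creds.txt    procstat -s "$pid"    # uid/gid/jail it runs with
    capture files.txt    procstat -f "$pid"    # open files and sockets
    capture fstat.txt    fstat -p "$pid"
    sockstat -P tcp,udp 2>/dev/null | grep -w "$pid" >"$EVIDENCE/sockets.txt" || true
    # The on-disk file: type, size, mtime and birth time, hash. Do not copy it
    # anywhere in $PATH; hash it in place.
    _exe=$(ps -o command= -p "$pid" | cut -d' ' -f1)
    if [ -n "$_exe" ] && [ -f "$_exe" ]; then
        capture ls.txt        ls -lh "$_exe"
        capture ls_birth.txt  ls -lhU "$_exe"  # FreeBSD: birth time, harder to fake than mtime
        capture file.txt      file "$_exe"
        capture sha256.txt    sha256 "$_exe"
    fi
    # Persistence, for the thread's "can it be killed without coming back?"
    capture cron_root.txt crontab -l -u root
    capture rc_dirs.txt   ls -la /etc/rc.d /usr/local/etc/rc.d
    capture rc_conf.txt   grep -v '^#' /etc/rc.conf
    echo "evidence written to $EVIDENCE"
}

# Only after capture: kill it and see whether something respawns it.
# $1 is a regex for pgrep/pkill -f, so escape the dot: '/tmp/\.swap'.
kill_and_recheck() {
    pkill -f "$1" || true
    sleep 10
    if pgrep -f "$1"; then
        echo "$1 came back: look for a parent, cron job or rc.d script"
        return 1
    fi
    echo "$1 stayed dead"
}

if [ "$#" -gt 0 ]; then
    for p in $(pgrep -f "$1"); do triage_pid "$p"; done
fi
```

Usage: `sh triage_proc.sh '/tmp/\.swap'` as root while the box is still online, then `. ./triage_proc.sh; kill_and_recheck '/tmp/\.swap'`. The pattern is a regular expression, which is why the dot is escaped: a bare `pgrep .swap` also matches any process whose command line merely contains "swap". The ps/procstat captures are taken before the kill because once the process is gone, its sockets, mapped binary and real argv are gone with it; the on-disk hash lets you check the binary against known samples from an offline machine later.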