From owner-freebsd-questions@freebsd.org Tue Jan 10 04:09:53 2017
Date: Mon, 9 Jan 2017 21:09:51 -0700 (MST)
From: Warren Block
To: Bill Yuan
cc: FreeBSD Questions
Subject: Re: /tmp/swap is causing my CPU busy
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)

On Tue, 10 Jan 2017, Bill Yuan wrote:

> On 10 January 2017 at 01:04, Warren Block wrote:
> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
> Hi,
> Need support here. I just noticed my machine is busy and a process is the
> root cause. I am not familiar with the memory/SWAP. Can someone please help
> to take a look? If any info is required, please let me know.
>
> #top
> 52 processes:  1 running, 50 sleeping, 1 zombie
> CPU:  3.5% user,  0.0% nice,  0.6% system,  0.0% interrupt, 95.9% idle
> Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
> Swap: 2100M Total, 2100M Free
>
>   PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
> 25592 root            10  25    0   778M  9272K uwait   3   0:38  19.02% .swap
> 25599 root             1  20    0  7416K  2596K CPU0    0   0:00   0.11% top
>
> #ps -axd | grep swap
> 25481  0  S+       0:00.00 | |   `-- grep swap
> 22927  -  Ss     172:10.74 |-- /tmp/.swap
>
> #uname -a
> FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu
> Sep 29 03:40:55 UTC 2016
> root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
>
>
> That does not look good to me.  A hidden file named ".swap" that is
> *running*, and as root?  I would immediately disconnect that machine from
> the net and then check to see if that's a compromise, because it sure
> looks fishy.
>
> It is inside my dev environment, but I want to know what it is.

It is not a standard file, let's start with that.  Again, I would isolate
it until I was very sure it was not a problem.

Do you have some sort of blogging software or exploitable PHP web thing
installed?

Can this questionable file be killed without coming back?
pkill .swap
pgrep .swap

What kind of file is it?
file /tmp/.swap

When was it put there?
ls -lh /tmp/.swap

From owner-freebsd-questions@freebsd.org Tue Jan 10 04:35:33 2017
Message-ID: <50217.69.209.236.147.1484022926.squirrel@cosmo.uchicago.edu>
Date: Mon, 9 Jan 2017 22:35:26 -0600 (CST)
Subject: Re: /tmp/swap is causing my CPU busy
From: "Valeri Galtsev"
To: "Warren Block"
Cc: "Bill Yuan" , "FreeBSD Questions"
Reply-To: galtsev@kicp.uchicago.edu
User-Agent: SquirrelMail/1.4.8-5.el5.centos.7

On Mon, January 9, 2017 10:09 pm, Warren Block wrote:
> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
>> On 10 January 2017 at 01:04, Warren Block wrote:
>> On Tue, 10 Jan 2017, Bill Yuan wrote:
>>
>> Hi,
>> Need support here. I just noticed my machine is busy and a process is the
>> root cause. I am not familiar with the memory/SWAP. Can someone please help
>> to take a look? If any info is required, please let me know.
>>
>> #top
>> 52 processes:  1 running, 50 sleeping, 1 zombie
>> CPU:  3.5% user,  0.0% nice,  0.6% system,  0.0% interrupt, 95.9% idle
>> Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
>> Swap: 2100M Total, 2100M Free
>>
>>   PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
>> 25592 root            10  25    0   778M  9272K uwait   3   0:38  19.02% .swap
>> 25599 root             1  20    0  7416K  2596K CPU0    0   0:00   0.11% top
>>
>> #ps -axd | grep swap
>> 25481  0  S+       0:00.00 | |   `-- grep swap
>> 22927  -  Ss     172:10.74 |-- /tmp/.swap
>>
>> #uname -a
>> FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu
>> Sep 29 03:40:55 UTC 2016
>> root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
>>
>>
>> That does not look good to me.  A hidden file named ".swap" that
>> is *running*, and as root?  I would immediately disconnect that
>> machine from the net and then check to see if that's a compromise,
>> because it sure looks fishy.
>
>> It is inside my dev environment, but I want to know what it is.
>
> It is not a standard file, let's start with that. Again, I would
> isolate it until I was very sure it was not a problem.

This sounds to me like a compromised system as well. There are two
indications of an attempt to disguise it: the name of the file and the
fact that it is an "invisible" file ( .xxxxx ).

>
> Do you have some sort of blogging software or exploitable PHP web thing
> installed?

This is another question: how the compromise happened. It quite likely is
a combination of an exploitable service and local elevation of privileges,
as daemons listening on external ports are usually run as non-privileged
users, except for a few like sshd (and sendmail in the past - I don't know
how it is now; I have used postfix for almost two decades).

I really would at this point switch effort to forensics on the system, as
Warren suggests: go briefly over the few things that can disappear upon
taking the system offline (if the "hacker" is a careful one), then
disconnect the box from the network, and investigate the rest offline. It
is big work; good forensics can take weeks. There is no room to describe
it on the list.

Good luck!

Valeri

>
> Can this questionable file be killed without coming back?
> pkill .swap
> pgrep .swap
>
> What kind of file is it?
> file /tmp/.swap
>
> When was it put there?
> ls -lh /tmp/.swap
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
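The triage both replies describe (spot root processes running out of scratch directories or under dot-prefixed names, then record what the process is and what it holds open before it is killed) as an added example, not code from either poster; it assumes `ps -axo user,pid,command` style input for the scanner and FreeBSD `fstat`/`sockstat`/`sha256` with Linux `lsof`/`ss`/`sha256sum` fallbacks for the evidence step.

```shell
#!/bin/sh
# Added example: first-pass triage for a process like /tmp/.swap.
# Assumed inputs: `ps -axo user,pid,command` output on stdin for the scanner,
# a live PID and an output directory for the evidence step.

# Print "user pid command" for every process whose executable path lives in a
# scratch directory (/tmp, /var/tmp, /dev/shm) or whose basename starts with
# a dot; the header line is skipped.
flag_suspect_procs() {
    awk 'NR > 1 {
        user = $1; cmd = $3; n = split(cmd, parts, "/"); base = parts[n]
        if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\// || base ~ /^\./)
            print user, $2, cmd
    }'
}

# Preserve evidence for PID $1 into directory $2 BEFORE anything is killed:
# process details and start time, a copy and hash of the binary, its file
# type and mtime, open descriptors, and the current socket table.
preserve_evidence() {
    pid="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    ps -o user,pid,ppid,lstart,command -p "$pid" > "$outdir/ps.txt" 2>/dev/null
    exe=$(ps -o command= -p "$pid" 2>/dev/null | awk '{print $1}')
    if [ -n "$exe" ] && [ -f "$exe" ]; then
        ls -l "$exe" > "$outdir/ls.txt"                 # owner, mode, mtime
        file "$exe" > "$outdir/file.txt" 2>/dev/null    # script? ELF? stripped?
        cp "$exe" "$outdir/binary.bin"                  # keep a copy for analysis
        (sha256 "$exe" 2>/dev/null || sha256sum "$exe") > "$outdir/hash.txt"
    fi
    if command -v fstat >/dev/null 2>&1; then fstat -p "$pid" > "$outdir/fds.txt"
    elif command -v lsof >/dev/null 2>&1; then lsof -p "$pid" > "$outdir/fds.txt"
    fi
    if command -v sockstat >/dev/null 2>&1; then sockstat -4 -6 > "$outdir/net.txt"
    elif command -v ss >/dev/null 2>&1; then ss -tunap > "$outdir/net.txt"
    fi
    return 0
}
```

Run `ps -axo user,pid,command | flag_suspect_procs` to get the candidate list, then `preserve_evidence 22927 /root/evidence-swap` on a flagged PID before `pkill`, so the mtime, hash and open sockets survive the kill.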