Hey all,

I noticed that my puppet server running CentOS 6.5 was acting a little pokey.

So I logged in and did what well just about anyone would've done. And ran the uptime command to have a look at the load. And it was astonishingly high!

[root at puppet:~] #uptime
 21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52

So then I had a look at top and saw a LOT of processes by the name of smartvd.

7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd

So my question to you is what the HELL is smartvd ? Seems like a virus to me. And of course how do I get rid of it?

Also curious what whitptabil is and how to get rid of it.

I tried doing a search for both:

[root at puppet:~] #rpm -qa | grep smartvd
[root at puppet:~] #
[root at puppet:~] #find / -name smartvd
[root at puppet:~] #
[root at puppet:~] #rpm -qa | grep whitptabil
[root at puppet:~] #find / -name whitptabil
/etc/whitptabil
[root at puppet:~] #

At least I found a file associated with the latter.

Really really curious here, guys. What do y'all think???

Thanks
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

A quick Google for "smarvtd" returns results for both the smarvtd and whitptabil and they appear to be potential malware.

Does a ps faux | grep smarvtd return a full path to the file that is running? How about top -c?

Sent from Mailbox

On Fri, Oct 3, 2014 at 9:35 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
> Hey all,
> I noticed that my puppet server running CentOS 6.5 was acting a little
> pokey.
> So I logged in and did what well just about anyone would've done. And ran
> the uptime command to have a look at the load. And it was astonishingly
> high!
> [root at puppet:~] #uptime
> 21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52
> So then I had a look at top and saw a LOT of processes by the name of
> smartvd.
> 7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
> 5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
> 2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
> 2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
> 3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
> 3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
> 3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
> 3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
> 4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
> 4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
> 5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
> 6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
> 6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
> 6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
> 7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
> 7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
> 8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
> 26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
> 2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
> 4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
> 5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
> 7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd
> So my question to you is what the HELL is smartvd ? Seems like a virus to
> me. And of course how do I get rid of it?
> Also curious what whitptabil is and how to get rid of it.
> I tried doing a search for both:
> [root at puppet:~] #rpm -qa | grep smartvd
> [root at puppet:~] #
> [root at puppet:~] #find / -name smartvd
> [root at puppet:~] #
> [root at puppet:~] #rpm -qa | grep whitptabil
> [root at puppet:~] #find / -name whitptabil
> /etc/whitptabil
> [root at puppet:~] #
> At least I found a file associated with the latter.
> Really really curious here, guys. What do y'all think???
> Thanks
> Tim
> --
> GPG me!!
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

On 04.10.2014 at 03:34, Tim Dunphy wrote:
> Hey all,
>
> I noticed that my puppet server running CentOS 6.5 was acting a little
> pokey.
>
> So I logged in and did what well just about anyone would've done. And ran
> the uptime command to have a look at the load. And it was astonishingly
> high!
>
> [root at puppet:~] #uptime
> 21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52
>
>
> So then I had a look at top and saw a LOT of processes by the name of
> smartvd.
>
>
> 7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
> 5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
> 2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
> 2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
> 3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
> 3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
> 3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
> 3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
> 4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
> 4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
> 5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
> 6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
> 6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
> 6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
> 7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
> 7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
> 8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
> 26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
> 2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
> 4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
> 5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
> 7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd
>
> So my question to you is what the HELL is smartvd ? Seems like a virus to
> me. And of course how do I get rid of it?
>
> Also curious what whitptabil is and how to get rid of it.

[ ... ]

> Really really curious here, guys. What do y'all think???
>
> Thanks
> Tim

Take the system off. Save the content for later forensics and then reinstall the system from scratch.

What's running is malware

http://v.virscan.org/Backdoor.Linux.Mayday.f.html

It is typical for such backdoors to camouflage as programs with a known name: whitptabil versus whiptail and smarvtd versus smartd.

Alexander
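
The name camouflage described in the last reply can be checked for mechanically. The following is an added example, not part of the original thread: it flags command names in top output that are not on an allowlist but sit within a small edit distance of a name that is. The `KNOWN` allowlist, the `max_dist` threshold and the two benign sample rows are assumptions made for illustration.

```python
# Assumed allowlist of command names expected on this host (hypothetical;
# build the real one from your package database or a known-good baseline).
KNOWN = {"smartd", "whiptail", "sshd", "crond", "rsyslogd", "puppet", "top"}

# First two rows are copied from the top output in the thread;
# the sshd and crond rows are constructed for the example.
SAMPLE_TOP = """\
7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
1201 root 20 0 66m 1200 0 S 0.0 0.1 0:00.10 sshd
1350 root 20 0 114m 1300 0 S 0.0 0.1 0:00.42 crond
"""

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def parse_top(text):
    """Yield (pid, command) from top's default twelve columns."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 12 and f[0].isdigit():
            yield int(f[0]), f[11]

def lookalikes(text, known=KNOWN, max_dist=2):
    """Map each unknown near-miss command to (closest known name, distance, pids)."""
    hits = {}
    for pid, cmd in parse_top(text):
        if cmd in known:
            continue
        name, dist = min(((k, edit_distance(cmd, k)) for k in known),
                         key=lambda t: (t[1], t[0]))
        if dist <= max_dist:
            hits.setdefault(cmd, (name, dist, []))[2].append(pid)
    return hits

if __name__ == "__main__":
    for cmd, (name, dist, pids) in lookalikes(SAMPLE_TOP).items():
        print(f"{cmd}: {dist} edit(s) from {name}, pids {pids}")
```

The command name top shows is set by the process itself, so a name that is on the allowlist proves nothing; resolving /proc/<pid>/exe and asking rpm -qf which package owns that path covers that case.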