Rogue process on Ubuntu [duplicate]

When you say VPS, do you mean a virtual server, running in a virtualisation solution, like KVM?

300% CPU simply means it's running on 3 cores at any one time. If it's a virtual server and has been allocated 3 cores, then if it's doing something, all allocated CPUs should be busy. To find out what it's doing, you'll need to connect to the server and run top or ps there.


You can find out what the process is running by listing the exe link in the process directory: if the PID you see in top is 666, then execute ls -l /proc/666/exe.

That will (or at least should) show a -> arrow towards a file that you can analyze.

However, the name of the file is random, and that indicates with some confidence that your server has been compromised, and that you need to take immediate corrective actions which are out of the scope of this short answer. The best is to make sure that everything is backed up, and replace the VPS with an up-to-date OS. You want to determine how the intruder got in and make sure the new server does not have the same problem (change password, make sure any services offered to the Internet are secure, etc.)

    • Just rebooting will correct the symptom, but only for a time, because it will not correct the vulnerability that caused the problem. You need to audit the server -- you probably do not need a top-notch professional to do it, but you do need someone competent in Linux server security.
    • Since I could not even ssh into the VPS, I took no chance and rebooted, as the service provider was understandably complaining. I will try to keep track of this in the coming hours to see if something similar pops up its ugly head anew.

I would issue ps -ef and grep for the process. The columns in the ps output are UID, PID, PPID, C, STIME, TTY, TIME and CMD. Look at the PPID column to determine which parent process launched cER6XH. Re-issue the ps command and grep for the parent process PID. Eventually, you should find out which binaries are involved and possibly track down which application should be investigated further.

An easier method (depending on how busy your system is) may be the pstree command, but pipe the output to less so you can view the pages of info in a sane way.

edit: reading the comment from @Law29: although the process name is a non-standard *nix utility and does look fishy, it's possible that another process you are running created a temporary shell script and forked something. The process name alone isn't a tell-tale sign of a compromise.

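The two answers above describe the same triage by hand: resolve `/proc/PID/exe` to see what binary is actually running, then follow the PPID column of `ps -ef` upward to find which parent started it. The script below is an added example, not code from either answer, that does both steps for one PID in portable shell. It assumes a Linux host for the `/proc/PID/exe` symlink (it falls back to the `ps` command name elsewhere) and uses only POSIX `ps -o` columns, so the PPID walk works on any Unix. The "suspicious location" check is a constructed heuristic for this example: an executable that has been deleted from disk, or that lives under `/tmp`, `/var/tmp` or `/dev/shm`, is worth a closer look, but a match is a reason to investigate, not proof of compromise (the edit in the last answer makes the same point).

```shell
#!/bin/sh
# Added example (not from the original answers): triage one PID by resolving
# its executable and walking the parent chain, the way the answers describe.

# Print the executable path for a PID. On Linux this reads the /proc/PID/exe
# symlink (the method from the first answer); elsewhere it falls back to the
# command name that ps reports.
proc_exe() {
    pid=$1
    if [ -L "/proc/$pid/exe" ]; then
        readlink "/proc/$pid/exe" 2>/dev/null
    else
        ps -o comm= -p "$pid" 2>/dev/null
    fi
}

# Print "PID PPID COMMAND" lines from the given PID up to init, following the
# PPID column that ps -ef shows (requested here explicitly with -o so the
# output has no header and fixed column order).
proc_ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        line=$(ps -o pid= -o ppid= -o comm= -p "$pid" 2>/dev/null) || break
        [ -n "$line" ] || break
        echo "$line"
        ppid=$(echo "$line" | awk '{print $2}')
        [ "$ppid" != "$pid" ] || break
        pid=$ppid
    done
}

# Return 0 (true) when the executable path shows a common indicator of a
# dropped binary: its on-disk image was deleted, or it lives in a
# world-writable scratch directory. Constructed heuristic for this example;
# a match means "investigate", not "compromised".
exe_looks_suspicious() {
    case "$1" in
        *"(deleted)"*|/tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report for one PID, e.g. the one seen at 300% CPU in top.
triage_pid() {
    pid=$1
    exe=$(proc_exe "$pid") || exe=""
    echo "pid $pid exe: ${exe:-unknown}"
    if exe_looks_suspicious "$exe"; then
        echo "  -> executable location warrants investigation"
    fi
    echo "ancestry (pid ppid command):"
    proc_ancestry "$pid" | sed 's/^/  /'
}

# Usage: triage_pid 666   (substitute the PID shown by top)
```

Run `triage_pid <PID>` as a user allowed to read that process's `/proc` entry (root for processes owned by other users). If the `exe` link reads as unknown, the process may have exited, or `/proc` may be mounted with `hidepid`; the ancestry walk still works from the `ps` columns alone.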

This article is reproduced from Stack Exchange / Stack Overflow.