/tmp/swap is causing my CPU busy

Valeri Galtsev galtsev at kicp.uchicago.edu
Tue Jan 10 04:35:33 UTC 2017


On Mon, January 9, 2017 10:09 pm, Warren Block wrote:
> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
>> On 10 January 2017 at 01:04, Warren Block <wblock at wonkity.com> wrote:
>>       On Tue, 10 Jan 2017, Bill Yuan wrote:
>>
>>             Hi,
>>             Need support here. I just noticed my machine is busy and a
>>             process is the root cause. I am not familiar with the
>>             memory/SWAP. Can someone please help to take a look? Is any
>>             info required? Please let me know.
>>
>>             #top
>>             52 processes:  1 running, 50 sleeping, 1 zombie
>>             CPU:  3.5% user,  0.0% nice,  0.6% system,  0.0% interrupt, 95.9% idle
>>             Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
>>             Swap: 2100M Total, 2100M Free
>>
>>              PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
>>             25592 root            10  25    0   778M  9272K uwait   3   0:38  19.02% .swap
>>             25599 root             1  20    0  7416K  2596K CPU0    0   0:00   0.11% top
>>
>>             #ps -axd | grep swap
>>             25481  0  S+       0:00.00 | |   `-- grep swap
>>             22927  -  Ss     172:10.74 |-- /tmp/.swap
>>
>>             #uname -a
>>             FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu Sep 29 03:40:55 UTC 2016     root at releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
>>
>>
>>       That does not look good to me.  A hidden file named ".swap" that
>> is *running*, and as root?  I would immediately disconnect that
>> machine from the net and then check to see if that's a compromise,
>> because it sure looks fishy.
>
>> It is inside my dev environment, but I want to know what it is.
>
> It is not a standard file, let's start with that.  Again, I would
> isolate it until I was very sure it was not a problem.

This sounds to me like a compromised system as well. There are two
indications of an attempt to disguise it: the name of the file and the fact
that it is an "invisible" file ( .xxxxx ).

>
> Do you have some sort of blogging software or exploitable PHP web thing
> installed?

This is another question: how the compromise happened. It is quite likely
the combination of an exploitable service and local elevation of privileges,
as daemons listening on external ports are usually run as non-privileged
users, except for a few like sshd (and sendmail in the past - I don't know
how it is now; I have used postfix for almost two decades).

I really would at this point switch effort to forensics on the system, as
Warren suggests: go briefly over the few things that can disappear upon
taking the system offline (if the "hacker" is a careful one), then disconnect
the box from the network, and investigate the rest offline. It is big work;
good forensics can take weeks. There is no room to describe it on the list.

Good luck!

Valeri

>
> Can this questionable file be killed without coming back?
>    pkill .swap
>    pgrep .swap
>
> What kind of file is it?
>    file /tmp/.swap
>
> When was it put there?
>    ls -lh /tmp/.swap


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
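The two things the thread converges on, spotting a process that runs from a hidden file in a scratch directory and saving the volatile state before the box is unplugged, as an added example that is not from the thread, from FreeBSD, or from any of the posters. The ps sample is constructed to mirror the quoted `ps -axd` output; the function names are my own; `sockstat`, `procstat` and `sha256` are assumed to be the FreeBSD 11 base-system tools, and every call to them is guarded so the script still runs elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread). Two parts:
#  1. flag_hidden_scratch_procs: scan `ps -axd`-style text for processes
#     whose executable is a dot-prefixed file under a scratch directory,
#     the pattern in the quoted output (/tmp/.swap).
#  2. capture_volatile: record what disappears once the box is unplugged
#     or the process is killed, *before* going offline for full forensics.
# SAMPLE_PS is constructed, modelled on the quoted ps output.

SAMPLE_PS='  PID TT  STAT       TIME COMMAND
25481  0  S+       0:00.00 | |   `-- grep swap
22927  -  Ss     172:10.74 |-- /tmp/.swap
  812  -  Is       0:00.03 /usr/sbin/sshd
 1337  -  S        0:01.20 | `-- /var/tmp/.cache/update
  901  -  Is       0:00.01 /usr/sbin/cron'

# Reads ps -axd text on stdin; prints "PID<TAB>PATH" for each process whose
# command is an absolute path under /tmp, /var/tmp or /dev/shm containing a
# dot-prefixed path component. Exit status 0 if anything was flagged, 1 if not.
flag_hidden_scratch_procs() {
    awk '
    NR == 1 { next }                       # column header
    {
        cmd = ""
        # ps -axd draws the process tree with "|" and "`--" tokens before
        # the command; take the first field that looks like an absolute path.
        for (i = 5; i <= NF; i++)
            if ($i ~ /^\//) { cmd = $i; break }
        if (cmd == "") next
        if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\// && cmd ~ /\/\.[^\/]+/) {
            print $1 "\t" cmd
            hits++
        }
    }
    END { exit (hits > 0 ? 0 : 1) }'
}

# capture_volatile PID PATH OUTDIR
# Assumes FreeBSD base tools (sockstat, procstat, sha256); each is guarded
# so the function degrades gracefully on other systems. Collect first,
# disconnect second.
capture_volatile() {
    pid=$1; path=$2; dest=$3
    mkdir -p "$dest" || return 1
    ps -axdww > "$dest/ps.txt" 2>&1                     # full tree, unwrapped
    command -v sockstat >/dev/null 2>&1 && sockstat -46 > "$dest/sockstat.txt" 2>&1
    if command -v procstat >/dev/null 2>&1; then
        procstat -b "$pid" > "$dest/procstat-binary.txt" 2>&1  # what the kernel executed
        procstat -f "$pid" > "$dest/procstat-files.txt" 2>&1   # open files and sockets
    fi
    # Warren's checks, saved to disk rather than eyeballed
    file "$path" > "$dest/file.txt" 2>&1
    ls -lh "$path" > "$dest/ls.txt" 2>&1
    # /tmp is commonly cleared at boot; keep a copy and a hash of the binary
    if [ -f "$path" ]; then
        cp -p "$path" "$dest/binary.bin"
        if command -v sha256 >/dev/null 2>&1; then sha256 -q "$path"; else sha256sum "$path"; fi \
            > "$dest/binary.sha256"
    fi
}

if [ $# -eq 3 ]; then
    capture_volatile "$1" "$2" "$3"
else
    # Demo on the constructed sample: flags 22927 /tmp/.swap and
    # 1337 /var/tmp/.cache/update, leaves sshd and cron alone.
    printf '%s\n' "$SAMPLE_PS" | flag_hidden_scratch_procs
fi
```

Run without arguments it scans the embedded sample; on the affected machine, `ps -axd | sh thisscript.sh` style piping into `flag_hidden_scratch_procs` gives the live list, and `sh thisscript.sh 22927 /tmp/.swap /root/triage` captures the evidence into a directory that can be copied off before the cable is pulled. The detection rule is deliberately narrow (hidden name in a world-writable scratch directory) so it matches the disguise Valeri describes without flagging legitimate daemons.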

