/tmp/swap is causing my CPU busy

Bill Yuan bycn82 at gmail.com
Tue Jan 10 04:38:31 UTC 2017


Confirmed. Someone hacked into my DEV environment; the password is too insecure :(
Thanks.

On 10 January 2017 at 12:09, Warren Block <wblock at wonkity.com> wrote:

> On Tue, 10 Jan 2017, Bill Yuan wrote:
>
> On 10 January 2017 at 01:04, Warren Block <wblock at wonkity.com> wrote:
>>       On Tue, 10 Jan 2017, Bill Yuan wrote:
>>
>>             Hi,
>>             Need support here. I just noticed my machine is busy and a process is the
>>             root cause. I am not familiar with the memory/SWAP. Can someone please help
>>             to take a look? Is any info required? Please let me know.
>>
>>             #top
>>             52 processes:  1 running, 50 sleeping, 1 zombie
>>             CPU:  3.5% user,  0.0% nice,  0.6% system,  0.0% interrupt, 95.9% idle
>>             Mem: 53M Active, 997M Inact, 133M Wired, 44M Buf, 791M Free
>>             Swap: 2100M Total, 2100M Free
>>
>>               PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
>>             25592 root            10  25    0   778M  9272K uwait   3   0:38  19.02% .swap
>>             25599 root             1  20    0  7416K  2596K CPU0    0   0:00   0.11% top
>>
>>             #ps -axd | grep swap
>>             25481  0  S+       0:00.00 | |   `-- grep swap
>>             22927  -  Ss     172:10.74 |-- /tmp/.swap
>>
>>             #uname -a
>>             FreeBSD NetGate1 11.0-RELEASE-p1 FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu Sep 29 03:40:55 UTC 2016     root at releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  i386
>>
>>
>>       That does not look good to me.  A hidden file named ".swap" that is
>> *running*, and as root?  I would immediately disconnect that machine from
>> the net and then check to see if that's a compromise, because it sure looks
>> fishy.
>>
>
> It is inside my dev environment, but I want to know what it is.
>>
>
> It is not a standard file, let's start with that.  Again, I would isolate
> it until I was very sure it was not a problem.
>
> Do you have some sort of blogging software or exploitable PHP web thing
> installed?
>
> Can this questionable file be killed without coming back?
>   pkill .swap
>   pgrep .swap
>
> What kind of file is it?
>   file /tmp/.swap
>
> When was it put there?
>   ls -lh /tmp/.swap
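The checks Warren lists above (who runs it, where it lives, how much CPU it eats, whether it is a hidden dotfile) can be turned into a small triage heuristic that runs over process-list output and flags entries like /tmp/.swap for a closer look. The script below is an added example written for this page; it is not part of the thread and not a FreeBSD tool. It assumes input in the shape of `ps -axo pid,user,pcpu,args` (header line, then one process per line), and the process list embedded in it is constructed to mirror the situation in the thread.

```python
"""Flag processes that look like the /tmp/.swap case in the thread:
an executable living in a world-writable scratch directory and/or a
dot-prefixed (hidden) name, made worse when it runs as root and burns CPU.

Expected input: output of  ps -axo pid,user,pcpu,args  (one header line,
then one process per line). SAMPLE_PS below is constructed for this example.
"""
from dataclasses import dataclass

# Directories where a legitimate long-running daemon should not live.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    pid: int
    user: str
    cpu: float
    cmd: str
    reasons: list


def parse_ps(text):
    """Yield (pid, user, pcpu, args) tuples, skipping the header line."""
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, cpu, args = parts
        yield int(pid), user, float(cpu), args


def suspicious_reasons(user, cpu, args, cpu_threshold=10.0):
    """Return the list of reasons a process entry deserves a look (empty = none).

    Only the location and hidden-name tests trigger a finding on their own;
    root ownership and CPU use are added as aggravating factors.
    """
    exe = args.split()[0]
    reasons = []
    if exe.startswith(SCRATCH_DIRS):
        reasons.append("executable under a scratch directory")
    if exe.rsplit("/", 1)[-1].startswith("."):
        reasons.append("hidden (dot-prefixed) executable name")
    if reasons and user == "root":
        reasons.append("running as root")
    if reasons and cpu >= cpu_threshold:
        reasons.append(f"sustained CPU use {cpu:.1f}%")
    return reasons


def scan(text):
    """Run the heuristic over a whole ps listing and return the findings."""
    return [
        Finding(pid, user, cpu, args, reasons)
        for pid, user, cpu, args in parse_ps(text)
        if (reasons := suspicious_reasons(user, cpu, args))
    ]


# Constructed sample listing, modelled on the top/ps output in the thread.
SAMPLE_PS = """\
  PID USER     %CPU ARGS
22927 root     19.0 /tmp/.swap
25599 root      0.1 top
  801 www       0.0 /usr/local/sbin/httpd -DNOHTTPACCEPT
  612 root      0.0 /usr/sbin/cron -s
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PS):
        print(f"pid {f.pid} ({f.user}, {f.cpu}% CPU) {f.cmd}: " + "; ".join(f.reasons))
```

On the constructed listing only pid 22927 is reported, with all four reasons; `top`, `httpd` and `cron` pass. The heuristic is deliberately narrow (path and name only), so it complements rather than replaces the `file`, `ls -lh` and kill-and-watch checks in the reply above.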

