Quote:
Originally Posted by tellme
I have a user nobody running a process named fiberlamp that uses high CPU on my old Ubuntu 12.04 mailserver.
In the top command the process is in the top 3 of processes:
23792 nobody 30 10 32744 2328 1524 S 9 0.0 0:50.85 fiberlamp
When I killed the process with sudo kill 23792, the user nobody came back with the process fuzzyflakes
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1572 root 20 0 159m 46m 14m S 39 0.8 528:33.38 Xorg
1320 nobody 30 10 32076 1784 1420 S 4 0.0 0:15.72 fuzzyflakes
11598 bind 20 0 739m 88m 13m S 2 1.5 0:33.90 named
1344 ebox 20 0 10956 2080 896 S 1 0.0 0:17.66 redis-server
2894 root 20 0 1875m 215m 62m S 0 3.7 2:42.19 firefox
12036 root 20 0 516m 32m 1648 S 0 0.6 0:01.72 samba
12059 root 20 0 210m 3044 1620 S 0 0.1 0:01.03 nmbd
Where can I find the file or command that triggers this malware, or how can I disable user nobody from running processes?
Thanks for all input
Alex
Thanks for all input. I have solved this problem, and user TB0ne is absolutely right: it was related to the xscreensaver process, so I killed that and so far the system works like a rocket again! These were my actions, thanks all!
root@linuxserver:~# < /etc/passwd grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
root@linuxserver:/etc# sudo chsh -s /usr/sbin/nologin nobody --> command to disable and deny the shell (sh) for user nobody
root@linuxserver:/etc# < /etc/passwd grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
root@linuxserver:/etc# ps aux | grep nobody
nobody 2884 0.0 0.0 59640 3864 ? S 03:52 0:00 xscreensaver -no-splash
root 13648 0.0 0.0 8124 940 pts/13 S+ 20:58 0:00 grep --color=auto nobody
root@linuxserver:/etc# killall -9 xscreensaver
Last login: Mon Apr 3 19:32:59 2023 from 192.XXX.XXX.XXX
root@linuxserver:~# ps aux | grep nobody
root 32624 0.0 0.0 8120 944 pts/12 S+ 02:04 0:00 grep --color=auto nobody
root@linuxserver:~#
Last login: Tue Apr 4 02:04:14 2023 from 192.XXX.XXX.XXX
root@linuxserver:~# ps aux | grep nobody
root 16280 0.0 0.0 8120 940 pts/12 S+ 20:21 0:00 grep --color=auto nobody
root@linuxserver:~#
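
An added example, not part of the original post: one way to answer "what keeps starting these processes" is to walk each process's parent chain instead of killing the child. The function names and the sample table (including its PIDs and parent links) are constructed for illustration, and the sample assumes, as the post concludes, that xscreensaver was the process starting fuzzyflakes.

```shell
#!/bin/sh
# Constructed sample in the layout of `ps -eo pid,ppid,user,comm`.
# PIDs and parent links are invented for illustration.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     init
 1100     1 root     lightdm
 1572  1100 root     Xorg
 2884     1 nobody   xscreensaver
 1320  2884 nobody   fuzzyflakes
11598     1 bind     named'

# ancestry PID [TABLE]: print the parent chain of PID, child first.
# TABLE defaults to the live process table. Only the first word of a
# command name is kept, which is enough to identify the parent.
ancestry() {
    table=${2:-$(ps -eo pid,ppid,user,comm)}
    printf '%s\n' "$table" | awk -v pid="$1" '
        NR > 1 { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
        END {
            out = ""
            # the hop limit guards against a malformed table that loops
            for (hops = 0; (pid in ppid) && hops < 64; hops++) {
                out = out (out == "" ? "" : " <- ") comm[pid] "[" pid "," user[pid] "]"
                pid = ppid[pid]
            }
            print out
        }'
}

# chains_for_user USER [TABLE]: one parent chain per process owned by USER.
chains_for_user() {
    table=${2:-$(ps -eo pid,ppid,user,comm)}
    printf '%s\n' "$table" |
        awk -v u="$1" 'NR > 1 && $3 == u { print $1 }' |
        while read -r p; do
            ancestry "$p" "$table"
        done
}

# Demo on the constructed table; drop the second argument to inspect
# the running system instead.
chains_for_user nobody "$SAMPLE_PS"
```

The oldest ancestor still owned by the same user is the process to investigate or stop; killing only the leaf lets the parent start a replacement.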