<div dir="ltr"><div><font face="monospace, monospace">[root@dxcluster2 log]# grep -r convkeps /etc</font></div><div><font face="monospace, monospace">[root@dxcluster2 log]# grep convkeps /home/*/.forward</font></div><div><font face="monospace, monospace">grep: /home/*/.forward: No such file or directory</font></div><div><font face="monospace, monospace">[root@dxcluster2 log]#</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">No output from either. </font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Mike</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">As an aside: </font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">Here is where I start to see some concerning issues. It is the 'Starting Session x of user root'. If I do a who, there don't appear to be any additional root logins. This seems to be a known problem and I need to do more googling on the solution. This is not my problem running out of resources. 
</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">This is going on now:</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"><div>Feb 21 22:01:02 dxcluster2 systemd: Started Session 4 of user root.</div><div>Feb 21 22:01:02 dxcluster2 systemd: Starting Session 4 of user root.</div><div>Feb 21 22:40:50 dxcluster2 kernel: perf: interrupt took too long (2508 > 2500), lowering kernel.perf_event_max_sample_rate to 79000</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: disconnect from AP ec:08:6b:c0:8b:16 for new auth to 18:a6:f7:c1:4e:04</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: authenticate with 18:a6:f7:c1:4e:04</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: send auth to 18:a6:f7:c1:4e:04 (try 1/3)</div><div>Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info> [1487734965.3273] device (wls33): supplicant interface state: completed -> authenticating</div><div>Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <warn> [1487734965.3327] sup-iface[0x7fde5d4c2360,wls33]: connection disconnected (reason 1)</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: authenticated</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: associate with 18:a6:f7:c1:4e:04 (try 1/3)</div><div>Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info> [1487734965.3481] device (wls33): supplicant interface state: authenticating -> associating</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: RX AssocResp from 18:a6:f7:c1:4e:04 (capab=0x431 status=0 aid=1)</div><div>Feb 21 22:42:45 dxcluster2 kernel: wls33: associated</div><div>Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info> [1487734965.3568] device (wls33): supplicant interface state: associating -> 4-way handshake</div><div>Feb 21 22:42:45 dxcluster2 NetworkManager[667]: <info> [1487734965.3659] device (wls33): supplicant interface state: 4-way handshake -> completed</div><div>Feb 21 22:48:47 dxcluster2 
systemd-logind: New session 5 of user root.</div><div>Feb 21 22:48:47 dxcluster2 systemd: Started Session 5 of user root.</div><div>Feb 21 22:48:47 dxcluster2 systemd: Starting Session 5 of user root.</div><div>Feb 21 23:01:01 dxcluster2 systemd: Started Session 6 of user root.</div><div>Feb 21 23:01:01 dxcluster2 systemd: Starting Session 6 of user root.</div><div>Feb 21 23:10:12 dxcluster2 kernel: perf: interrupt took too long (3136 > 3135), lowering kernel.perf_event_max_sample_rate to 63000</div><div>Feb 22 00:01:01 dxcluster2 systemd: Started Session 7 of user root.</div><div>Feb 22 00:01:01 dxcluster2 systemd: Starting Session 7 of user root.</div><div>Feb 22 00:01:17 dxcluster2 kernel: perf: interrupt took too long (3927 > 3920), lowering kernel.perf_event_max_sample_rate to 50000</div><div>Feb 22 00:02:29 dxcluster2 kernel: perf: interrupt took too long (4912 > 4908), lowering kernel.perf_event_max_sample_rate to 40000</div><div>Feb 22 00:05:49 dxcluster2 kernel: perf: interrupt took too long (6147 > 6140), lowering kernel.perf_event_max_sample_rate to 32000</div><div>Feb 22 01:01:01 dxcluster2 systemd: Started Session 8 of user root.</div><div>Feb 22 01:01:01 dxcluster2 systemd: Starting Session 8 of user root.</div><div>Feb 22 02:01:01 dxcluster2 systemd: Started Session 9 of user root.</div><div>Feb 22 02:01:01 dxcluster2 systemd: Starting Session 9 of user root.</div><div>Feb 22 03:01:01 dxcluster2 systemd: Started Session 10 of user root.</div><div>Feb 22 03:01:01 dxcluster2 systemd: Starting Session 10 of user root.</div><div>Feb 22 04:01:01 dxcluster2 systemd: Started Session 11 of user root.</div><div>Feb 22 04:01:01 dxcluster2 systemd: Starting Session 11 of user root.</div><div>Feb 22 05:01:01 dxcluster2 systemd: Started Session 12 of user root.</div><div>Feb 22 05:01:01 dxcluster2 systemd: Starting Session 12 of user root.</div><div>Feb 22 06:01:01 dxcluster2 systemd: Started Session 13 of user root.</div><div>Feb 22 06:01:01 dxcluster2 systemd: 
Starting Session 13 of user root.</div><div>Feb 22 06:42:32 dxcluster2 dhclient[724]: DHCPREQUEST on ens32 to 192.168.113.1 port 67 (xid=0x3065af1a)</div><div>Feb 22 06:42:32 dxcluster2 dhclient[724]: DHCPACK from 192.168.113.1 (xid=0x3065af1a)</div><div>Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info> [1487763752.8693] dhcp4 (ens32): address 192.168.113.151</div><div>Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info> [1487763752.8698] dhcp4 (ens32): plen 24 (255.255.255.0)</div><div>Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info> [1487763752.8699] dhcp4 (ens32): gateway 192.168.113.1</div><div>Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info> [1487763752.8699] dhcp4 (ens32): server identifier 192.168.113.1</div><div>Feb 22 06:42:32 dxcluster2 NetworkManager[667]: <info> [1487763752.8700] dhcp4 (ens32): lease time 86400</div><div><br></div></font></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 10:55 AM, Dirk Koopman via Dxspider-support <span dir="ltr"><<a href="mailto:dxspider-support@dxcluster.org" target="_blank">dxspider-support@dxcluster.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_2247224448611900781moz-cite-prefix">If you are not using it, go ahead. But
it does make updating slightly more challenging. I'd go look for a
.forward file and/or /etc/aliases that has convkeps in it.<br>
<br>
Try (as root):<br>
<br>
grep -r convkeps /etc<br>
<br>
and <br>
<br>
grep convkeps /home/*/.forward<br>
<br>
If you send me some details off list and open your firewall to an
IP address I'll give you, I can go and look. These things don't
happen by magic. <br>
<br>
Dirk<div><div class="h5"><br>
<br>
On 22/02/17 13:29, Michael Walker via Dxspider-support wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">I pulled out the image so I can reply.
<div><br>
</div>
<div>There are no cron jobs either root or sysop. This is a new
build.</div>
<div><br>
</div>
<div>However, something started to log in as root and there were
over 500 of them. I will need to spend a lot more time going
through the logs to see if I can see anything unusual. Since
I don't do this for a living, that is going to take a while.</div>
<div><br>
</div>
<div>I have changed the root password, but I am not sure that
will help if the way they got in was via some other method. </div>
<div><br>
</div>
<div>The cluster runs under sysop. </div>
<div><br>
</div>
<div>Can I rename <a href="http://convkeps.pl" target="_blank">convkeps.pl</a> so it doesn't
execute?</div>
<div><br>
</div>
<div>Mike <br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 22, 2017 at 7:50 AM,
Michael Walker <span dir="ltr"><<a href="mailto:mike@portcredit.net" target="_blank">mike@portcredit.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks Dirk
<div><br>
</div>
<div>Not that I can see. In fact, I don't have any
crons listed under root or sysop.</div>
<div><br>
</div>
<div>Mike va3mw</div>
<div><br>
</div>
</div>
<div class="m_2247224448611900781HOEnZb">
<div class="m_2247224448611900781h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 22, 2017 at
7:27 AM, Dirk Koopman via Dxspider-support <span dir="ltr"><<a href="mailto:dxspider-support@dxcluster.org" target="_blank">dxspider-support@dxcluster.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_2247224448611900781m_7355281552786399834m_-261766008267968091moz-cite-prefix">Do
you have a (dxspider) cron job that is
trying to run <a href="http://convkeps.pl" target="_blank">convkeps.pl</a>?
Normally I would expect this to be a
system job that is triggered by an
incoming email (containing keps) being
redirected to <a href="http://convkeps.pl" target="_blank">convkeps.pl</a> from an
aliases or .forward file. It may also be
the case that, since this program hasn't
been touched since 2007, formats have
changed and it is looping, then eventually
dying or killed off by the Linux space
reaper when it needs some extra RAM and it
can't get it any other way.<br>
<br>
Dirk
<div>
<div class="m_2247224448611900781m_7355281552786399834h5"><br>
<br>
On 22/02/17 02:38, Michael Walker via
Dxspider-support wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_2247224448611900781m_7355281552786399834h5">
<div dir="ltr">Has anyone seen this?
<div><br>
</div>
<div>Something is spawning all
these. Intrusion?</div>
<div><br>
</div>
<div>Mike va3mw</div>
<div><br>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div><br>
</div>
<pre>sysop     8769  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8770  7041  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8771  3426  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8772  8732  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8773  6898  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8774  8730  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8775  7040  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8776  7038  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8777  8731  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8778  8729  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8779  5238  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8780  7037  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8781  8737  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8782  7043  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8783  8733  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8784  8726  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8785  5239  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8786  7039  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8787  6897  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
root      9091     2  0 03:57 ?        00:00:00 [kworker/3:1]
root      9183     2  0 05:01 ?        00:00:01 [kworker/1:3]
root      9324     2  0 07:01 ?        00:00:03 [kworker/0:0]
root      9418     2  0 08:19 ?        00:00:32 [kworker/2:1]
root      9892     2  0 15:01 ?        00:00:00 [kworker/1:1]
root     10235     2  0 20:01 ?        00:00:00 [kworker/2:0]
postfix  10261  1846  0 20:27 ?        00:00:00 pickup -l -t unix -u
root     10300     2  0 21:01 ?        00:00:00 [kworker/0:2]
root     10319     2  0 21:22 ?        00:00:00 [kworker/1:2H]
root     10322     2  0 21:27 ?        00:00:00 [kworker/u8:1]
root     10324     2  0 21:27 ?        00:00:00 [kworker/1:0H]
root     10327     2  0 21:32 ?        00:00:00 [kworker/u8:2]
root     10330     2  0 21:32 ?        00:00:00 [kworker/1:1H]
root     10333  1080  0 21:33 ?        00:00:01 sshd: root@pts/0
root     10337 10333  0 21:34 pts/0    00:00:00 -bash
root     10361     2  0 21:36 ?        00:00:00 [ath9k-hwrng]
root     10362 10337  0 21:37 pts/0    00:00:00 ps -ef
root     10363 10337  0 21:37 pts/0    00:00:00 less
</pre>
<div><br>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
Dxspider-support mailing list
<a class="m_2247224448611900781m_7355281552786399834m_-261766008267968091moz-txt-link-abbreviated" href="mailto:Dxspider-support@dxcluster.org" target="_blank">Dxspider-support@dxcluster.org</a>
<a class="m_2247224448611900781m_7355281552786399834m_-261766008267968091moz-txt-link-freetext" href="http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support" target="_blank">http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</div>
</div></div></blockquote></div>
</div></div></div>
</blockquote>
</div></div></div>
<br></blockquote></div><br></div>
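<p>Two triage helpers for the symptoms discussed in this thread (hourly "Started Session N of user root" entries in the messages log, and a pile of <defunct> convkeps.pl processes), written as an added example for this page; they are not code from the thread or from DXSpider. All sample data in the block is constructed: the session lines copy the thread's log format, the sshd "Accepted" line and the 192.0.2.10 address are invented to show how an interactive ssh login looks beside the other sessions, and the ps lines reuse the thread's layout with repeated parent PIDs. The function names are this example's own.</p>

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. All samples below are
# constructed for this example (see the lead-in); on a real host feed the
# functions /var/log/messages and "ps -ef" output instead.

SAMPLE_LOG='Feb 21 22:01:02 dxcluster2 systemd: Started Session 4 of user root.
Feb 21 22:48:47 dxcluster2 systemd-logind: New session 5 of user root.
Feb 21 22:48:47 dxcluster2 systemd: Started Session 5 of user root.
Feb 21 23:01:01 dxcluster2 systemd: Started Session 6 of user root.
Feb 22 00:01:01 dxcluster2 systemd: Started Session 7 of user root.
Feb 22 01:01:01 dxcluster2 systemd: Started Session 8 of user root.
Feb 22 02:01:01 dxcluster2 systemd: Started Session 9 of user root.
Feb 22 03:01:01 dxcluster2 systemd: Started Session 10 of user root.
Feb 22 03:15:09 dxcluster2 sshd[10333]: Accepted password for root from 192.0.2.10 port 50022 ssh2
Feb 22 03:15:09 dxcluster2 systemd-logind: New session 14 of user root.
Feb 22 03:15:09 dxcluster2 systemd: Started Session 14 of user root.'

# Constructed ps -ef excerpt: three zombies, two of them under the same parent.
SAMPLE_PS='sysop     8769  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8770  7041  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8771  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
root     10333  1080  0 21:33 ?        00:00:01 sshd: root@pts/0'

# Count the "Started Session" lines for a user by the minute-of-hour at which
# they began.  Output is "MM count", busiest minute first.  A pile-up on one
# minute is the signature of a scheduler (crond opens a PAM session for every
# job it runs as that user); interactive logins scatter across the hour.
sessions_by_minute() {          # $1 = user name, stdin = log lines
    awk -v u="$1" '
        $5 == "systemd:" && $6 == "Started" && $7 == "Session" && $11 == u"." {
            split($3, t, ":")
            n[t[2]]++
        }
        END { for (m in n) print m, n[m] }' | sort -k2,2nr -k1,1
}

# Pair each "Started Session N" line with an sshd "Accepted" line carrying the
# same timestamp (sshd logs the Accepted line before PAM opens the session, so
# a single pass is enough).  Sessions with no such line were opened by
# something other than an ssh login: cron, su, a console tty, and so on.
classify_sessions() {           # $1 = user name, stdin = log lines
    awk -v u="$1" '
        $5 ~ /^sshd\[/ && $6 == "Accepted" { ssh[$1 " " $2 " " $3] = 1 }
        $5 == "systemd:" && $6 == "Started" && $7 == "Session" && $11 == u"." {
            ts = $1 " " $2 " " $3
            kind = (ts in ssh) ? "sshd-login" : "no-sshd-login"
            print $8, kind
        }'
}

# Count <defunct> entries per parent PID in ps -ef output.  Zombies are already
# dead; the parent that never reaped them is the process to inspect.
zombies_by_parent() {           # stdin = ps -ef output
    awk '$NF == "<defunct>" { z[$3]++ } END { for (p in z) print p, z[p] }' |
        sort -k2,2nr -k1,1n
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | sessions_by_minute root
printf '%s\n' "$SAMPLE_LOG" | classify_sessions root
printf '%s\n' "$SAMPLE_PS" | zombies_by_parent
```

On the constructed log the first helper reports six root sessions starting at minute 01 and one each at 15 and 48, the second marks only session 14 as having a matching sshd login, and the third points at parent PID 8728 as the process holding two unreaped children. The same three questions (is the timing periodic, is there a login record behind each session, who owns the zombies) are what separate a scheduled job from an actual intrusion when reading a log like the one in the thread.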