<div dir="ltr">I pulled out the image so I can reply.<div><br></div><div>There are no cron jobs either root or sysop. This is a new build.</div><div><br></div><div>However, something started to log in as root and there were over 500 of them. I will need to spend a lot more time going through the logs to see if I can see anything unusual. Since I don't do this for a living, that is going to take a while.</div><div><br></div><div>I have changed the root password, but I am not sure that will help if the way they got in was via some other method. </div><div><br></div><div>The cluster runs under sysop. </div><div><br></div><div>Can I rename <a href="http://convkeps.pl">convkeps.pl</a> so it doesn't execute?</div><div><br></div><div>Mike <br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 7:50 AM, Michael Walker <span dir="ltr">&lt;<a href="mailto:mike@portcredit.net" target="_blank">mike@portcredit.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Dirk<div><br></div><div>Not that I can see. In fact, I don't have any crons listed under root or sysop.</div><div><br></div><div>Mike va3mw</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 22, 2017 at 7:27 AM, Dirk Koopman via Dxspider-support <span dir="ltr">&lt;<a href="mailto:dxspider-support@dxcluster.org" target="_blank">dxspider-support@dxcluster.<wbr>org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_7355281552786399834m_-261766008267968091moz-cite-prefix">Do you have a (dxspider) cron job that
is trying to run <a href="http://convkeps.pl" target="_blank">convkeps.pl</a>? Normally I would expect this to be a
system job that is triggered by an incoming email (containing
keps) being redirected to <a href="http://convkeps.pl" target="_blank">convkeps.pl</a> from an aliases or .forward
file. It may also be the case, since this program hasn't been
touched since 2007, that formats have changed and it is looping,
then eventually dying or killed off by the Linux space reaper when
it needs some extra RAM and it can't get it any other way.<br>
<br>
Dirk<div><div class="m_7355281552786399834h5"><br>
<br>
On 22/02/17 02:38, Michael Walker via Dxspider-support wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="m_7355281552786399834h5">
<div dir="ltr">Has anyone seen this?
<div><br>
</div>
<div>Something is spawning all these. Intrusion?</div>
<div><br>
</div>
<div>Mike va3mw</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">sysop 8769 8728 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8770 7041 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8771 3426 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8772 8732 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8773 6898 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8774 8730 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8775 7040 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8776 7038 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8777 8731 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8778 8729 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8779 5238 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8780 7037 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8781 8737 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8782 7043 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8783 8733 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8784 8726 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8785 5239 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8786 7039 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8787 6897 0
00:02 ? 00:00:00 [<a href="http://convkeps.pl" target="_blank">convkeps.pl</a>]
&lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">root 9091 2 0
03:57 ? 00:00:00 [kworker/3:1]</font></div>
<div><font face="monospace, monospace">root 9183 2 0
05:01 ? 00:00:01 [kworker/1:3]</font></div>
<div><font face="monospace, monospace">root 9324 2 0
07:01 ? 00:00:03 [kworker/0:0]</font></div>
<div><font face="monospace, monospace">root 9418 2 0
08:19 ? 00:00:32 [kworker/2:1]</font></div>
<div><font face="monospace, monospace">root 9892 2 0
15:01 ? 00:00:00 [kworker/1:1]</font></div>
<div><font face="monospace, monospace">root 10235 2 0
20:01 ? 00:00:00 [kworker/2:0]</font></div>
<div><font face="monospace, monospace">postfix 10261 1846 0
20:27 ? 00:00:00 pickup -l -t unix -u</font></div>
<div><font face="monospace, monospace">root 10300 2 0
21:01 ? 00:00:00 [kworker/0:2]</font></div>
<div><font face="monospace, monospace">root 10319 2 0
21:22 ? 00:00:00 [kworker/1:2H]</font></div>
<div><font face="monospace, monospace">root 10322 2 0
21:27 ? 00:00:00 [kworker/u8:1]</font></div>
<div><font face="monospace, monospace">root 10324 2 0
21:27 ? 00:00:00 [kworker/1:0H]</font></div>
<div><font face="monospace, monospace">root 10327 2 0
21:32 ? 00:00:00 [kworker/u8:2]</font></div>
<div><font face="monospace, monospace">root 10330 2 0
21:32 ? 00:00:00 [kworker/1:1H]</font></div>
<div><font face="monospace, monospace">root 10333 1080 0
21:33 ? 00:00:01 sshd: root@pts/0</font></div>
<div><font face="monospace, monospace">root 10337 10333 0
21:34 pts/0 00:00:00 -bash</font></div>
<div><font face="monospace, monospace">root 10361 2 0
21:36 ? 00:00:00 [ath9k-hwrng]</font></div>
<div><font face="monospace, monospace">root 10362 10337 0
21:37 pts/0 00:00:00 ps -ef</font></div>
<div><font face="monospace, monospace">root 10363 10337 0
21:37 pts/0 00:00:00 less</font></div>
</div>
<div><br>
</div>
</div>
<br>
<br>
</div></div><pre>______________________________<wbr>_________________
Dxspider-support mailing list
<a class="m_7355281552786399834m_-261766008267968091moz-txt-link-abbreviated" href="mailto:Dxspider-support@dxcluster.org" target="_blank">Dxspider-support@dxcluster.org</a>
<a class="m_7355281552786399834m_-261766008267968091moz-txt-link-freetext" href="http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support" target="_blank">http://mailman.tobit.co.uk/mai<wbr>lman/listinfo/dxspider-support</a>
</pre>
</blockquote>
<br>
</div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div>
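<div>Added example, not part of the original thread: a shell triage helper for the two questions raised above, namely which parent processes are leaving the defunct convkeps.pl children unreaped, and whether an aliases or .forward file pipes mail into the script. The function names zombie_parents and mail_pipes, the sample ps lines and the file paths in the comments are constructed for illustration.</div>

```shell
#!/bin/sh
# Added triage example; sample data below is constructed, not from the host.

# Read `ps -ef` text on stdin and print "count ppid" for every parent that
# has unreaped (<defunct>) children named $1, busiest parent first.
zombie_parents() {
    awk -v name="[$1]" '
        $NF == "<defunct>" && $(NF-1) == name { n[$3]++ }
        END { for (p in n) print n[p], p }
    ' | sort -k1,1nr -k2,2n
}

# Print file:line:text for every entry in the given aliases/.forward files
# that pipes mail into program $1. /dev/null forces grep to show filenames.
mail_pipes() {
    prog=$1; shift
    grep -n -F -- "$prog" /dev/null "$@" 2>/dev/null | grep -F '|'
}

# Constructed sample in the same column layout as the listing in the thread.
sample_ps() {
    cat <<'EOF'
sysop 100 50 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
sysop 101 50 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
sysop 102 60 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
root 200 2 0 03:57 ? 00:00:00 [kworker/3:1]
EOF
}

sample_ps | zombie_parents convkeps.pl
# On a live host:
#   ps -ef | zombie_parents convkeps.pl
#   ps -o pid,user,lstart,args -p <ppid>     # what is each parent?
#   mail_pipes convkeps.pl /etc/aliases /home/*/.forward
```

<div>A zombie only disappears when its parent reaps it or exits, so the parent list is the place to look; a hit from mail_pipes points to the mail-triggered path described in the thread rather than a cron job.</div>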