<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">If you are not using it, go ahead. But
it does make updating slightly more challenging. I'd go look for a
.forward file and/or /etc/aliases that has convkeps in it.<br>
<br>
Try (as root):<br>
<br>
grep -r convkeps /etc<br>
<br>
and <br>
<br>
grep convkeps /home/*/.forward<br>
<br>
If you send me some details off list and open your firewall to an
IP address I'll give you, I can go and look. These things don't
happen by magic. <br>
<br>
Dirk<br>
<br>
On 22/02/17 13:29, Michael Walker via Dxspider-support wrote:<br>
</div>
<blockquote
cite="mid:CANSPDxY+_Sc_rn7eqo8DrJY-bZ3U6iYUFWYQC=BEAJg3irQGKQ@mail.gmail.com"
type="cite">
<div dir="ltr">I pulled out the image so I can reply.
<div><br>
</div>
<div>There are no cron jobs either root or sysop. This is a new
build.</div>
<div><br>
</div>
<div>However, something started to log in as root and there were
over 500 of them. I will need to spend a lot more time going
through the logs to see if I can see anything unusual. Since
I don't do this for a living, that is going to take a while.</div>
<div><br>
</div>
<div>I have changed the root password, but I am not sure that
will help if the way they got in was via some other method. </div>
<div><br>
</div>
<div>The cluster runs under sysop. </div>
<div><br>
</div>
<div>Can I rename convkeps.pl so it doesn't
execute?</div>
<div><br>
</div>
<div>Mike <br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 22, 2017 at 7:50 AM,
Michael Walker <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mike@portcredit.net" target="_blank">mike@portcredit.net</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks Dirk
<div><br>
</div>
<div>Not that I can see. In fact, I don't have any
crons listed under root or sysop.</div>
<div><br>
</div>
<div>Mike va3mw</div>
<div><br>
</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 22, 2017 at
7:27 AM, Dirk Koopman via Dxspider-support <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dxspider-support@dxcluster.org"
target="_blank">dxspider-support@dxcluster.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div
class="m_7355281552786399834m_-261766008267968091moz-cite-prefix">Do
you have a (dxspider) cron job that is
trying to run convkeps.pl?
Normally I would expect this to be a
system job that is triggered by an
incoming email (containing keps) being
redirected to convkeps.pl from an
aliases or .forward file. It may also be
the case that, since this program hasn't
been touched since 2007, formats have
changed and it is looping, then eventually
dying or killed off by the Linux space
reaper when it needs some extra RAM and it
can't get it any other way.<br>
<br>
Dirk
<div>
<div class="m_7355281552786399834h5"><br>
<br>
On 22/02/17 02:38, Michael Walker via
Dxspider-support wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_7355281552786399834h5">
<div dir="ltr">Has anyone seen this?
<div><br>
</div>
<div>Something is spawning all
these. Intrusion?</div>
<div><br>
</div>
<div>Mike va3mw</div>
<div><br>
</div>
<div>
<div><font face="monospace, monospace">sysop 8769 8728 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8770 7041 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8771 3426 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8772 8732 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8773 6898 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8774 8730 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8775 7040 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8776 7038 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8777 8731 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8778 8729 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8779 5238 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8780 7037 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8781 8737 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8782 7043 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8783 8733 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8784 8726 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8785 5239 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8786 7039 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">sysop 8787 6897 0 00:02 ? 00:00:00 [convkeps.pl] &lt;defunct&gt;</font></div>
<div><font face="monospace, monospace">root 9091 2 0 03:57 ? 00:00:00 [kworker/3:1]</font></div>
<div><font face="monospace, monospace">root 9183 2 0 05:01 ? 00:00:01 [kworker/1:3]</font></div>
<div><font face="monospace, monospace">root 9324 2 0 07:01 ? 00:00:03 [kworker/0:0]</font></div>
<div><font face="monospace, monospace">root 9418 2 0 08:19 ? 00:00:32 [kworker/2:1]</font></div>
<div><font face="monospace, monospace">root 9892 2 0 15:01 ? 00:00:00 [kworker/1:1]</font></div>
<div><font face="monospace, monospace">root 10235 2 0 20:01 ? 00:00:00 [kworker/2:0]</font></div>
<div><font face="monospace, monospace">postfix 10261 1846 0 20:27 ? 00:00:00 pickup -l -t unix -u</font></div>
<div><font face="monospace, monospace">root 10300 2 0 21:01 ? 00:00:00 [kworker/0:2]</font></div>
<div><font face="monospace, monospace">root 10319 2 0 21:22 ? 00:00:00 [kworker/1:2H]</font></div>
<div><font face="monospace, monospace">root 10322 2 0 21:27 ? 00:00:00 [kworker/u8:1]</font></div>
<div><font face="monospace, monospace">root 10324 2 0 21:27 ? 00:00:00 [kworker/1:0H]</font></div>
<div><font face="monospace, monospace">root 10327 2 0 21:32 ? 00:00:00 [kworker/u8:2]</font></div>
<div><font face="monospace, monospace">root 10330 2 0 21:32 ? 00:00:00 [kworker/1:1H]</font></div>
<div><font face="monospace, monospace">root 10333 1080 0 21:33 ? 00:00:01 sshd: root@pts/0</font></div>
<div><font face="monospace, monospace">root 10337 10333 0 21:34 pts/0 00:00:00 -bash</font></div>
<div><font face="monospace, monospace">root 10361 2 0 21:36 ? 00:00:00 [ath9k-hwrng]</font></div>
<div><font face="monospace, monospace">root 10362 10337 0 21:37 pts/0 00:00:00 ps -ef</font></div>
<div><font face="monospace, monospace">root 10363 10337 0 21:37 pts/0 00:00:00 less</font></div>
</div>
<div><br>
</div>
</div>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
Dxspider-support mailing list
<a moz-do-not-send="true" class="m_7355281552786399834m_-261766008267968091moz-txt-link-abbreviated" href="mailto:Dxspider-support@dxcluster.org" target="_blank">Dxspider-support@dxcluster.org</a>
<a moz-do-not-send="true" class="m_7355281552786399834m_-261766008267968091moz-txt-link-freetext" href="http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support" target="_blank">http://mailman.tobit.co.uk/mai<wbr>lman/listinfo/dxspider-support</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</div>
</div></div></blockquote></div>
</div></div></div>
</blockquote>
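<div>The <code>ps -ef</code> listing quoted in this thread shows each defunct convkeps.pl entry with its parent PID in the third column, but not the parent rows themselves. The following is an added example, not part of any message in the thread: it groups defunct processes by parent PID and prints the parent's command line when that row is in the input. The sample listing, PID 8700 and the name <code>example-parent</code> are constructed for illustration.</div>

```shell
#!/bin/sh
# Added example (not from the thread): group defunct processes in
# `ps -ef` text by parent PID. A zombie persists until its parent reaps
# it, so the parent row identifies what is spawning the processes.

# Constructed sample; the zombie rows mirror the format of the listing,
# the parent row (PID 8700, "example-parent") is hypothetical.
SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Feb21 ?        00:00:02 /sbin/init
sysop     8700     1  0 00:01 ?        00:00:00 example-parent --constructed
sysop     8769  8700  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8770  8700  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8771  3426  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
root     10362 10337  0 21:37 pts/0    00:00:00 ps -ef'

# Reads `ps -ef` output on stdin; prints "<ppid> <zombies> <parent cmd>",
# busiest parent first. "?" means the parent row is not in the input.
zombie_parents() {
    awk '
        $1 == "UID" { next }
        {
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            cmdof[$2] = cmd
            if (cmd ~ /<defunct>$/) zombies[$3]++
        }
        END {
            for (p in zombies)
                printf "%s %d %s\n", p, zombies[p],
                       ((p in cmdof) ? cmdof[p] : "?")
        }
    ' | sort -k2,2nr -k1,1n
}

printf '%s\n' "$SAMPLE" | zombie_parents
```

<div>On a live host, <code>ps -ef | zombie_parents</code> gives the same summary from the full process table, where every parent row is present.</div>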
</body></html>