[Dxspider-support] (no subject)

Michael Walker mike at portcredit.net
Wed Feb 22 13:29:59 GMT 2017


I pulled out the image so I can reply.

There are no cron jobs for either root or sysop.  This is a new build.

However, something started to log in as root and there were over 500 of
them.  I will need to spend a lot more time going through the logs to see
if I can see anything unusual.  Since I don't do this for a living, that is
going to take a while.

I have changed the root password, but I am not sure that will help if the
way they got in was via some other method.

The cluster runs under sysop.

Can I rename convkeps.pl so it doesn't execute?

Mike

On Wed, Feb 22, 2017 at 7:50 AM, Michael Walker <mike at portcredit.net> wrote:

> Thanks Dirk
>
> Not that I can see.  In fact, I don't have any crons listed under root or
> sysop.
>
> Mike va3mw
>
>
> On Wed, Feb 22, 2017 at 7:27 AM, Dirk Koopman via Dxspider-support <
> dxspider-support at dxcluster.org> wrote:
>
>> Do you have a (dxspider) cron job that is trying to run convkeps.pl?
>> Normally I would expect this to be a system job that is triggered by an
>> incoming email (containing keps) being redirected to convkeps.pl from an
>> aliases or .forward file. It may also be the case that, since this program
>> hasn't been touched since 2007, formats have changed and it is
>> looping, then eventually dying or killed off by the Linux space reaper when
>> it needs some extra RAM and it can't get it any other way.
>>
>> Dirk
>>
>>
>> On 22/02/17 02:38, Michael Walker via Dxspider-support wrote:
>>
>> Has anyone seen this?
>>
>> Something is spawning all these.  Intrusion?
>>
>> Mike va3mw
>>
>> sysop     8769  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8770  7041  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8771  3426  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8772  8732  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8773  6898  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8774  8730  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8775  7040  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8776  7038  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8777  8731  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8778  8729  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8779  5238  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8780  7037  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8781  8737  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8782  7043  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8783  8733  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8784  8726  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8785  5239  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8786  7039  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> sysop     8787  6897  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
>> root      9091     2  0 03:57 ?        00:00:00 [kworker/3:1]
>> root      9183     2  0 05:01 ?        00:00:01 [kworker/1:3]
>> root      9324     2  0 07:01 ?        00:00:03 [kworker/0:0]
>> root      9418     2  0 08:19 ?        00:00:32 [kworker/2:1]
>> root      9892     2  0 15:01 ?        00:00:00 [kworker/1:1]
>> root     10235     2  0 20:01 ?        00:00:00 [kworker/2:0]
>> postfix  10261  1846  0 20:27 ?        00:00:00 pickup -l -t unix -u
>> root     10300     2  0 21:01 ?        00:00:00 [kworker/0:2]
>> root     10319     2  0 21:22 ?        00:00:00 [kworker/1:2H]
>> root     10322     2  0 21:27 ?        00:00:00 [kworker/u8:1]
>> root     10324     2  0 21:27 ?        00:00:00 [kworker/1:0H]
>> root     10327     2  0 21:32 ?        00:00:00 [kworker/u8:2]
>> root     10330     2  0 21:32 ?        00:00:00 [kworker/1:1H]
>> root     10333  1080  0 21:33 ?        00:00:01 sshd: root@pts/0
>> root     10337 10333  0 21:34 pts/0    00:00:00 -bash
>> root     10361     2  0 21:36 ?        00:00:00 [ath9k-hwrng]
>> root     10362 10337  0 21:37 pts/0    00:00:00 ps -ef
>> root     10363 10337  0 21:37 pts/0    00:00:00 less
>>
>>
>>
>> _______________________________________________
>> Dxspider-support mailing list
>> Dxspider-support at dxcluster.org
>> http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
>>
>
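
A triage step for the process listing quoted above, as an added example that is not part of the original thread: group the `<defunct>` entries by parent PID and look up each parent's command to see what is spawning them. The sample listing is constructed in `ps -ef` layout and the parent command is a placeholder.

```python
from collections import Counter

# Constructed sample in `ps -ef` layout, modelled on the listing in the thread.
# The parent command is a placeholder, not something taken from the thread.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
sysop     7041  1200  0 Feb21 ?        00:00:00 /usr/local/bin/example-parent
sysop     8728  1200  0 Feb21 ?        00:00:00 /usr/local/bin/example-parent
sysop     8769  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8770  7041  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8771  3426  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8772  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
root      9091     2  0 03:57 ?        00:00:00 [kworker/3:1]
"""


def parse_ps_ef(text):
    """Parse `ps -ef` text into dicts; skips the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        # CMD is the 8th column and may itself contain spaces.
        fields = line.rstrip().split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit() or not fields[2].isdigit():
            continue
        rows.append({"uid": fields[0], "pid": int(fields[1]),
                     "ppid": int(fields[2]), "cmd": fields[7]})
    return rows


def zombie_parents(text):
    """Map each parent PID to (zombie count, parent command or None)."""
    rows = parse_ps_ef(text)
    cmd_by_pid = {r["pid"]: r["cmd"] for r in rows}
    counts = Counter(r["ppid"] for r in rows if r["cmd"].endswith("<defunct>"))
    # None means the parent is not in the captured text: the excerpt was
    # truncated, so capture the full `ps -ef` output before drawing conclusions.
    return {ppid: (n, cmd_by_pid.get(ppid)) for ppid, n in counts.most_common()}


if __name__ == "__main__":
    for ppid, (n, cmd) in zombie_parents(SAMPLE_PS).items():
        print(f"parent {ppid}: {n} defunct, command: {cmd or 'not in listing'}")
```

A defunct entry only clears once its parent reaps it or exits, so the parent's command and its own ancestry are what identify the spawner.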