[Dxspider-support] (no subject)
Dirk Koopman
djk at tobit.co.uk
Wed Feb 22 15:55:47 GMT 2017
If you are not using it, go ahead. But it does make updating slightly
more challenging. I'd go look for a .forward file and/or /etc/aliases
that has convkeps in it.

Try (as root):

    grep -r convkeps /etc

and

    grep convkeps /home/*/.forward

If you send me some details off list and open your firewall to an IP
address I'll give you, I can go and look. These things don't happen by
magic.

Dirk

On 22/02/17 13:29, Michael Walker via Dxspider-support wrote:
> I pulled out the image so I can reply.
>
> There are no cron jobs either root or sysop. This is a new build.
>
> However, something started to log in as root and there were over 500 of
> them. I will need to spend a lot more time going through the logs to
> see if I can see anything unusual. Since I don't do this for a
> living, that is going to take a while.
>
> I have changed the root password, but I am not sure that will help if
> the way they got in was via some other method.
>
> The cluster runs under sysop.
>
> Can I rename convkeps.pl so it doesn't execute?
>
> Mike
>
> On Wed, Feb 22, 2017 at 7:50 AM, Michael Walker <mike at portcredit.net> wrote:
>
> Thanks Dirk
>
> Not that I can see. In fact, I don't have any crons listed under
> root or sysop.
>
> Mike va3mw
>
>
> On Wed, Feb 22, 2017 at 7:27 AM, Dirk Koopman via Dxspider-support
> <dxspider-support at dxcluster.org> wrote:
>
> Do you have a (dxspider) cron job that is trying to run
> convkeps.pl? Normally I would expect this to be a system job
> that is triggered by an incoming email (containing keps) being
> redirected to convkeps.pl from an aliases or .forward file. It
> may also be the case that, since this program hasn't been
> touched since 2007, formats have changed and it is looping, then
> eventually dying or killed off by the Linux space reaper when
> it needs some extra RAM and it can't get it any other way.
>
> Dirk
>
>
> On 22/02/17 02:38, Michael Walker via Dxspider-support wrote:
>> Has anyone seen this?
>>
>> Something is spawning all these. Intrusion?
>>
>> Mike va3mw
>>
>> sysop 8769 8728 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8770 7041 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8771 3426 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8772 8732 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8773 6898 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8774 8730 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8775 7040 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8776 7038 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8777 8731 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8778 8729 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8779 5238 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8780 7037 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8781 8737 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8782 7043 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8783 8733 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8784 8726 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8785 5239 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8786 7039 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> sysop 8787 6897 0 00:02 ? 00:00:00 [convkeps.pl] <defunct>
>> root 9091 2 0 03:57 ? 00:00:00 [kworker/3:1]
>> root 9183 2 0 05:01 ? 00:00:01 [kworker/1:3]
>> root 9324 2 0 07:01 ? 00:00:03 [kworker/0:0]
>> root 9418 2 0 08:19 ? 00:00:32 [kworker/2:1]
>> root 9892 2 0 15:01 ? 00:00:00 [kworker/1:1]
>> root 10235 2 0 20:01 ? 00:00:00 [kworker/2:0]
>> postfix 10261 1846 0 20:27 ? 00:00:00 pickup -l -t unix -u
>> root 10300 2 0 21:01 ? 00:00:00 [kworker/0:2]
>> root 10319 2 0 21:22 ? 00:00:00 [kworker/1:2H]
>> root 10322 2 0 21:27 ? 00:00:00 [kworker/u8:1]
>> root 10324 2 0 21:27 ? 00:00:00 [kworker/1:0H]
>> root 10327 2 0 21:32 ? 00:00:00 [kworker/u8:2]
>> root 10330 2 0 21:32 ? 00:00:00 [kworker/1:1H]
>> root 10333 1080 0 21:33 ? 00:00:01 sshd: root@pts/0
>> root 10337 10333 0 21:34 pts/0 00:00:00 -bash
>> root 10361 2 0 21:36 ? 00:00:00 [ath9k-hwrng]
>> root 10362 10337 0 21:37 pts/0 00:00:00 ps -ef
>> root 10363 10337 0 21:37 pts/0 00:00:00 less
>>
>>
>>
>> _______________________________________________
>> Dxspider-support mailing list
>> Dxspider-support at dxcluster.org
>> <mailto:Dxspider-support at dxcluster.org>
>> http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support
>> <http://mailman.tobit.co.uk/mailman/listinfo/dxspider-support>
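Added example, not part of the original thread and not DXSpider code: a defunct process stays in the table until its parent reaps it, so the first helper maps each zombie in `ps -ef` output to its parent's command line, and the second widens the two grep checks suggested above to cron spools and root's .forward. The function names, the ROOT parameter, the cron spool path and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for defunct processes of unknown origin.

# zombie_parents: read `ps -ef` output on stdin and print, for each parent of
# a <defunct> process, "<ppid> <zombie count> <parent command>".
zombie_parents() {
    awk '
        $2 ~ /^[0-9]+$/ {                        # skips the header row
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            cmds[$2] = cmd                       # pid -> command line
            if ($NF == "<defunct>") count[$3]++  # tally zombies per parent
        }
        END {
            for (p in count)
                print p, count[p], (p in cmds ? cmds[p] : "(parent not in listing)")
        }' | sort -k2,2nr -k1,1n
}

# find_triggers PATTERN [ROOT]: list files mentioning PATTERN in the places
# mail delivery or cron can start a program from. ROOT is a hypothetical
# parameter (default: the live filesystem) for checking a mounted copy.
find_triggers() {
    pattern=$1
    root=${2:-}
    # /etc covers aliases and system crontabs; the cron spool path is an assumption
    grep -rls -- "$pattern" "$root/etc" "$root/var/spool/cron" 2>/dev/null || true
    for f in "$root"/home/*/.forward "$root/root/.forward"; do
        if [ -f "$f" ]; then grep -ls -- "$pattern" "$f" || true; fi
    done
}

# Constructed sample rows in the thread's format (not from the reporter's host).
sample_ps() {
    cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
postfix   8728  1846  0 00:02 ?        00:00:00 local -t unix
sysop     8769  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8770  8728  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
sysop     8771  3426  0 00:02 ?        00:00:00 [convkeps.pl] <defunct>
EOF
}

# Usage (as root):  ps -ef | zombie_parents;  find_triggers convkeps
```

A parent reported as "(parent not in listing)" had already exited or was cut from the captured output, so the listing needs to be taken again while the zombies are still present.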