The thing is... you need to find how it got in and patch, otherwise it will be
back on your brand new server...
JD
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On 04.10.2014 at 03:34, Tim Dunphy wrote:
Hey all,
I noticed that my puppet server running CentOS 6.5 was acting a little
pokey.
So I logged in and did what well just about anyone would've done. And ran
the uptime command to have a look at the load. And it was astonishingly
high!
yeah it does..
[root@puppet:~] #ps faux | grep smarvtd
root 18194 0.0 0.0 103244 836 pts/2 S+ 11:05 0:00 | \_ grep smarvtd
root 28855 0.0 0.1 433824 1688 ? Ssl Oct03 0:15 /tmp/smarvtd
root 5923 0.0 0.1 433824 1684 ? Ssl Oct03 0:12 /tmp/smarvtd
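The check behind the ps output above, as an added example that is not part of the thread: it flags any process whose binary runs from a world-writable scratch directory. The function names and the choice of directories are assumptions, and the sample listing is constructed around the three lines shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Scratch directories any local user can write to (assumed list).
SCRATCH_RE='^/(tmp|var/tmp|dev/shm)/'

# Read `ps aux` / `ps faux` lines on stdin and print "USER PID COMMAND" for
# every process whose command path starts in a scratch directory.
# Columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
flag_tmp_procs() {
    awk -v re="$SCRATCH_RE" '
    $1 == "USER" { next }                       # skip the header
    {
        i = 11                                  # COMMAND starts at field 11
        while (i <= NF && $i ~ /^[|\\_]+$/) i++ # skip forest art: | and \_
        if (i <= NF && $i ~ re) print $1, $2, $i
    }'
}

# argv[0] is set by the process itself, so on a live host trust /proc/PID/exe
# instead: print "PID PATH" for binaries in scratch dirs or already deleted.
live_tmp_procs() {
    for exe in /proc/[0-9]*/exe; do
        path=$(readlink "$exe" 2>/dev/null) || continue
        pid=${exe#/proc/}; pid=${pid%/exe}
        case $path in
            /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)') echo "$pid $path" ;;
        esac
    done
}

# Constructed sample listing; the smarvtd and grep rows mirror the thread.
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  19232  1492 ?        Ss   Oct03   0:01 /sbin/init
root      1742  0.0  0.1  66236  1220 ?        Ss   Oct03   0:00 /usr/sbin/sshd
root     18194  0.0  0.0 103244   836 pts/2    S+   11:05   0:00  |   \_ grep smarvtd
root     28855  0.0  0.1 433824  1688 ?        Ssl  Oct03   0:15 /tmp/smarvtd
root      5923  0.0  0.1 433824  1684 ?        Ssl  Oct03   0:12 /tmp/smarvtd
apache    3310  0.0  0.2 180000  2100 ?        S    Oct03   0:00 /usr/sbin/httpd
EOF
}

sample_ps | flag_tmp_procs
```

On a live host, run `live_tmp_procs` as root so every `/proc/PID/exe` link is readable; a path ending in ` (deleted)` means the binary was removed from disk after it started.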
Since this was your puppet server, you might also want to check to see if the
intrusion has spread to your other machines, it's possible the attacker didn't
notice or that the attack was fully automated, but you should read through the
puppet configs and see if there are any commands being
Hey all,
I noticed that my puppet server running CentOS 6.5 was acting a little
pokey.
So I logged in and did what well just about anyone would've done. And ran
the uptime command to have a look at the load. And it was astonishingly
high!
[root@puppet:~] #uptime
21:28:01 up 1:26, 3 users,
A quick Google for smarvtd returns results for both the smarvtd and
whitptabil and they appear to be potential malware. Does a PS faux | grep
smarvtd return a full path to the file that is running? How about top -c?
—
Sent from Mailbox
On Fri, Oct 3, 2014 at 9:35 PM, Tim Dunphy