www-data user process named ./stealth consumes 90+% cpu

It happens once a day that a process named ./stealth (running as my apache user www-data), which is unknown to me and I cannot find on my Lucid 10.04 system via locate, consumes over 90% cpu. What could this be? Network bandwidth peaks to 15mbit/sec, is this a dos attack?

Any help on how to investigate this would be much appreciated!

Best,

Tim

2 Replies

On IRC:

EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.

@heckman>: It compromises ALL THE THINGS

@AviMarcus:

On IRC:

EugeneKay>: Ubuntu Forums suggest it's a standard issue combination keylogger, irc bot, DDoS client, all that jazz.

@heckman>: It compromises ALL THE THINGS

Running this command may help you track it down:

    ps auxf

However, you should consider this Linode compromised and that it's no longer safe to store any data or use it for anything. Your best option is to back up your data and redeploy.

One way to do this would be to shrink your disk images and deploy a new distro alongside. You can then copy the files over and delete the old disk image.

I would also recommend trying to determine how the compromise happened in the process of moving data to prevent it from happening again.

-Tim

Edit: Make sure you only copy files over that you know where not the root of the problem. Here's more conversation from IRC:

> Dec29 18:31:18 < EugeneKay> The forum post I read traced it down to something called Zen

Dec29 18:31:29 < rnowak> the shopping cart?

Dec29 18:31:29 < EugeneKay> Which is any of a dozen PHP packages

Dec29 18:31:40 < EugeneKay> Didn't say.

Dec29 18:31:46 < EugeneKay> But probably

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct