Jun 14, 2012
tom

Apache process con.shs using 100% load on CentOS. What is it?

Question

As a bit of background, it seems that our server got infected with something and is being used to open a ton of TCP connections over a large range of IPs. I’m halfway through trying to track down how our server got infected now; my tale of woe has been outlined at 398639 for anyone who wants some additional information.

The current issue is I’ve found an Apache command “con.shs” that is routinely taking up 100% of our CPU (it’s definitely possible it’s related to our server compromise).

My question is if anyone knew what “con.shs” is and why it’s running at 100%? No Google search has returned anything that might help.

We’re running Centos 5.7 Final, and Apache 2.2.3 (with PHP and MySQL).

Asked by dKen

Answer

con.shs could just be a random name the malware picks. Have you tried inspecting the process?

Use pgrep con.shs to find the list of PIDs and inspect the /proc/<pid>/ directory – look at details such as exe (what the executable is – unfortunately, they delete it sometimes) and perhaps cwd (what the working directory of the script is – in my experience, they don’t bother running it from somewhere like /tmp). Other files in there will be useful too, such as cmdline.

This should help you track it down, see what it’s doing, and prevent it from coming back.

Answered by Jay Shah
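A small triage script for the /proc inspection described in the answer above, added here as an example and not part of either post. The proc-root parameter, the PID values and the constructed entries are assumptions so the same logic can be exercised against a fake tree instead of a live machine; note that cmdline is NUL-separated and that the kernel reports an unlinked binary by appending " (deleted)" to the exe link target.

```sh
#!/bin/sh
# Triage helper for a suspicious process name such as "con.shs" (added example,
# not from the original post). Reads the /proc entries the answer mentions:
# exe, cwd and cmdline. The proc root is a parameter (assumption) so the
# function can be run against a constructed copy; real use passes /proc.

# Print one triage line for a single PID under the given proc root.
# Returns 1 when the executable has been unlinked from disk (the
# "they delete it sometimes" case), 2 when the PID does not exist, else 0.
inspect_pid() {
    root=$1
    pid=$2
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 2; }
    exe=$(readlink "$dir/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "$dir/cwd" 2>/dev/null || echo '?')
    # cmdline is NUL-separated; turn separators into spaces for display
    cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null | sed 's/ *$//')
    printf 'pid=%s exe=%s cwd=%s cmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
    case $exe in
        *' (deleted)') return 1 ;;   # kernel marks unlinked binaries this way
    esac
    [ -e "$exe" ] || return 1        # link target gone: also treat as deleted
    return 0
}

# Look up every PID whose command name matches exactly and triage each one.
# Exit status is the number of processes whose binary is no longer on disk,
# so a non-zero status means "capture exe/cwd/memory before killing anything".
triage_name() {
    name=$1
    root=${2:-/proc}
    deleted=0
    for pid in $(pgrep -x "$name"); do
        inspect_pid "$root" "$pid" || deleted=$((deleted + 1))
    done
    return $deleted
}

# Usage on a live box: triage_name con.shs
```

Copy /proc/<pid>/exe (cp still works on the deleted target while the process lives) and cwd before terminating anything, or the only evidence is lost with the process.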
