As a bit of background, it seems that our server got infected with something and is being used to open a ton of TCP connections over a large range of IPs. I’m halfway through trying to track down how our server got infected now; my tale of woe has been outlined at 398639 for anyone who wants some additional information.
The current issue is I’ve found an Apache command “con.shs” that is routinely taking up 100% of our CPU (it’s definitely possible it’s related to our server compromise).
My question is whether anyone knows what “con.shs” is and why it’s running at 100%. No Google search has returned anything that might help.
We’re running Centos 5.7 Final, and Apache 2.2.3 (with PHP and MySQL).
con.shs could just be a random name the malware picks. Have you tried inspecting the process?
pgrep con.shs to find the list of PIDs and inspect the /proc/<pid>/ directory – look at details such as exe (what the executable is – unfortunately, they delete it sometimes) and perhaps cwd (what the working directory of the script is – in my experience, they don’t bother running it from somewhere like /tmp). Other files in there will be useful too, such as
This should help you track it down, see what it’s doing, and prevent it from coming back.
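The /proc walk the answer describes, written out as an added example (my own illustration, not code from the answer or from any tool on the page). It assumes a Linux /proc layout and a working pgrep; the process name passed on the command line is a placeholder for whatever name you are chasing. Beyond exe and cwd it also decodes the hex address fields of /proc/net/tcp so you can see which remote hosts the process is talking to, and it shows how to copy the running binary out of /proc/<pid>/exe even after the file has been unlinked.

```shell
#!/bin/sh
# Added example: triage a suspicious process through /proc on Linux.
# The process name given as $1 is a placeholder for the name under suspicion.

# Decode a /proc/net/tcp address field such as 0100007F:0050 into 127.0.0.1:80.
# The IPv4 half is a little-endian hex word; the port is big-endian hex.
decode_hex_addr() {
    hex_ip=${1%%:*}
    hex_port=${1##*:}
    o4=${hex_ip%??????}          # hex chars 1-2 = last octet
    rest=${hex_ip#??}
    o3=${rest%????}              # hex chars 3-4
    rest=${rest#??}
    o2=${rest%??}                # hex chars 5-6
    o1=${rest#??}                # hex chars 7-8 = first octet
    printf '%d.%d.%d.%d:%d\n' "$((0x$o1))" "$((0x$o2))" "$((0x$o3))" \
        "$((0x$o4))" "$((0x$hex_port))"
}

# Map the two-digit hex state column of /proc/net/tcp to a name.
tcp_state_name() {
    case $1 in
        01) echo ESTABLISHED ;;
        02) echo SYN_SENT ;;
        03) echo SYN_RECV ;;
        06) echo TIME_WAIT ;;
        08) echo CLOSE_WAIT ;;
        0A) echo LISTEN ;;
        *)  echo "state_$1" ;;
    esac
}

# Print the basics the answer points at: exe, cwd, cmdline and parent PID.
inspect_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "pid: $pid"
    # readlink on exe keeps working after the file is unlinked; the target is
    # then shown with a trailing " (deleted)", which is itself a strong signal.
    echo "exe: $(readlink "/proc/$pid/exe" 2>/dev/null || echo '<unreadable>')"
    echo "cwd: $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '<unreadable>')"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "ppid: $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)"
}

# Return 0 when the process binary has been unlinked from disk.
exe_is_deleted() {
    case $(readlink "/proc/$1/exe" 2>/dev/null) in
        *"(deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Preserve the running binary for later analysis, even if it was deleted on disk.
recover_exe() {
    cp "/proc/$1/exe" "$2"
}

# List the TCP sockets a process holds, decoded from the kernel's socket table.
tcp_connections_for_pid() {
    pid=$1
    tcpfile=/proc/$pid/net/tcp            # per-namespace view on newer kernels
    [ -r "$tcpfile" ] || tcpfile=/proc/net/tcp
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            "socket:["*"]") inode=${target#"socket:["}; inode=${inode%"]"} ;;
            *) continue ;;
        esac
        # Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
        awk -v ino="$inode" 'NR > 1 && $10 == ino { print $2, $3, $4 }' "$tcpfile" 2>/dev/null |
        while read -r local remote st; do
            printf 'fd %s: %s -> %s %s\n' "${fd##*/}" \
                "$(decode_hex_addr "$local")" "$(decode_hex_addr "$remote")" \
                "$(tcp_state_name "$st")"
        done
    done
}

# Usage: sh triage.sh <process-name>
if [ $# -gt 0 ]; then
    for p in $(pgrep "$1"); do
        inspect_pid "$p"
        exe_is_deleted "$p" && echo "note: binary unlinked on disk; copy /proc/$p/exe now"
        tcp_connections_for_pid "$p"
        echo
    done
fi
```

Run it as root so /proc/<pid>/exe and fd are readable for processes you do not own. If exe shows "(deleted)", use recover_exe before killing anything: once the process exits, the only copy of the binary goes with it.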