Thread: jusxxrsbtm consuming all processor

  1. #1

    jusxxrsbtm consuming all processor

    Hi,
    Today I found a process named jusxxrsbtm consuming all the processor;
    after a Google search, I haven't been able to find anything about it.
    After running: $ find / | grep jusxxrsbtm
    I found out that apparently it is a service; with the description: LSB jusxxrsbtm.
    When I kill the process, a process named abeotciblz starts that also consumes all the processor.
    I also haven't been able to find anything about this process.

    I literally have no idea what is happening or what to do next.

    Does anyone know what this service is, what it does and/or how to keep it from using all the processor?
    Thanks in advance to everyone.

  2. #2
    Join Date
    Nov 2016
    Location
    Prague, CZ
    Posts
    39

    Re: jusxxrsbtm consuming all processor

    OK, here are a couple of things that you can try.

    First, get some information on the process. I'm going to use vim as an example. You would use this weird jusxx.... process.

    Code:
    bash-4.3# ps auxf
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.0  20008  3116 ?        Ss   08:20   0:00 /bin/bash
    root       227  0.1  0.0  27840  6072 ?        T    08:22   0:00 vim
    root       230  0.0  0.0  43516  3448 ?        R+   08:22   0:00 ps auxf

    This tells me that the pid of vim is 227 and it is not being created by another process. If it were, you'd see a little branch icon showing what is running it.

    Code:
    bash-4.3# ls -l /proc/227/exe
    lrwxrwxrwx 1 root root 0 Nov 22 08:25 /proc/227/exe -> /bin/vim

    You would replace 227 with the pid of your process and this will tell you the actual file that it's coming from. Post that here if you still need help.

  3. #3

    Re: jusxxrsbtm consuming all processor

    Hi, Thanks jsevans

    So I ran

    Code:
    $ ls -l /proc/1115/exe
    lrwxrwxrwx 1 root root 0 Nov 22 23:11 /proc/1115/exe -> /bin/jusxxrsbtm

    then killed jusxxrsbtm to test abeotciblz

    Code:
    $ ls -l /proc/1117/exe
    lrwxrwxrwx 1 root root 0 Nov 22 23:17 /proc/1117/exe -> /bin/abeotciblz

    I think they are being called at boot?
    And that abeotciblz is just in there in case jusxxrsbtm dies?

    then I tried using:
    $ file /bin/jusxxrsbtm and $ file /bin/abeotciblz
    both files gave me the same output:
    Code:
    ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, not stripped

    Note: I'm using an x64 system with the 4.4.27 kernel

    Also I've noticed that according to htop, both processes seem to cycle through the following commands:

    • cd/etc
    • ls -la
    • pwd
    • sh
    • who
    • whoami
    • bash
    • netstart -antop
    • echo "find"
    • grep "A"
    • id
    • route -n
    • su

    in no apparent order

    What do you think?
    I'm personally starting to believe this might actually be some kind of malware. Although Clamav reports nothing.

  4. #4
    Join Date
    Nov 2016
    Location
    Prague, CZ
    Posts
    39

    Re: jusxxrsbtm consuming all processor

    I think you're right. It does sound like some kind of malware. Have you had any weird issues with your files being unavailable or deleted or anything like that?

  5. #5
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,590

    Re: jusxxrsbtm consuming all processor

    Clam won't know until it is reported. The fact that those apps show nothing on Google indicates something very new.

    Try making those files not executable. See what happens. If they still run or change back to executable, then there is a third process involved running under root.

  6. #6

    Re: jusxxrsbtm consuming all processor

    Actually I'm not having any issues with files or programs, other than the computer being sluggish.

    So I went ahead and ran:
    Code:
    $ chmod 000 /bin/abeotciblz
    $ chmod 000 /bin/jusxxrsbtm

    and rebooted the system.

    jusxxrsbtm and abeotciblz didn't start.
    Unfortunately, now I have another process named rtwsjgivrt that behaves exactly the same as the other two.
    After another check, I discovered that all the executables share the same MD5 footprint.

    So, now I'm searching for which might be the program/script/process creating these other programs.
    I really don't want to have to format the drive and restart from scratch.

    Thanks again jsevans and gogalthorp
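
Added example, not part of the thread or any poster's code: post #6 finds that the differently named executables share one MD5 and asks what keeps creating them. The functions below find every file with the same content as a known copy, then list startup files that mention any of those names. SHA-256 is used in place of MD5, and the function names and the search roots in the usage comment are assumptions.

```shell
# Added example; function names are hypothetical, not from the thread.

# same_hash_files SUSPECT ROOT...
# Print every regular file under the ROOTs whose SHA-256 equals SUSPECT's.
# The name may differ between copies; the content does not.
same_hash_files() (
    suspect=$1; shift
    want=$(sha256sum "$suspect" 2>/dev/null | cut -d' ' -f1)
    [ -n "$want" ] || exit 1
    # sha256sum prints "<64 hex><2 separator chars><path>": path starts at 67.
    find "$@" -xdev -type f -exec sha256sum {} + 2>/dev/null |
        awk -v want="$want" '($1 "") == want { print substr($0, 67) }' | sort
)

# startup_references DIR NAMES
# NAMES is a newline-separated list; grep -F treats each line as one fixed
# string. Print the files under DIR that mention any of them.
startup_references() (
    [ -n "$2" ] || exit 0
    grep -rlF -e "$2" "$1" 2>/dev/null | sort
)

# find_persistence SUSPECT SEARCH_ROOT STARTUP_DIR
# Collect the basenames of all identical copies, then report which files
# under STARTUP_DIR (init scripts, cron entries, ...) refer to them.
find_persistence() (
    copies=$(same_hash_files "$1" "$2") || exit 1
    names=$(printf '%s\n' "$copies" | sed 's|.*/||' | sort -u)
    startup_references "$3" "$names"
)

# Typical use on the affected machine, as root (paths are assumptions):
#   same_hash_files /bin/jusxxrsbtm /bin /usr /lib /tmp
#   find_persistence /bin/jusxxrsbtm /bin /etc
```

A file that `find_persistence` reports but that is not itself one of the copies is a candidate for whatever recreates them and is worth reading before anything is deleted.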

  7. #7

    Re: jusxxrsbtm consuming all processor

    Quote:
    Also I've noticed that according to htop, both processes seem to cycle through the following commands:

    • cd/etc
    • ls -la
    • pwd
    • sh
    • who
    • whoami
    • bash
    • netstart -antop
    • echo "find"
    • grep "A"
    • id
    • route -n
    • su

    in no apparent order

    What do you think?
    I'm personally starting to believe this might actually be some kind of malware. Although Clamav reports nothing.

    There are certainly reasons for suspicion there. Anything repeatedly trying to 'su' is a worry and the 'netstart -antop' and 'route -n' suggests that something is trying to discover its network environment (presumably with non-friendly intent).

    • Do you have a good backup? Maybe a semi-bad backup is better than none.
    • Tried a Live CD (do you get the same sort-of random program names popping up as using all of the processor time)?
    • Tried running something like 'rkhunter' (probably a bit late now but better late than never arguably)?

  8. #8
    Join Date
    Nov 2009
    Location
    West Virginia Sector 13
    Posts
    15,590

    Re: jusxxrsbtm consuming all processor

    Sounds more and more like malware or an attempt at it. Are these processes started from a binary or a script? Try opening them in an editor.

    But there must be a process creating and starting them.

    Try

    ps -ejH

    to see the process tree and maybe see what starts/creates them
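
Added example, not part of the thread or any poster's code: the `/proc/<pid>/exe` check from post #2 and the process-tree idea from post #8, combined into one walk from a PID up to PID 1. It also flags the situation reported in post #3, where the command shown by htop does not match the file actually running. The function names and the optional `PROC_ROOT` argument are assumptions made so the code can be tried on a constructed directory.

```shell
# Added example; function names are hypothetical, not from the thread.
# PROC_ROOT defaults to /proc.

# describe PID [PROC_ROOT]
# Print "pid ppid exe | cmdline", plus MISMATCH when the basename of the
# running file differs from the basename of argv[0].
describe() (
    p=${2:-/proc}/$1
    ppid=$(awk '$1 == "PPid:" { print $2 }' "$p/status" 2>/dev/null)
    exe=$(readlink "$p/exe" 2>/dev/null) || exe='?'
    # cmdline is NUL-separated and can be rewritten by the process itself:
    # it is what ps and htop display, while exe names the file on disk.
    cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null | sed 's/ *$//')
    argv0=${cmd%% *}
    flag=''
    [ "${exe##*/}" = "${argv0##*/}" ] || flag=' MISMATCH'
    printf '%s %s %s | %s%s\n' "$1" "${ppid:-0}" "$exe" "$cmd" "$flag"
)

# ancestry PID [PROC_ROOT]
# Describe PID, then its parent, and so on until PID 1 has been printed.
ancestry() (
    pid=$1
    while [ "${pid:-0}" -gt 0 ] && [ -d "${2:-/proc}/$pid" ]; do
        describe "$pid" "${2:-/proc}"
        pid=$(awk '$1 == "PPid:" { print $2 }' "${2:-/proc}/$pid/status")
    done
)

# Typical use on the affected machine, as root: ancestry 1117
```

MISMATCH is only a hint: kernel threads and programs started through a symlink or an interpreter also trigger it. A parent of 1 means the process was reparented after its launcher exited, so the tree alone will not name the creator.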
