Hi,
Today I found a process named jusxxrsbtm consuming all the processor;
after a google search, I haven’t been able to find anything about it.
After running:$ find / | grep jusxxrsbtm
I found out that apparently it is a service; with the description: LSB jusxxrsbtm.
When I kill the process, a process named abeotciblz starts that also consumes all the processor.
I also haven’t been able to find anything about this process.
I literally have no idea what is happening or what to do next.
Anyone knows what this service is, does and/or how to keep it from using all the processor?
Thanks in advance to everyone.
First, get some information on the process. I’m going to use vim as an example. You would use this weird jusxx… process.
bash-4.3# ps auxf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 20008 3116 ? Ss 08:20 0:00 /bin/bash
root 227 0.1 0.0 27840 6072 ? T 08:22 0:00 vim
root 230 0.0 0.0 43516 3448 ? R+ 08:22 0:00 ps auxf
This tells me that the pid of vim is 227 and it is not being created by another process. If it were, you’d see a little branch icon showing what is running it.
bash-4.3# ls -l /proc/227/exe
lrwxrwxrwx 1 root root 0 Nov 22 08:25 /proc/227/exe -> /bin/vim
You would replace 227 with the pid of your process and this will tell you the actual file that it’s coming from. Post that here if you still need help.
I think you’re right. It does sound like some kind of malware. Have you have any weird issues with your files being unavailable or deleted or anything like that?
Clam won’t know until it is reported. The fact that those apps show nothing on Google indicates something very new
try making those files not executable. See what happens. If they still run or change back to executable then there is a third process involved running under root
jusxxrsbtm and abeotciblz didn’t start.
Unfortunately, now I have another process named rtwsjgivrt that behaves exactly the same as the other two.
After another check, I discovered that all the executable share the same md5 footprint.
So, now I’m searching for which might be the program/script/process creating this other programs.
I really don’t want to have to format the drive and restart from scratch.
Also I’ve noticed that according to htop, both processes seem to cycle though the following commands:
cd/etc
ls -la
pwd
sh
who
whoami
bash
netstart -antop
echo “find”
grep “A”
id
route -n
su
in no apparent order
What do you think?
I’m personally starting to believe this might actually be some kind of malware. Although Clamav reports nothing.
There are certainly reasons for suspicion there. Anything repeatedly trying to ‘su’ is a worry and the ‘netstart -antop’ and ‘route -n’ suggests that something is trying to discover its network environment (presumably with non-friendly intent).
Do you have a good backup? Maybe a semi-bad backup is better than none.
Tried a Live CD (do you get the same sort-of random program names popping up as using all of the processor time)?
Tried running something like ‘rkhunter’ (probably a bit late now but better late than never arguably)?
