Full Version: High CPU Usage for nobody
woostock
Hi,

I ran the command:

top -c

and I noticed there is a process ./stone running which seemed to take up lots of CPU usage. Does anyone know what program that is? Should I be concerned about this?

31375 nobody 25 0 564 524 472 R 86.5 0.1 32918m 0 ./stone
18896 nobody 15 0 15460 14M 2916 S 0.4 2.8 1:48 0 /usr/local/apache/bin/httpd -DSSL
17112 nobody 15 0 16432 14M 2928 S 0.2 2.9 21:59 0 /usr/local/apache/bin/httpd -DSSL
4383 nobody 15 0 15464 14M 2916 S 0.2 2.8 5:12 0 /usr/local/apache/bin/httpd -DSSL

Under WHM -> Main >> Server Status >> CPU/Memory/MySQL Usage, it also reported:

Top Process %CPU 81.2 ./stone

running under nobody account.

Has my server been hacked?

Can someone help me troubleshoot this please?

Thanks.
JamesC
Look in the tmp directory and see if there is a file called stone; it could be an exploit. Take a good look and make sure there are no other files there that should not be.
woostock
QUOTE (JamesC)
Look in the tmp directory and see if there is a file called stone; it could be an exploit. Take a good look and make sure there are no other files there that should not be.


No, there is no such file.

I ran the command:

find / -name stone -print

and it also doesn't return anything.
Catalyst
Erm, kill the process, regardless. I'd suggest making sure you have enable_dl, register_globals & remote_fopen off in php.ini.

enable_dl would allow an external dynamic library (such as stone.so) ... ... register_globals can allow a webhack such as requesting the URL http://somesite/?config=http://othersite/stone might work if your code includes "exec($config)" ... remote_fopen allows access to external files & libraries altogether. HOWEVER ... simply disabling remote_fopen isn't enough to keep the prior two from being a risk.
eth00
lsof -p 31375

See what the stone process is touching, from the output of that you will probably be able to find where it is stored.
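
Added example, not part of the original post: the same triage done straight from /proc, which still shows where the binary was started from when `find` finds nothing because the file was unlinked after launch. The function name `inspect_pid` and the `PROC_ROOT` override are hypothetical names introduced for this sketch; run it as root on Linux.

```shell
#!/bin/sh
# Added example: triage one PID from the Linux /proc filesystem.
# PROC_ROOT (hypothetical) lets the function read a copied or constructed
# tree instead of the live /proc.

inspect_pid() {
    pid=$1
    root=${2:-${PROC_ROOT:-/proc}}
    dir="$root/$pid"
    [ -d "$dir" ] || { echo "status=gone"; return 2; }

    # exe and cwd are symlinks; readlink still answers when the target
    # has been removed from disk (the kernel appends " (deleted)").
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe="unreadable"
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd="unreadable"
    # cmdline is NUL-separated and set by the process itself, so it is
    # only a hint; exe is the authoritative path.
    cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ *$//')

    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "cmdline=$cmd"

    verdict=ok
    case $exe in
        *" (deleted)") verdict=suspicious
                       echo "flag=binary-deleted-from-disk" ;;
    esac
    case $exe in
        /tmp/*|/var/tmp/*|/dev/shm/*) verdict=suspicious
                       echo "flag=binary-in-world-writable-dir" ;;
    esac
    # A displayed name that differs from the real binary suggests renaming.
    argv0=${cmd%% *}
    base=${exe% (deleted)}
    if [ "$exe" != unreadable ] && [ "${argv0##*/}" != "${base##*/}" ]; then
        verdict=suspicious
        echo "flag=argv0-differs-from-exe"
    fi
    echo "verdict=$verdict"
    [ "$verdict" = ok ]   # exit status 0 = nothing flagged, 1 = suspicious
}

# Live use: sh thisfile.sh 31375
if [ $# -gt 0 ]; then inspect_pid "$1"; fi
```

While the process is still running, `cp /proc/<pid>/exe` to a safe location preserves a deleted binary for analysis before the process is killed.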
ramprage
Grab yourself a copy of Nobody Check, free at www.webhostgear.com/353.html; it will detect, report and automatically kill processes found.