./cache.sh?


Karl Auer
An odd one today!

A client has a system that is running a process that shows up in the
process list as "./cache.sh". There is no file named "cache.sh"
anywhere on his system. This process is chewing up most of his CPU. If
stopped, it starts again after a few minutes. It starts on boot, too.

I think it's malware, and since this system is showing a few other signs
of compromise my immediate recommendation was to rebuild the system
from scratch, and that's what we'll probably do.

But I'm curious - has anyone seen this before? Google was little help
- there are a zillion "cache" things out there.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A



--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: ./cache.sh?

Peter Silva
FWIW, is this in some kind of high availability cluster? The first
hit on Google is this:

http://docs.intersystems.com/latest/csp/docbook/DocBook.UI.Page.cls?KEY=GHA_redhat_clusters_cache_sh

When you delete it on one node, it might make sense if another
participating node perceives that as damage and repairs it. The
later hits on a Google search looked even less likely.

quoting from their web site: "InterSystems IRIS is a high-performance,
“cloud-first” platform that scales up and out, and integrates with
other technologies faster."

So I have no clue what it does.

On Tue, Feb 6, 2018 at 11:22 PM, Karl Auer <[hidden email]> wrote:

> An odd one today!
>
> A client has a system that is running a process that shows up in the
> process list as "./cache.sh". There is no file named "cache.sh"
> anywhere on his system. This process is chewing up most of his CPU. If
> stopped, it starts again after a few minutes. It starts on boot, too.
>
> I think it's malware, and since this system is showing a few other signs
> of compromise my immediate recommendation was to rebuild the system
> from scratch, and that's what we'll probably do.
>
> But I'm curious - has anyone seen this before? Google was little help
> - there are a zillion "cache" things out there.
>
> Regards, K.
>


Re: ./cache.sh?

Duane Whitty
In reply to this post by Karl Auer
On 18-02-07 12:22 AM, Karl Auer wrote:

> An odd one today!
>
> A client has a system that is running a process that shows up in the
> process list as "./cache.sh". There is no file named "cache.sh"
> anywhere on his system. This process is chewing up most of his CPU. If
> stopped, it starts again after a few minutes. It starts on boot, too.
>
> I think it's malware, and since this system is showing a few other signs
> of compromise my immediate recommendation was to rebuild the system
> from scratch, and that's what we'll probably do.
>
> But I'm curious - has anyone seen this before? Google was little help
> - there are a zillion "cache" things out there.
>
> Regards, K.
>
That's pretty interesting.  What's $> ps aux |grep cache.sh show?  If
you look in /var/proc/$PID maybe something interesting might be
revealed.  Lots of entries there that could be looked into.

Best Regards,
Duane

--
Duane Whitty
[hidden email]


Re: ./cache.sh?

Paul Smith-2
On Wed, 2018-02-07 at 01:52 -0400, Duane Whitty wrote:
> > A client has a system that is running a process that shows up in
> > the process list as "./cache.sh". There is no file named "cache.sh"
> > anywhere on his system. This process is chewing up most of his CPU.
> > If stopped, it starts again after a few minutes. It starts on boot,
> > too.

If you know the PID of the running process, you can look in /proc/<PID>
and find out all sorts of useful information including the actual
executable (the exe symlink) which isn't changeable like the "ps"
output is, what files it has open (in the fd directory), etc.

You can also use ss (or netstat if you're old-school) to see what
network sockets are opened by which processes.

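Pulling together the checks suggested in the last two replies (ps and /proc/<PID> from Duane, the exe symlink, the fd directory and ss from Paul), here is an added example, not code from any poster, of a small POSIX shell helper that reads the kernel's view of a process out of /proc instead of trusting ps. ps prints argv[0], which a program or whatever launches it can set to any string it likes, "./cache.sh" included; /proc/<PID>/exe records the binary that was actually mapped, and keeps resolving after the file has been unlinked, which is one plausible reason no cache.sh is found on disk. It assumes a Linux procfs and the iproute2 ss tool; the function names are mine.

```shell
#!/bin/sh
# Added example: triage a suspicious PID from /proc rather than from ps.
# ps shows argv[0], which the process (or its launcher) can set to anything,
# e.g. "./cache.sh". /proc/<PID>/exe is the kernel's record of the mapped
# binary and still resolves after the file is unlinked; readlink then shows
# "/path/to/file (deleted)". Assumes Linux procfs; "ss -p" only lists other
# users' sockets when run as root.

# Real executable path for a PID (kernel's view, not argv[0]); empty on error.
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Exit 0 if the mapped binary has been removed from disk, 1 otherwise.
proc_exe_deleted() {
    case "$(proc_exe "$1")" in
        *' (deleted)') return 0 ;;
        *)             return 1 ;;
    esac
}

# argv as ps would print it; /proc/<PID>/cmdline is NUL-separated.
proc_cmdline() {
    tr '\000' ' ' < "/proc/$1/cmdline" 2>/dev/null | sed 's/ $//'
}

# Parent chain "pid(comm) <- ppid(comm) <- ... <- 1(init)", read from the
# PPid: line of /proc/<PID>/status, which the process cannot spoof the way
# it can argv. For a process that comes back after being killed, this is
# where the thing relaunching it (cron, a watchdog script, a unit) shows up.
proc_ancestry() {
    p=$1
    chain=""
    while [ -n "$p" ] && [ "$p" -gt 0 ] 2>/dev/null; do
        c=$(cat "/proc/$p/comm" 2>/dev/null) || break
        chain="${chain}${chain:+ <- }${p}(${c})"
        p=$(awk '/^PPid:/ {print $2}' "/proc/$p/status" 2>/dev/null)
    done
    printf '%s\n' "$chain"
}

# One report for a PID: identity, parentage, open files, sockets.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    echo "pid:       $pid"
    echo "cmdline:   $(proc_cmdline "$pid")"
    echo "exe:       $(proc_exe "$pid")"
    echo "cwd:       $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "ancestry:  $(proc_ancestry "$pid")"
    echo "open fds:"
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue   # glob stays literal if we lack permission
        printf '   %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
    echo "sockets:"
    ss -tunap 2>/dev/null | grep "pid=$pid," \
        || echo "   none visible (ss missing, or not running as root)"
}

# Usage: sh triage.sh <pid>   (or source the file and call triage_pid)
if [ -n "${1:-}" ]; then
    triage_pid "$1"
fi
```

Run it as root against the PID from `ps aux | grep cache.sh`, then compare the exe line with the cmdline line: a mismatch, or an "(deleted)" suffix, means the name in ps tells you nothing about what is really running. The ancestry line is the quickest lead on why the process comes back after a kill.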

Re: ./cache.sh?

Duane Whitty
On 18-02-07 02:12 AM, Paul Smith wrote:

> On Wed, 2018-02-07 at 01:52 -0400, Duane Whitty wrote:
>>> A client has a system that is running a process that shows up in
>>> the process list as "./cache.sh". There is no file named "cache.sh"
>>> anywhere on his system. This process is chewing up most of his CPU.
>>> If stopped, it starts again after a few minutes. It starts on boot,
>>> too.
>
> If you know the PID of the running process, you can look in /proc/<PID>
> and find out all sorts of useful information including the actual
> executable (the exe symlink) which isn't changeable like the "ps"
> output is, what files it has open (in the fd directory), etc.
>
> You can also use ss (or netstat if you're old-school) to see what
> network sockets are opened by which processes.
>
Yes, my bad: not /var/proc/<PID> but rather /proc/<PID>. Nice catch, Mr.
Smith ;-)

Best Regards,
Duane
