There is a process taking up 100% CPU on a KVM based server I am running.
This is the output of htop.
  PID USER   PRI  NI  VIRT   RES   SHR S CPU% MEM%     TIME+  Command
22230 adminx  20   0  185M  3468  1600 S 100.  0.5 72h45:33 apache
22232 adminx  20   0  185M  3468  1600 R 100.  0.5 72h45:12 apache
10660 root    20   0 26880  4680  3176 R  0.0  0.6  0:00.11 htop
 1061 root    20   0  276M  5796     0 S  0.0  0.8  0:05.59 /usr/lib/snapd/snapd
 9529 root    20   0 92796  6916  5992 S  0.7  0.9  0:00.11 sshd: root@pts/3
The process name is apache and the user is adminx. There shouldn't be any apache executable on the system, and the user adminx shouldn't be running it in any case.
The output of strace on the two PIDs is shown below.
strace -p 22230
epoll_wait(7, [], 1024, 204) = 0
epoll_wait(7, [], 1024, 34) = 0
epoll_wait(7, [], 1024, 500) = 0
epoll_wait(7, [], 1024, 465) = 0
epoll_wait(7, [], 1024, 34) = 0
......
strace -p 22232
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
sched_yield() = 0
......
I don't know how the process originated and the server may have been hacked. I have killed the process and I plan on reinstalling the server.
Given something of this nature, how do you trace how the process started if there is no executable by that name? How can the memory image of the executable be captured for analysis, and how can its memory allocations be analyzed?
PS. I found the name of the executable. It seems it is copied to shared memory and deleted.
adminx@gw06 ~ ls -l /proc/10160/exe
lrwxrwxrwx 1 adminx adminx 0 Jun 3 09:22 /proc/10160/exe -> /dev/shm/apache (deleted)
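The situation in the PS (binary dropped into /dev/shm, executed, then unlinked) is exactly the case where /proc is the only copy left. The script below is an added example, not part of the original post: it walks the process ancestry from /proc/PID/status to see what spawned it, recovers the unlinked executable through /proc/PID/exe (the kernel keeps the inode alive as long as it is mapped), and dumps the anonymous, heap, stack and "(deleted)" mappings from /proc/PID/mem for later inspection. It assumes a Linux host with /proc, standard coreutils (awk, dd, sha256sum) and a target that is still running; once the process has been killed, as in this case, nothing here can recover it. Function names and output paths are illustrative.

```shell
#!/bin/sh
# Added example for triaging a running process whose on-disk binary was deleted,
# e.g. /proc/PID/exe -> /dev/shm/apache (deleted). Not code from the original post.
# Assumes Linux /proc and standard coreutils; names and paths are illustrative.

# Walk the ancestry (pid, ppid, argv) up to init. The parent chain usually shows
# what started it: a cron job, a PHP/CGI worker under the real web server, an
# sshd session for the user, etc. Stops at the first unreadable status file.
triage_ancestry() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        argv=$(tr '\0' ' ' < "/proc/$pid/cmdline")
        printf '%s (ppid %s): %s\n' "$pid" "$ppid" "$argv"
        pid=$ppid
    done
}

# Copy the executable image out of a running process even though the file was
# unlinked: /proc/PID/exe still opens the mapped inode. Writes the image to $2
# and prints its SHA-256 so it can be looked up or compared later.
recover_exe() {
    pid=$1; out=$2
    cat "/proc/$pid/exe" > "$out" || return 1
    sha256sum "$out" | cut -d' ' -f1
}

# Save /proc/PID/maps and dump the regions an in-memory loader or unpacker
# would use (anonymous mappings, [heap], [stack] and anything "(deleted)") from
# /proc/PID/mem, one file per region named by its address range. Reading mem
# needs ptrace permission on the target (root, or the parent under Yama
# ptrace_scope=1); regions that cannot be read are skipped, not faked.
dump_maps() {
    pid=$1; outdir=$2
    mkdir -p "$outdir"
    cp "/proc/$pid/maps" "$outdir/maps"
    grep -v vsyscall "/proc/$pid/maps" |
    while read -r range perms offset dev inode path; do
        case "$perms" in r*) ;; *) continue ;; esac
        case "$path" in ""|"[heap]"|"[stack]"|*"(deleted)"*) ;; *) continue ;; esac
        start=$((0x${range%-*})); end=$((0x${range#*-}))
        # Mappings are page aligned, so read whole pages from the mem file.
        dd if="/proc/$pid/mem" of="$outdir/$range.bin" bs=4096 \
           skip=$((start / 4096)) count=$(((end - start) / 4096)) 2>/dev/null \
           || rm -f "$outdir/$range.bin"
    done
    ls "$outdir"
}

# Typical use on the case in the question (PID from htop, output to /root/ir):
#   triage_ancestry 22232
#   recover_exe 22232 /root/ir/apache.recovered
#   dump_maps 22232 /root/ir/apache.mem
```

Hand the recovered image and the region dumps to the usual tools (file, strings, readelf, objdump, or a disassembler); the maps file tells you which dump came from which address, and a dump whose bytes start with an ELF header but whose region is anonymous is a strong sign the payload was decoded or downloaded at runtime rather than copied from disk.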