There's a process running on a server I'm using, which lots of people have access to.
When I do top I see it taking up ~99% of the CPU.
With ps aux I can see that the command in question is:
python -c import pty;pty.spawn("bash")
I read the docs and they say
pty.spawn(argv[, master_read[, stdin_read]])
Spawn a process, and connect its controlling terminal with the current process’s standard io. This is often used to baffle programs which insist on reading from the controlling terminal.
The functions master_read and stdin_read should be functions which read from a file descriptor. The defaults try to read 1024 bytes each time they are called.
But I don't understand why someone would do this. Why would someone use a shell to invoke python to spawn a shell? And why is it taking up so much CPU?
Am I missing something or do I need a coffee?
Basically I want to know what this process is actually 'doing' with 99% of the CPU, so I can decide whether to kill it or not (remember, not just me on the box).
A sys-admin I am not. I'm one of 'those' developers who just knows enough to get by.
I'm not really sure how to dig further into this - any ideas?
Edit: Is an exploit the only use of this type of command? Again, lots of people have access to this box. Could it not have a legit purpose? Any way I can differentiate one from the other?
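Added triage helper (not part of the original question or an answer to it): a small POSIX shell function that filters ps-style output for python processes invoking pty.spawn and prints the fields worth checking before deciding what to do with one, namely the owning user, the CPU share, and whether the process has a controlling tty at all. It assumes the column order of ps -eo user,pid,ppid,tty,pcpu,args; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Filters lines in the format produced by
#   ps -eo user,pid,ppid,tty,pcpu,args
# (a constructed sample is used below so this runs offline) and reports every python
# process that calls pty.spawn, with the facts to check first: which user owns it,
# how much CPU it takes, and whether it has a controlling terminal.
flag_pty_spawn() {
  awk '
    # field 6 is the first word of ARGS; the whole line is searched for pty.spawn
    $6 ~ /python/ && $0 ~ /pty\.spawn/ {
      tty = $4
      if (tty == "?") {
        # no controlling terminal: the parent is typically a pipe or a socket, so the
        # parent process (PPID) tells you where this shell actually came from
        hint = "no controlling tty; inspect parent pid " $3
      } else {
        # attached to a terminal: an interactive session, so look at who owns it
        hint = "attached to " tty "; check that login session"
      }
      printf "%s pid=%s ppid=%s cpu=%s %s\n", $1, $2, $3, $5, hint
    }'
}

# number of flagged processes, as a one-line summary
count_flagged() {
  flag_pty_spawn | grep -c . || true
}

# Constructed sample (not real output from the server in the question).
SAMPLE='USER PID PPID TTY %CPU ARGS
alice 4242 4240 ? 99.0 python -c import pty;pty.spawn("bash")
bob 5100 5001 pts/3 0.1 python -c import pty;pty.spawn("bash")
root 1 0 ? 0.0 /sbin/init'

printf '%s\n' "$SAMPLE" | flag_pty_spawn
# Against the live box instead: ps -eo user,pid,ppid,tty,pcpu,args | flag_pty_spawn
```

A pty.spawn process with no controlling tty is consistent with a shell started from a socket or pipe rather than a login session, which is why the parent pid is the next thing to look at.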