
Killing these processes made the server respond as normal ... again. So what were these processes doing, and how can this be avoided in future?

ubuntu@ip-172-16-0-150:~$ ps aux | grep owksvbmS
jenkins  10873  0.0  0.0  23172   496 ?        Ss   01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10875  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10876  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10877  0.0  0.0  23172   496 ?        S    01:22   0:09 ./var/lib/jenkins/owksvbmS
jenkins  10878  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10879  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10880  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10881  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10883  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  10884  0.0  0.0  23172   496 ?        S    01:22   0:00 ./var/lib/jenkins/owksvbmS
jenkins  19874  0.0  0.0  23172   496 ?        S    10:58   0:00 ./var/lib/jenkins/owksvbmS
jenkins  19875 99.5  0.0  23172   496 ?        R    10:58   1:11 ./var/lib/jenkins/owksvbmS

2 Answers


Most probably your Jenkins was compromised. Run lsof -i to see where this binary is connecting to ... most probably it will be some Chinese IP. Look for other binaries (+x) within the same directory.

a_z

The best way to find out what a process is doing is to attach to the process by running strace -p PID and see what it does. To see the files that are opened by the process you can run lsof -p PID. This should give you a good idea of what the processes are doing.

Mugurel
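As an added example (not code from the question or either answer), the checks both answers suggest pulled together into a small POSIX sh triage script: where a PID's binary really lives and what it is running (read from /proc), the other executables in the same directory, and its network connections and open files. It assumes a Linux host with /proc mounted; lsof is used only when installed, and the function names are my own.

```shell
#!/bin/sh
# Added triage helpers for a suspicious process such as the owksvbmS binary
# in the question. Assumes Linux with /proc; lsof is optional.

# Resolve the real executable (works even if the file was deleted after
# launch), the working directory and the full command line of a PID.
describe_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    printf 'pid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "$cmd"
}

# List executable regular files directly inside a directory (the "+x" hint
# from the first answer), each with a SHA-256 so it can be checked against
# known-good builds or shared with an incident responder.
list_executables() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -perm -u+x -print | sort |
    while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum="(sha256sum not available)"
        fi
        printf '%s %s\n' "$sum" "$f"
    done
}

# Network sockets and open files of the PID; falls back to /proc when lsof
# is not installed.
network_and_files() {
    pid=$1
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i -a -p "$pid"   # sockets only, numeric addresses
        lsof -nP -p "$pid"         # every open file
    else
        ls -l "/proc/$pid/fd" 2>/dev/null | grep socket
    fi
}

# Full triage of one PID: identity, neighbouring executables, connections.
triage() {
    pid=$1
    describe_pid "$pid" || return 1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    list_executables "$(dirname "$exe")"
    network_and_files "$pid"
}

if [ $# -gt 0 ]; then triage "$1"; fi
```

Run it as the same user that owns the process (or as root), e.g. `sh triage.sh 19875`, before killing anything, since the evidence in /proc disappears with the process.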