b26h - what is this? eating my cpu

JohnRoe Member

As you can see in the image above, the b26h process is eating my CPU all the time.. Does anyone know what it is? I googled but no luck..

This is on a VPS, so I need to know what this is and whether I should terminate it.


Comments

  • Corey Member

    Press C in top and if you are lucky it will show you the path of the command. Also check the bash history of all users and make sure someone didn't compromise your machine and run that.

  • netomx Moderator, Veteran

    Look into /tmp just in case.

    Also, check your bash history.
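Added example (not part of the thread, and not something any poster ran): the two posts above amount to "find out what the process actually is before killing it". The script below does that from /proc alone, so it works even when the binary has already unlinked itself or lives somewhere odd like /tmp or /root. Function and variable names are mine; it assumes a Linux host with /proc mounted.

```sh
#!/bin/sh
# Added example: triage a running PID from /proc before terminating it.
# Shows the resolved executable, working directory, full command line and
# parent PID, and flags the two things that most often mark a dropped
# binary: it runs from a scratch or home directory, or it was deleted from
# disk after starting (the image is still readable from /proc/<pid>/exe).

# Find PIDs whose short name (/proc/<pid>/comm, truncated to 15 chars)
# matches exactly, e.g. pids_named b26h
pids_named() {
    name="$1"
    for d in /proc/[0-9]*; do
        [ -r "$d/comm" ] || continue
        if [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ]; then
            echo "${d#/proc/}"
        fi
    done
}

# Executable path of a PID; empty if the PID is gone or not readable.
pid_exe() { readlink "/proc/$1/exe" 2>/dev/null; }

# Print what a PID is and where it came from. Returns 1 if no such PID.
triage_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    exe=$(pid_exe "$pid")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    printf 'pid=%s ppid=%s\nexe=%s\ncwd=%s\ncmdline=%s\n' \
        "$pid" "$ppid" "$exe" "$cwd" "$cmd"
    case "$exe" in
        *"(deleted)"*)
            echo "note: on-disk binary removed; copy /proc/$pid/exe out now" ;;
    esac
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/root/*|/home/*)
            echo "note: executable runs from $exe, not a package path" ;;
    esac
}

# Usage: for p in $(pids_named b26h); do triage_pid "$p"; done
```

The parent PID is the useful part when a process keeps respawning with a new PID, as happens later in this thread: walk up with triage_pid on the PPid until you reach the cron job, init script or shell that is restarting it. Copying /proc/PID/exe out before the reinstall gives you a sample to submit or scan.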

  • JohnRoe Member

    Is it a virus??

    Guess what??? Maybe right. It is a virus.. I also found a process named b26.

    I googled about it and found http://superuser.com/questions/695876/is-root-b26-a-ddos-process

    I shut down my server and planned to make a clean install..

    According to the forum, it is a DDoSing process.. no wonder my VPS used about 700GB in less than 20 days.. I am hosting a static website; it's hard to reach even 3GB/month of bandwidth..

  • Your top screenshot shows that the process has only used 5 seconds of CPU time. Does the process persist or is it re-spawned often? Does the PID change?

  • iceTwy Member

    @psycholyzern said:
    According to the forum, it is a DDoSing process.. no wonder my VPS used about 700GB in less than 20 days.. I am hosting a static website; it's hard to reach even 3GB/month of bandwidth..

    @NodePing said:
    Your top screenshot shows that the process has only used 5 seconds of CPU time. Does the process persist or is it re-spawned often? Does the PID change?

    According to the first quote, I'd say that the attackers run that process (b26h) on and off; since the server has pretty much been turned into a botnet, the b26/b26h process only starts DDoSing when needed and only for a certain amount of time. Hence the short usage time.

  • JohnRoe Member
    edited May 2014

    @NodePing said:
    Your top screenshot shows that the process has only used 5 seconds of CPU time. Does the process persist or is it re-spawned often? Does the PID change?

    Here is another snapshot.

    Its ID changed..

    I booted up my server and found b26 still running. It will run for a few milliseconds and then be gone.. and b26h is also running again..

    EDIT: this is the b26 snapshot; its ID is also changing.

  • Did you just run clamav now? Or do you have it to always monitor?

  • JohnRoe Member

    @hostnoob said:
    Did you just run clamav now? Or do you have it to always monitor?

    It always runs because I use this server for a website and mail.

  • JohnRoe Member

    @iceTwy said:

    My root access has been compromised?

  • I wonder why it didn't pick it up, but it looks like it's definitely used for DDoS attacks

    http://superuser.com/questions/695876/is-root-b26-a-ddos-process

    I would shut it off or block outbound data (if you can) for now until you sort it

  • JohnRoe Member

    b26 and b26h are located in /root/

    I deleted them..

  • JohnRoe Member

    @hostnoob said:
    I wonder why it didn't pick it up, but it looks like it's definitely used for DDoS attacks

    http://superuser.com/questions/695876/is-root-b26-a-ddos-process

    I would shut it off or block outbound data (if you can) for now until you sort it

    Yeah.. 700GB of bandwidth used.. I never use bandwidth that high.

  • earl Member

    Just wipe the VPS, and you should use keys and disable password-based logins..

    http://www.howtoforge.com/ssh_key_based_logins_putty

    You should also check your local computer and scan for keylogger viruses like ZEUS.. Malwarebytes is pretty good.

  • iceTwy Member
    edited May 2014

    @psycholyzern said:
    My root access has been compromised?

    Yes, it most likely has been compromised. If you're finding DDoS scripts in your /root/ folder, then...

    Something's fucky

  • netomx Moderator, Veteran

    What panel did you use?

  • @netomx said:
    What panel did you use?

    I'm sure it's some un-updated panel, too lazy for a simple apt-get upgrade/pacman -Syu/yum update or whatever :/

  • edited May 2014

    Anything listed in # crontab -e, or something weird in /etc/init.d, or maybe something run by supervisord?

    And maybe some weird last login IP?

  • JohnRoe Member

    @netomx said:
    What panel did you use?

    I'm using Virtualmin.

    @TheRedFox said:
    I'm sure it's some un-updated panel, too lazy for a simple apt-get upgrade/pacman -Syu/yum update or whatever :/

    Who do you mean?? I installed Virtualmin about a week ago on a fresh server.. and I always keep my servers up to date.

  • JohnRoe Member

    @ErawanArifNugroho said:
    Anything listed in # crontab -e,

    Only 3 lines, webmin related.

    or something weird in /etc/init.d,

    or maybe something run by supervisord?
    And maybe some weird last login IP?

    I checked /var/log/auth.log and found this.

    Too many of them.. then it stops.. I scrolled a few pages and found this.

    Different IP.. but still from CHINA.
    There are also a lot of the same log lines from IP 42.62.17.250.
    I scrolled a few pages more and found this.

    Brute force????
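Added example (not part of the thread; the poster's actual log lines are in screenshots that did not survive extraction): the question "brute force?" is answered by the failed-password lines, but the question that matters for the reinstall decision is whether any of those attempts was followed by an "Accepted password" for the same source. The script below does both over a constructed auth.log using RFC 5737 documentation addresses; the line format is the standard OpenSSH/syslog one, and the function names are mine.

```sh
#!/bin/sh
# Added example: summarise SSH brute force in an auth.log and find whether
# any attacking IP eventually logged in. Sample log is constructed.

SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
May  5 03:12:01 vps sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May  5 03:12:03 vps sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
May  5 03:12:05 vps sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
May  5 03:12:09 vps sshd[2207]: Failed password for root from 198.51.100.23 port 40211 ssh2
May  5 03:12:11 vps sshd[2209]: Failed password for root from 203.0.113.7 port 51061 ssh2
May  5 03:14:40 vps sshd[2231]: Accepted password for root from 203.0.113.7 port 51299 ssh2
May  5 03:14:40 vps sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  5 09:01:12 vps sshd[3410]: Accepted publickey for deploy from 192.0.2.10 port 55120 ssh2
EOF

# Failed password attempts per source IP, busiest first ("count ip").
# Anchoring on the word "from" copes with both "for root" and
# "for invalid user admin" forms.
failed_by_ip() {
    grep 'sshd.*Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
             END { for (ip in c) print c[ip], ip }' \
      | sort -rn
}

# Every successful login as "method user ip".
accepted_logins() {
    grep 'sshd.*Accepted ' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i-3), $(i-1), $(i+1) }'
}

# Successful logins from an IP that also failed: the brute force that worked.
suspicious_successes() {
    attackers=$(failed_by_ip "$1" | awk '{ print $2 }')
    accepted_logins "$1" | while read -r method user ip; do
        if printf '%s\n' "$attackers" | grep -qx "$ip"; then
            echo "$method $user $ip"
        fi
    done
}

# Usage: failed_by_ip /var/log/auth.log | head
#        suspicious_successes /var/log/auth.log
```

On the sample this reports one success, "password root 203.0.113.7", after four failures from the same address; that is the line that turns "lots of noise from China" into "root was logged into with a guessed password", and it is also the timestamp to compare against the creation time of the files in /root. Rotated logs (auth.log.1, auth.log.*.gz via zcat) need the same treatment, and `last -i` reads the wtmp record of the same logins if the text log was truncated.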

  • JohnRoe Member

    I deleted b26 and b26h from my server and changed my root password to alphabetic+numeric+symbols.

    But when I checked again today, both files exist and the processes are up again.. damn it..

  • Check $HOME/.ssh/ and /etc/passwd for unknown authorized_keys and users.

    Install fail2ban or other firewall. Hope it helps.
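Added example (not part of the thread): the files coming back after a root password change means the intruder has a way in that does not depend on that password, and the post above lists the usual places. The script below audits those places on a root prefix, so the same functions run against the live system ("/") or a mounted copy of the old disk after the reinstall. The tiny filesystem it builds is constructed for demonstration; function names, the fake key comments and the crontab line are mine, not anything found on the poster's server.

```sh
#!/bin/sh
# Added example: audit /etc/passwd, authorized_keys and per-user crontabs
# for the footholds an intruder leaves behind. All files are constructed.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/root/.ssh" "$ROOT/home/deploy/.ssh" \
         "$ROOT/var/spool/cron/crontabs"
cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForDeploy deploy@laptop\n' \
    > "$ROOT/home/deploy/.ssh/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQexample unknown@unknown\n' \
    > "$ROOT/root/.ssh/authorized_keys"
printf '* * * * * /tmp/.hidden/run >/dev/null 2>&1\n' \
    > "$ROOT/var/spool/cron/crontabs/root"

# Every account with UID 0, not just the one named root.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# Accounts with a real login shell ("user:shell").
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1/etc/passwd"
}

# Each key in every authorized_keys reachable from a passwd home directory,
# printed as "user file comment" so an unfamiliar comment stands out.
authorized_keys_report() {
    awk -F: '{ print $1, $6 }' "$1/etc/passwd" | while read -r user home; do
        f="$1$home/.ssh/authorized_keys"
        [ -f "$f" ] || continue
        awk -v u="$user" -v f="$f" \
            '/^[[:space:]]*(#|$)/ { next } { print u, f, $NF }' "$f"
    done
}

# Non-comment lines of every user crontab in the spool ("user: line").
user_crontabs() {
    for f in "$1"/var/spool/cron/crontabs/* "$1"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
            | sed "s|^|$(basename "$f"): |"
    done
}

# Usage on a live box: uid0_accounts /; authorized_keys_report /; user_crontabs /
```

On the sample it surfaces a second UID-0 account (toor), a key with an unrecognised comment in /root/.ssh/authorized_keys, and a root cron job launching something out of /tmp every minute; any one of those explains why a password change achieved nothing. System-wide cron (/etc/crontab, /etc/cron.*), /etc/rc.local and /etc/init.d deserve the same read-through, as ErawanArifNugroho suggests above.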

  • petris Member

    @psycholyzern said:
    I deleted b26 and b26h from my server and changed my root password to alphabetic+numeric+symbols.

    But when I checked again today, both files exist and the processes are up again.. damn it..

    You should take the advice of others here and wipe + reinstall. Your VPS was compromised and there's no telling what they've done to it, including adding backdoors to regain access.

  • NanoG6 Member

    Changing the default SSH port is a must. At least it will reduce brute force attacks.

  • JohnRoe Member

    @petris said:
    You should take the advice of others here and wipe + reinstall. Your VPS was compromised and there's no telling what they've done to it, including adding backdoors to regain access.

    I'm reinstalling it now.. I'm not too afraid because there is no sensitive data on this server.. I just use it to host a website with only static pages.
    Thanks for your concern.

    @nullnull said:
    Check $HOME/.ssh/ and /etc/passwd for unknown authorized_keys and users.

    Install fail2ban or other firewall. Hope it helps.

    Now I realize how important tightening server security is.

  • soulchief Member
    edited May 2014

    At the very minimum, you should change the SSH port and create a new user, then disable root login.

    Set up fail2ban as well.

  • VPN Member

    @soulchief said:
    At the very minimum, you should change the SSH port and create a new user, then disable root login.

    Or change:

    PermitRootLogin               yes

    To:

    PermitRootLogin               without-password

    In the ssh_config and then set up SSH keys for root.
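Added example (not part of the thread): the two posts above describe the same fix from different angles, so here is the daemon configuration they are talking about with a checker for it. One correction of fact for readers: the file sshd reads is /etc/ssh/sshd_config; ssh_config is the client's file and a PermitRootLogin line there does nothing. The value "without-password" is the older spelling of what OpenSSH 7.0 renamed "prohibit-password"; both mean root may log in with a key but never with a password. The two config files below are constructed, and the function names are mine.

```sh
#!/bin/sh
# Added example: a weak sshd_config beside a hardened one, plus a checker
# that reads the effective value of a keyword the way sshd does (first
# match wins, keywords are case-insensitive). Both files are constructed.

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# Looks like a stock install: root may log in with a password on port 22,
# which is exactly what a password-guessing bot needs.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
Port 2222
# "prohibit-password" was spelled "without-password" before OpenSSH 7.0.
# Root may still log in, but only with a key in /root/.ssh/authorized_keys.
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Only these accounts may authenticate at all.
AllowUsers deploy root
MaxAuthTries 3
EOF

# Effective value of a keyword: $1 = file, $2 = keyword, $3 = default when
# the keyword is absent. Comments are skipped; first occurrence wins.
sshd_value() {
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '/^[[:space:]]*#/ || NF < 2 { next }
         tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Report the weak settings; exit status 1 if any were found.
# Absent keywords are treated as "yes", the default on OpenSSH of the era
# (PermitRootLogin defaults to prohibit-password from 7.0 onwards).
audit_sshd_config() {
    f="$1"; bad=0
    case "$(sshd_value "$f" PermitRootLogin yes)" in
        yes) echo "WEAK: PermitRootLogin yes (root can log in with a password)"; bad=1 ;;
    esac
    case "$(sshd_value "$f" PasswordAuthentication yes)" in
        yes) echo "WEAK: PasswordAuthentication yes (password guessing possible)"; bad=1 ;;
    esac
    [ "$(sshd_value "$f" Port 22)" = 22 ] \
        && echo "NOTE: Port 22 (moving it cuts scanner noise, not risk; keys do that)"
    return $bad
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```

Before applying the hardened version, put the public key in place and confirm a key login works from a second session; PasswordAuthentication no on a box with no working key is a lockout, and on a VPS the console is the only way back. `sshd -t` validates the file, and `sshd -T` prints the effective settings if you want to check the live daemon rather than the text.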

  • @psycholyzern what steps do you take on your VPS after a fresh install?

  • JohnRoe Member

    @hostnoob said:
    psycholyzern what steps do you take on your VPS after a fresh install?

    I've got some VPSes.. on the other VPS, I just changed the SSH port... but for this VPS, I've done nothing..

    It's my fault I didn't take any precautionary steps.. but it is because I didn't host any sensitive files. Just a hobby.
