[nmglug] unknown processes, sh -i

Andres Paglayan andres at paglayan.com
Wed Feb 7 11:32:10 PST 2007


Someone running your bash shell interactively?
SYN_SENT has to do with scanning.

On  7, 2007, at 12:20 PM, Jason Schaefer wrote:

> This process has started twice in the last month. It takes 100% of
> my CPU and netstat shows it's connected to a hosting company in
> Italy (serverdedicati.seflow.net). Apache has nothing in the logs
> regarding this! Has anyone else seen this sh -i? Anything I might
> be missing?
>
> This is what netstat -patn shows:
> tcp        0      0 10.2.2.2:37924          213.92.118.223:49153    ESTABLISHED12780/sh -i
> tcp        0      0 10.2.2.2:37923          213.92.118.223:49153    ESTABLISHED12761/sh -i
> tcp        0      0 10.2.2.2:37906          213.92.118.223:49153    ESTABLISHED13122/sh -i
> tcp        0      1 10.2.2.2:33807          213.92.118.223:49153    SYN_SENT   13449/sh -i
>
> This is what ps aux |grep www-data shows:
> USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
> www-data 19198  0.0  0.2  24120  1784 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19199  0.0  0.2  24120  2028 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19200  0.0  0.2  24204  1796 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19201  0.0  0.2  24232  1792 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 19202  0.0  0.2  24228  1776 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 23276  0.0  0.2  24120  2188 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 26063  0.0  0.2  24236  1768 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
> www-data 12761  8.9  0.2   4820  2320 ?        RN   Feb05 218:42 sh -i
> www-data 12780 27.1  0.2   4824  2312 ?        RN   Feb05 659:30 sh -i
> www-data 13122 26.4  0.2   4828  2320 ?        RN   Feb05 642:09 sh -i
> www-data 13449 18.9  0.2   4828  2308 ?        SN   Feb05 457:57 sh -i
>
>
> This is what top shows:
> 13122 www-data  35  10  4828 2320  972 R 10.7  0.3 642:12.92 perl
> 12761 www-data  35  10  4820 2320  976 R  9.7  0.3 218:45.64 perl
> 12780 www-data  35  10  4824 2312  976 R  9.4  0.3 659:33.24 perl
>
>





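
A triage check for the pattern in the quoted output, added here as an example and not written by either poster: it joins `netstat -patn` and `ps aux` text and reports shells owned by a service account that hold or are opening a TCP connection to a non-local peer. The function names, the shell list and the `LISTEN` sample line are assumptions made for the example; the other sample lines are taken from the post with the e-mail wrapping undone.

```python
import re

# netstat -patn lines from the post, e-mail wrapping undone; LISTEN line is constructed.
NETSTAT = """\
tcp        0      0 10.2.2.2:37924          213.92.118.223:49153    ESTABLISHED12780/sh -i
tcp        0      1 10.2.2.2:33807          213.92.118.223:49153    SYN_SENT   13449/sh -i
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     19198/apache2
"""
# ps aux lines from the post, e-mail wrapping undone.
PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data 19198  0.0  0.2  24120  1784 ?        SN   Feb04   0:00 /usr/sbin/apache2 -k start -DSSL
www-data 12780 27.1  0.2   4824  2312 ?        RN   Feb05 659:30 sh -i
www-data 13449 18.9  0.2   4828  2308 ?        SN   Feb05 457:57 sh -i
"""

STATES = ("ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|"
          "CLOSE_WAIT|LAST_ACK|LISTEN|CLOSING|CLOSE")
# The netstat output in the post prints the state with no separator before
# PID/program ("ESTABLISHED12780/sh -i"), so the state is matched by name.
SOCK = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(%s)\s*(\d+)/(.*)$" % STATES)
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}   # assumed list
ACTIVE = {"ESTABLISHED", "SYN_SENT"}

def parse_ps(text):
    """Map PID -> (user, command line) from `ps aux` output."""
    procs = {}
    for line in text.splitlines():
        f = line.split(None, 10)
        if len(f) == 11 and f[1].isdigit():   # skips the header row
            procs[int(f[1])] = (f[0], f[10])
    return procs

def shell_sockets(netstat_text, ps_text, service_users=("www-data",)):
    """Return (pid, user, command, remote, state) for shells run by a service
    account that hold or are opening a TCP connection to a non-local peer."""
    procs, hits = parse_ps(ps_text), []
    for line in netstat_text.splitlines():
        m = SOCK.match(line)
        if not m:
            continue
        _local, remote, state, pid, prog = m.groups()
        user, cmd = procs.get(int(pid), (None, prog))
        argv0 = (cmd.split() or [""])[0].rsplit("/", 1)[-1].lstrip("-")
        host = remote.rsplit(":", 1)[0]
        local_peer = host in ("0.0.0.0", "::", "::1") or host.startswith("127.")
        if user in service_users and argv0 in SHELLS \
                and state in ACTIVE and not local_peer:
            hits.append((int(pid), user, cmd, remote, state))
    return hits
```

The match is on the command line that `ps` and `netstat` report; in the post, `top` lists the same PIDs as `perl`, so the displayed name alone does not identify the binary.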