  1. #1

    Suspicious process 'duy'

    Please assist..

    We had a process by the name of 'duy' running in our cpanel server and causing a very high consumption of bandwidth at 66Mbps/sec.

    The bandwidth usage went back to normal after the processes were killed.

    We tried to find a matching file with 'duy' but there were no results.

    Any idea?

  2. #2
    Join Date
    Jun 2003
    World Wide Web
    This process looks suspicious....

    Please check the output of the command

    ps auxf | grep duy
    You will get the complete process tree using the above command.
    - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  3. #3
    Join Date
    Mar 2003
    And it is time to evaluate your server.

    You need to check your whole system for possible trojans also.
    Specially 4 You
    JoneSolutions.Com ( Jones.Solutions ) is on the net 24/7 providing stable and reliable web hosting solutions and services since 2001

  4. #4
    Join Date
    Jul 2005
    New Jersey, US
    That definitely sounds like a malicious process based on the amount of bandwidth it is using. Trace the process before killing it. Try to get the path or username it is coming from. You will also need to do a general security check and hardening (i.e., start with firewall, modsecurity, etc).
    PlatinumServerManagement (also known as PSM)
    The OLDEST and LARGEST and MOST TRUSTED server management provider in the USA, with 15+ employees and growing!
    Providing quality support for OVER 18 years! Currently supporting over 3,000+ servers monthly! Proud member of the NJ BBB & Chamber of Commerce & Authorized cPanel Partner.

  5. #5
    Join Date
    Aug 2006
    Ashburn VA, San Diego CA
    Your server has been hacked and compromised. Time for a full security would be best off by hiring a company like platinumservermanagement or switching to a managed provider.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  6. #6
    Join Date
    Apr 2003
    A quick command that will give you some ideas as well as a place to look is lsof

    lsof -p PID |more

    It won't work every time but works most times. I agree something bad was obviously going on. Of course you have to run the command while the process is running.
    John W, CISSP, C|EH
    MS Information Security and Assurance - Server Administration and Security - Managed VPS and Dedicated Servers with VIP Service
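
Added example, not part of any post in this thread: a read-only shell helper for the tracing suggested in posts #4 and #6, collecting the owner, parent, binary path and working directory of a process before it is killed. It assumes a Linux `/proc`; the function names `trace_pid` and `trace_name` are made up for this example.

```shell
#!/bin/sh
# Added example: record where a running process came from before killing it.
# Reads only /proc (Linux). Run as root to inspect other users' processes.

trace_pid() {
    pid=$1
    dir=/proc/$pid
    [ -d "$dir" ] || { echo "pid $pid: not running" >&2; return 1; }

    # Owner: real UID from the status file, mapped to a name when possible.
    uid=$(awk '/^Uid:/ {print $2}' "$dir/status")
    user=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)
    echo "pid=$pid"
    echo "user=${user:-$uid}"
    echo "ppid=$(awk '/^PPid:/ {print $2}' "$dir/status")"

    # comm is the short name ps shows; both it and cmdline can be rewritten
    # by the process itself, so they are reported but not trusted.
    echo "comm=$(cat "$dir/comm" 2>/dev/null)"
    echo "cmdline=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null)"

    # exe is the kernel's link to the binary that was executed. The kernel
    # appends " (deleted)" when that file was unlinked after the start.
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
    echo "exe=${exe:-unreadable}"
    echo "cwd=$(readlink "$dir/cwd" 2>/dev/null)"
    case $exe in
        *' (deleted)') echo "exe_deleted=yes" ;;
        *)             echo "exe_deleted=no" ;;
    esac
}

# Report every process whose short name matches exactly, e.g. trace_name duy
trace_name() {
    for c in /proc/[0-9]*/comm; do
        [ "$(cat "$c" 2>/dev/null)" = "$1" ] || continue
        p=${c#/proc/}
        trace_pid "${p%/comm}"
        echo "---"
    done
}
```

Run `trace_name duy` as root while the process is still alive. If it reports `exe_deleted=yes`, a filesystem search for the name finds nothing, but the binary can still be copied out of `/proc/PID/exe` for analysis until the process exits.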

  7. #7
    Join Date
    Oct 2005
    Austin, TX
    Naw, I'd just reformat... it's possible once you killed it, it alerted them, and they went and grabbed a rootkit.. then you're screwed, good luck finding it.
    Cody McLain
    Founder of PacificHost / AptHost
