0

My Zimbra mail server (8.0.2 Community Edition) recently started to spawn an interesting process called "b".

top - 11:04:44 up 19 days, 18:47,  1 user,  load average: 6.25, 6.38, 5.57
Tasks: 131 total,   2 running, 129 sleeping,   0 stopped,   0 zombie
%Cpu(s): 17.8 us,  4.3 sy, 77.9 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:   4049688 total,  3469008 used,   580680 free,   141496 buffers
KiB Swap:        0 total,        0 used,        0 free,   557404 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
18917 zimbra    20   0  311m 1724  948 S  78.1  0.0  23:03.87 b
18899 zimbra    20   0  311m 1616  856 S  77.1  0.0  23:15.35 b
19119 zimbra    20   0 25168 4656  756 R  43.6  0.1  13:22.86 java
26039 zimbra    20   0 2512m 1.1g  11m S   0.7 28.1 162:24.38 java
    1 root      20   0 24204 1992 1148 S   0.0  0.0   0:04.30 init
    2 root      20   0     0    0    0 S   0.0  0.0   0:00.26 kthreadd
    3 root      20   0     0    0    0 S   0.0  0.0   3:51.87 ksoftirqd/0
    5 root      20   0     0    0    0 S   0.0  0.0   0:00.08 kworker/u:0
    6 root      rt   0     0    0    0 S   0.0  0.0   1:10.28 migration/0
    7 root      rt   0     0    0    0 S   0.0  0.0   0:11.18 watchdog/0
    8 root      rt   0     0    0    0 S   0.0  0.0   1:10.13 migration/1
   10 root      20   0     0    0    0 S   0.0  0.0   4:06.88 ksoftirqd/1
   11 root      rt   0     0    0    0 S   0.0  0.0   0:10.32 watchdog/1
   12 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 cpuset
   13 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 khelper
   14 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kdevtmpfs
   15 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 netns
   16 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kworker/u:1
   17 root      20   0     0    0    0 S   0.0  0.0   0:03.61 sync_supers
   18 root      20   0     0    0    0 S   0.0  0.0   0:00.10 bdi-default
   19 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kintegrityd
   20 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 kblockd
   21 root       0 -20     0    0    0 S   0.0  0.0   0:00.00 ata_sff

I do not seem to be able to find anywhere a list of processes for Zimbra, or an explanation of what they do. In this specific case, should I be worried about a process called "b", and what does the "b" stand for? :D

Can I kill it?

Cninroh
  • 268
  • 3
  • 13
  • Try running `ls -l /proc/18899/exe` and seeing where it is located. – Matthew Ife Dec 28 '13 at 11:18
  • 1
    Type the "c" key to see the entire command line used to launch the process – Dom Dec 28 '13 at 11:31
  • After clicking "c" I get - "/var/tmp/b -B -o stratum+tcp://hecks.ddosdev.com:53 -u ilovebig ..... " which makes me think the server has malware. I will manually kill the process, because it seems to be connected to bitcoin mining. – Cninroh Dec 28 '13 at 12:18
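The triage the comments walk through by hand (readlink on /proc/PID/exe, reading the process's command line), as an added shell example that is not from this thread. It assumes a Linux /proc layout; the scratch-directory list and the pool-URL patterns are assumptions, and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage running processes the way the
# comments above do by hand (readlink /proc/PID/exe, inspect the command
# line) and flag the usual miner tells. Assumes a Linux /proc layout; the
# scratch-directory list and pool-URL patterns are assumptions, not Zimbra's.

# classify_proc EXE_PATH CMDLINE
# Prints one reason and returns 0 when the process looks suspicious,
# prints nothing and returns 1 when it looks clean.
classify_proc() {
    exe=$1
    cmdline=$2
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "binary in world-writable scratch dir: $exe"; return 0 ;;
        *"(deleted)"*)
            echo "binary unlinked from disk: $exe"; return 0 ;;
    esac
    case "$cmdline" in
        *stratum+tcp://*|*stratum+ssl://*)
            echo "mining-pool URL in command line"; return 0 ;;
    esac
    return 1
}

# scan_proc: walk /proc and print "PID uid=UID REASON" for each flagged process.
# Reading another user's /proc/PID/exe needs root (or that user); otherwise the
# exe check sees an empty path and only the cmdline check applies.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=""
        # cmdline is NUL-separated; turn NULs into spaces so the patterns match
        cmdline=$(tr '\000' ' ' < "$d/cmdline" 2>/dev/null)
        if reason=$(classify_proc "$exe" "$cmdline"); then
            uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)
            printf '%s uid=%s %s\n' "$pid" "$uid" "$reason"
        fi
    done
}

scan_proc
```

A hit like "18899 uid=1001 binary in world-writable scratch dir: /var/tmp/b" is the cue to capture the binary and command line before killing anything, since the process tree is the evidence.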

2 Answers

1

> After clicking "c" I get - "/var/tmp/b -B -o stratum+tcp://hecks.ddosdev.com:53 -u ilovebig ..... " which makes me think the server has malware. I will manually kill the process, because it seems to be connected to bitcoin mining.

As you've said yourself this does indeed seem to be malware.
Interesting to see that it's planted itself under the zimbra user, perhaps a bug or through bad password use?

Anyways, you might be able to kill the process but you don't know what other malware is hanging around.

My advice would be to re-install the server asap and if possible (depending on your amount of users) export the user data using the client instead of copying /opt/zimbra completely.

HTDutchy
  • 445
  • 1
  • 4
  • 15
0

Try monitoring it using strace or ltrace

E.g.

# -x matches the process name exactly (a plain "pgrep b" also matches kblockd, bdi-default, ...);
# one -p per PID attaches to both "b" processes at once
strace $(pgrep -x b | sed 's/^/-p /')
ptman
  • 27,124
  • 2
  • 26
  • 45