My server has what I think is suspicious activity: there is a bash process that consumes more than 30% CPU. When I trace it with lsof -p
it shows:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
carcvncgi 39259 root cwd DIR 253,1 4096 813203 /var/www/elasticsearch
carcvncgi 39259 root rtd DIR 253,1 4096 2 /
carcvncgi 39259 root txt REG 253,1 625622 1109822 /usr/bin/carcvncgiw
carcvncgi 39259 root 0u CHR 1,3 0t0 1029 /dev/null
carcvncgi 39259 root 1u CHR 1,3 0t0 1029 /dev/null
carcvncgi 39259 root 2u CHR 1,3 0t0 1029 /dev/null
carcvncgi 39259 root 3u IPv4 36094970 0t0 UDP *:44932
But when I check it with who
it only shows:
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/4 182.253.177.249 09:07 6:45 17.35s 0.28s -bash
root pts/5 182.253.177.249 09:25 23:57 1.82s 1.75s iftop
root pts/7 182.253.177.249 09:33 5.00s 0.14s 0.00s w
root pts/0 103:S.0 22:45 9:29m 0.34s 0.27s /bin/bash
The three from the top are my IP; the last one, I think, is the provider's IP.
Is it possible someone is accessing my server and hiding it from the who
command? Is there a way to solve this? And what is the carcvncgiw
process, as Mr. Google doesn't provide a clear explanation?
UPDATE
Well, I followed How do I deal with a compromised server? and tried to deal with the server and 'solve the problem', but the question remains: is it possible to hide from the who
command, and what is the carcvncgiw
process?
Note: thanks to the one who showed me that link; it seems I need to purge my server then.
UPDATE 2
Result of cat /proc/39259/cmdline
bash
Result of cat /proc/39259/environ
nSHLVL=0OLDPWD=/UPSTART_JOB=lokamedia-elasticTERM=linuxPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/binPWD=/var/www/elasticsearchNLSPATH=/usr/dt/lib/nls/msg/%L/%N.catXFILESEARCHPATH=/usr/dt/app-defaults/%L/Dt
Result of ls -lh /usr/bin/carcvncgiw
-rwxr-xr-x 1 root root 597K Mar 10 00:14 /usr/bin/carcvncgiw
Thank you.
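An added detection check, not part of the original question or any answer to it. Two points of context first: who reads the utmp login database, so it lists interactive terminal sessions only; a process started from an init job (the UPSTART_JOB=lokamedia-elastic entry in the environ output points that way) never appears there, whatever it does, so its absence from who is not evidence of concealment. The indicator worth acting on is the one the lsof and /proc output already shows: the process reports itself as bash in /proc/PID/cmdline while the executable mapped as its text segment is /usr/bin/carcvncgiw. The script below walks /proc and flags every process whose argv[0] does not match the binary behind /proc/PID/exe; the function names and the --scan flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): look for processes whose
# self-reported name (argv[0] in /proc/PID/cmdline) does not match the
# binary the kernel actually mapped as their executable (/proc/PID/exe).
# In the question, cmdline says "bash" while exe is /usr/bin/carcvncgiw.
# Function names and the "--scan" flag are this example's own choices.

# argv0_mismatch ARGV0 EXE_TARGET
# Returns success (0) when the basename of ARGV0 differs from the basename
# of EXE_TARGET. The kernel appends " (deleted)" to the exe link when the
# binary was unlinked after exec, so that suffix is stripped first.
argv0_mismatch() {
    argv0=${1##*/}
    exe=${2%" (deleted)"}
    exe=${exe##*/}
    [ -n "$argv0" ] && [ -n "$exe" ] && [ "$argv0" != "$exe" ]
}

# scan_proc
# Walks /proc and prints PID, argv[0] and exe target for every mismatch.
# Entries we cannot read (other users' exe links when not root, kernel
# threads with an empty cmdline, PIDs that exited mid-scan) are skipped.
scan_proc() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # cmdline is NUL-separated; the first field is argv[0]
        argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue
        if argv0_mismatch "$argv0" "$exe"; then
            printf '%s\t%s\t%s\n' "$pid" "$argv0" "$exe"
        fi
    done
}

# Only scan when run as "sh procname-check.sh --scan" (as root, so every
# exe link is readable); sourcing the file just defines the functions.
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

Expect some benign hits and review them by hand: shell scripts run through a symlinked interpreter (argv[0] sh, exe dash), multi-call binaries such as busybox, and daemons that rewrite their own argv[0] all trip the same check. A hit like the one in the question, where a root process named bash is backed by an unfamiliar binary, owns a UDP socket and runs from a web directory, is the kind that justifies treating the host as compromised, which is the conclusion the linked answer leads to.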