I've found the process [sync_supers] running twice, each instance using 100% of CPU.

[image: capture of htop]

It was triggered by the user `share`, which is a user for accessing a shared folder used by Samba users. The user `share` has access only to `/home/share`.

lucas@arturito:~$ cat /etc/passwd | grep share
share:x:1002:1002:Share,,,:/home/share:/bin/bash
tomcat7:x:115:125::/usr/share/tomcat7:/bin/false

I've never seen that process before and as per the stats I got from Munin, it's been running for an hour or so.

[image: munin stats]

What's the sync_supers process? Is my box compromised?

I've run chkrootkit, rkhunter and debsums and everything seems to be ok ...

I'm running:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty

Linux arturito 3.13.0-100-generic #147-Ubuntu SMP Tue Oct 18 16:48:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I killed both the processes and they went away.

I'm kind of concerned about this. Is there anything else that I should do/check?

Thanks!

Lucas

Lucas Aimaretto
  • https://serverfault.com/questions/643892/high-cpu-load-on-centos-with-process-sync-supers , quote `The real sync_supers is a kernel thread that does almost nothing. Your system has almost certainly been compromised.` – 123 Jun 21 '17 at 19:55
  • Hi @123. I've read that post. How can I prove that the system has certainly been compromised? As per the post the `[sync_supers]` process has been run by the user `nobody`. The situation is different in my case ... Also, below in that same post, you read: `This "sync_supe" overloading CPU is an Apache (user "nobody") running a bitcoins mill, hard work and use of the resources. The system might have been compromised via 1.3 Apache and Linux kernel <2.6.25`. Is not my case either. Do you have any references that I could read about? Thanks. – Lucas Aimaretto Jun 22 '17 at 14:03
  • I probably know as much as you pal, only looked it up because I'd never heard of `[sync_supers]` before and was interested as to what it was, just thought I may as well link that as it seemed relevant. – 123 Jun 22 '17 at 15:58
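
The quoted comment says the real sync_supers is a kernel thread; the following is an added example, not part of the original thread, of how to tell a genuine kernel thread from a userland process that only displays a bracketed name. It relies on kernel threads having kthreadd (PID 2) as parent, UID 0, no `VmSize` line in `/proc/PID/status` and an empty `/proc/PID/cmdline`; the function names and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. The proc-root argument lets the checks run on a copied /proc tree.

status_field() {   # status_field <status-file> <key>: first value after "key:"
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# classify_pid <pid> [proc-root]: prints "kernel-thread" or "userland: <reasons>"
classify_pid() {
    pid=$1; root=${2:-/proc}; dir="$root/$pid"
    [ -r "$dir/status" ] || { echo "gone"; return 2; }
    ppid=$(status_field "$dir/status" PPid)
    uid=$(status_field "$dir/status" Uid)      # first Uid column = real UID
    reasons=""
    # Kernel threads are kthreadd (PID 2) itself or its children.
    [ "$pid" = 2 ] || [ "$ppid" = 2 ] || reasons="$reasons ppid=$ppid"
    # Kernel threads run as root.
    [ "$uid" = 0 ] || reasons="$reasons uid=$uid"
    # Kernel threads have no user address space, so status has no VmSize line.
    grep -q '^VmSize:' "$dir/status" && reasons="$reasons has-user-memory"
    # Kernel threads have an empty cmdline; ps adds the brackets itself.
    [ -n "$(tr -d '\000' 2>/dev/null < "$dir/cmdline")" ] && reasons="$reasons has-cmdline"
    [ -z "$reasons" ] && { echo "kernel-thread"; return 0; }
    echo "userland:$reasons"; return 1
}

# find_fake_kthreads [proc-root]: list processes whose own argv[0] is "[...]".
find_fake_kthreads() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        arg0=$(tr '\000' '\n' 2>/dev/null < "$d/cmdline" | head -n 1)
        case $arg0 in
            "["*"]") p=${d##*/}; echo "$p $arg0 $(classify_pid "$p" "$root")" ;;
        esac
    done
}
```

Run `find_fake_kthreads` as root on the live host; each line it prints is a userland process whose own command line starts with a bracketed name, and its `/proc/PID/exe` link and owner are the next things to look at.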
