Apache process con.shs using 100% load on CentOS. What is it?
As a bit of background, it seems that our server got infected with something and is being used to open a ton of TCP connections over a large range if IPs. I'm halfway through trying to track down how our server got infected now; my tale of woe has been outlined at 398639 for anyone who wants some additional information.
The current issue is I've found an Apache command "con.shs" that is routinely taking up 100% of our CPU (it's definitely possible it's related to our server compromise).
My question is if anyone knew what "con.shs" is and why it's running at 100%? No Google search has returned anything that might help.
We're running Centos 5.7 Final, and Apache 2.2.3 (with PHP and MySQL).
con.shs
could just be a random name the malware picks. Have you tried inspecting the process?
Use pgrep con.shs
to find the list of PIDs and inspect the /proc/<pid>/
directory - look at details such as exe
(what the executable is - unfortunately, they delete it sometimes) and perhaps cwd
(what the working directory of the script is - in my experience, they don't bother running it from somewhere like /tmp). Other files in there will be useful too, such as cmdline
.
This should help you track it down, see what it's doing, and prevent it from coming back.