Apache process con.shs using 100% load on CentOS. What is it?

As a bit of background, it seems that our server got infected with something and is being used to open a ton of TCP connections over a large range of IPs. I'm halfway through trying to track down how our server got infected now; my tale of woe has been outlined at 398639 for anyone who wants some additional information.

The current issue is I've found an Apache command "con.shs" that is routinely taking up 100% of our CPU (it's definitely possible it's related to our server compromise).

My question is if anyone knew what "con.shs" is and why it's running at 100%? No Google search has returned anything that might help.

We're running CentOS 5.7 Final, and Apache 2.2.3 (with PHP and MySQL).


con.shs could just be a random name the malware picks. Have you tried inspecting the process?

Use pgrep con.shs to find the list of PIDs and inspect the /proc/<pid>/ directory - look at details such as exe (what the executable is - unfortunately, they delete it sometimes) and perhaps cwd (what the working directory of the script is - in my experience, they don't bother running it from somewhere like /tmp). Other files in there will be useful too, such as cmdline.

This should help you track it down, see what it's doing, and prevent it from coming back.
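
The /proc inspection described in the answer above, collected into one shell helper. This is an added example, not part of the original answer; the function name inspect_pid and its optional second argument (an alternate proc root, used for testing or for a copied /proc tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise exe, cwd and cmdline for a suspicious process.
# inspect_pid and the PROC_ROOT argument are hypothetical names, not a standard tool.

# inspect_pid PID [PROC_ROOT]
inspect_pid() {
    pid=$1
    root=${2:-/proc}
    dir="$root/$pid"

    # The process may exit between pgrep and the read; report it and move on.
    [ -d "$dir" ] || { echo "pid=$pid status=gone"; return 1; }

    # exe and cwd are symlinks; readlink fails without sufficient privileges.
    exe=$(readlink "$dir/exe" 2>/dev/null) || exe="unreadable"
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd="unreadable"

    # cmdline is NUL-separated; convert the separators to spaces.
    cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | sed 's/ *$//')

    echo "pid=$pid"
    echo "exe=$exe"
    echo "cwd=$cwd"
    echo "cmdline=$cmd"

    # The kernel appends " (deleted)" when the binary was unlinked after launch.
    # The inode stays alive while the process runs, so the file can still be
    # copied out of $dir/exe for analysis before the process is killed.
    case $exe in
        *" (deleted)") echo "note=exe-deleted" ;;
    esac
}

# Usage: sh inspect.sh con.shs   (run as root to read other users' entries)
if [ $# -gt 0 ]; then
    for pid in $(pgrep "$1"); do
        inspect_pid "$pid" || true
        echo
    done
fi
```

Compare the reported cmdline with exe: a process whose name does not match the binary it was started from has usually rewritten its own argv.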