
I can't understand why root user take huge CPU load, since there is no special processes running.

top -c

(screenshot of the "top -c" output, not reproduced here)

Hasitha

1 Answer


If your company has a breach response process, I would invoke that now.

Otherwise:

This looks potentially malicious, I would recommend looking at it closer in /proc.

With a root-privileged shell (via su or sudo -s), change into the directory /proc/{pid}, replacing {pid} with the pid shown by top, 30530 in this case.

There are many things to look at to get a clue about this process, here are a few:

exe     : link to the executable that started this process.   # readlink -f exe
cmdline : command line that started this process.              # cat cmdline | tr '\0' '\n'
environ : environment variables in this process.               # cat environ | tr '\0' '\n'
fd      : directory of links to open files and sockets.        # ls -l fd

Unless you can find a reason it's legitimate, I'd kill it via kill -9 {pid} and investigate as a potential breach.

virullius
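The /proc walk described in the answer, collected into one script so the evidence is captured in a single pass before the process is killed. This is an added example, not code from the answer above; it assumes a Linux procfs, that it is run as root (otherwise exe, environ and fd of another user's process are unreadable), and that the process from top is 30530. The function names (nul_to_lines, inspect_pid, proc_sockets) are this example's own.

```shell
#!/bin/sh
# Added example: triage an unexplained process through /proc/<pid>.
# Assumes Linux and a root shell; the pid 30530 is taken from the question.
set -u

# cmdline and environ are NUL-separated; turn them into one entry per line.
nul_to_lines() {
    tr '\0' '\n'
}

# List the socket inodes the process holds open (fd entries look like
# "socket:[12345]"); the inode numbers can be matched against "ss -p".
proc_sockets() {
    pid=$1
    ls -l "/proc/$pid/fd" 2>/dev/null | grep -o 'socket:\[[0-9]*\]' | sort -u
}

# Dump what /proc knows about a pid. Returns 1 if the pid does not exist.
inspect_pid() {
    pid=$1
    d=/proc/$pid
    [ -d "$d" ] || { echo "no such process: $pid" >&2; return 1; }

    printf '== exe ==\n'
    # A target ending in " (deleted)" means the binary was removed after it
    # started; a common sign of a dropper that cleans up after itself.
    readlink "$d/exe" 2>/dev/null || printf '(unreadable: permission denied?)\n'

    printf '== cwd ==\n'
    readlink "$d/cwd" 2>/dev/null

    printf '== cmdline ==\n'
    nul_to_lines < "$d/cmdline"; printf '\n'

    printf '== environ ==\n'
    nul_to_lines < "$d/environ" 2>/dev/null

    printf '== status (selected) ==\n'
    grep -E '^(Name|State|PPid|Uid|Gid|Threads):' "$d/status"

    printf '== open files and sockets ==\n'
    ls -l "$d/fd" 2>/dev/null

    printf '== socket inodes ==\n'
    proc_sockets "$pid"
}

# Usage: sh triage.sh 30530 > /root/proc-30530.txt   (save the output, then kill)
if [ $# -gt 0 ]; then
    inspect_pid "$1"
fi
```

Redirect the output to a file before running kill -9; once the process is gone, /proc/{pid} disappears with it, and the exe target, environment and open sockets are the pieces an incident responder will ask for. The PPid line from status is worth a second look as well: a root process whose parent is a web server or cron job tells a different story from one started from an interactive shell.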