Massive Load Caused By Smartvd


Hey all,

I noticed that my puppet server running CentOS 6.5 was acting a little pokey.

So I logged in and did what, well, just about anyone would’ve done, and ran the uptime command to have a look at the load. And it was astonishingly high!

[root@puppet:~] #uptime
21:28:01 up 1:26, 3 users, load average: 107.37, 72.06, 75.52

So then I had a look at top and saw a LOT of processes by the name of smartvd.

7332 root 20 0 423m 1808 0 S 5.6 0.1 0:49.30 smarvtd
5469 root 20 0 423m 1804 0 S 4.6 0.1 0:49.55 smarvtd
2042 root 20 0 423m 1804 0 S 3.7 0.1 0:49.66 smarvtd
2421 root 20 0 423m 1808 0 S 3.7 0.1 0:47.62 smarvtd
3081 root 20 0 423m 1808 0 S 3.7 0.1 0:47.08 smarvtd
3366 root 20 0 423m 1804 0 S 3.7 0.1 0:47.87 smarvtd
3568 root 20 0 423m 1808 0 S 3.7 0.1 0:48.94 smarvtd
3971 root 20 0 423m 1812 0 S 3.7 0.1 0:49.18 smarvtd
4264 root 20 0 423m 1812 0 S 3.7 0.1 0:48.33 smarvtd
4585 root 20 0 423m 1812 0 S 3.7 0.1 0:48.44 smarvtd
5277 root 20 0 423m 1808 0 S 3.7 0.1 0:48.13 smarvtd
6160 root 20 0 423m 1812 0 S 3.7 0.1 0:49.33 smarvtd
6441 root 20 0 423m 1808 0 S 3.7 0.1 0:48.17 smarvtd
6746 root 20 0 423m 1804 0 S 3.7 0.1 0:49.60 smarvtd
7612 root 20 0 423m 1812 0 S 3.7 0.1 0:48.97 smarvtd
7919 root 20 0 423m 1808 0 S 3.7 0.1 0:47.33 smarvtd
8202 root 20 0 423m 1812 0 S 3.7 0.1 0:49.67 smarvtd
26526 root 20 0 423m 1812 0 S 3.7 0.1 1:22.17 whitptabil
2747 root 20 0 423m 1812 0 S 2.8 0.1 0:48.41 smarvtd
4952 root 20 0 423m 1812 0 S 2.8 0.1 0:48.43 smarvtd
5878 root 20 0 423m 1808 0 S 2.8 0.1 0:48.02 smarvtd
7048 root 20 0 423m 1808 0 S 2.8 0.1 0:48.51 smarvtd

So my question to you is what the HELL is smartvd ? Seems like a virus to me. And of course how do I get rid of it?

Also curious what whitptabil is and how to get rid of it.

I tried doing a search for both:

[root@puppet:~] #rpm -qa | grep smartvd
[root@puppet:~] #

[root@puppet:~] #find / -name smartvd
[root@puppet:~] #

[root@puppet:~] #rpm -qa | grep whitptabil
[root@puppet:~] #find / -name whitptabil
/etc/whitptabil
[root@puppet:~] #

At least I found a file associated with the latter.

Really really curious here, guys. What do y’all think???

Thanks,
Tim

7 thoughts on - Massive Load Caused By Smartvd

  • A quick Google for “smarvtd” returns results for both smarvtd and whitptabil, and they appear to be potential malware. Does a ps faux | grep smarvtd return a full path to the file that is running? How about top -c?


  • Also please note the spelling of the first process. It appears your last grep was for “smartvd” when it is actually “smarvtd”.


  • On 04.10.2014 at 03:34, Tim Dunphy wrote:

    [ … ]

    Take the system off. Save the content for later forensics and then reinstall the system from scratch. What’s running is malware:

    http://v.virscan.org/Backdoor.Linux.Mayday.f.html

    It is typical for such backdoors to camouflage as programs with a known name: whitptabil versus whiptail and smarvtd versus smartd.

    Alexander

  • Yeah, it does..

    [root@puppet:~] #ps faux | grep smarvtd
    root 18194 0.0 0.0 103244 836 pts/2 S+ 11:05 0:00 | \_ grep smarvtd
    root 28855 0.0 0.1 433824 1688 ? Ssl Oct03 0:15 /tmp/smarvtd
    root 5923 0.0 0.1 433824 1684 ? Ssl Oct03 0:12 /tmp/smarvtd
    root 13621 0.0 0.1 433824 1680 ? Ssl 00:00 0:11 /tmp/smarvtd
    root 6097 0.0 0.1 433824 1680 ? Ssl 01:00 0:09 /tmp/smarvtd
    root 1462 0.0 0.1 433824 1684 ? Ssl 02:00 0:08 /tmp/smarvtd
    root 23182 0.0 0.1 433824 1684 ? Ssl 03:00 0:08 /tmp/smarvtd
    root 18879 0.0 0.1 433824 1688 ? Ssl 04:00 0:06 /tmp/smarvtd
    root 11139 0.0 0.1 433824 1688 ? Ssl 05:00 0:05 /tmp/smarvtd
    root 11167 0.0 0.1 433824 1688 ? Ssl 06:00 0:04 /tmp/smarvtd
    root 16443 0.0 0.1 433824 1680 ? Ssl 07:00 0:03 /tmp/smarvtd
    root 15361 0.0 0.1 433824 1680 ? Ssl 08:00 0:02 /tmp/smarvtd
    root 13379 0.0 0.1 433824 1680 ? Ssl 09:00 0:01 /tmp/smarvtd
    root 11599 0.0 0.1 433824 1684 ? Ssl 10:00 0:00 /tmp/smarvtd
    root 12731 0.0 0.1 433824 1684 ? Ssl 11:00 0:00 /tmp/smarvtd

    Thanks for the tip, I’ll have to remember that!

    I think I’ll image this machine for later study. Then wipe it and start again!
    Thanks


    GPG me!!

    gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
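The check the replies above arrive at by hand (ps output revealing a daemon running out of /tmp), written up as a reusable triage script. This is an added example, not code from the thread: it flags any process whose executable lives in a world-writable scratch directory, both from ps text and from /proc/<pid>/exe, which still names the binary even if it has since been deleted from disk (so a `find / -name` that comes back empty is not proof of absence). The ps sample below is constructed, not captured from Tim's host.

```shell
#!/bin/sh
# Added example (not from the thread). Flags processes whose binary lives in a
# scratch directory such as /tmp, /var/tmp or /dev/shm, the pattern that
# exposed /tmp/smarvtd above.

# Reads `ps -eo pid,user,args` text on stdin; prints "pid user path" for each
# process whose executable path ($3, the first token of args) is in a scratch dir.
flag_scratch_procs() {
    awk 'NR > 1 && $3 ~ "^(/tmp|/var/tmp|/dev/shm)/" { print $1, $2, $3 }'
}

# Live variant for the current host (not run here): resolve /proc/<pid>/exe,
# which is set by the kernel and survives argv[0] renaming and deletion of the
# file (readlink then appends " (deleted)", which the prefix match still catches).
check_proc_exe() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Constructed sample of `ps -eo pid,user,args` output; names and paths are
# made up for illustration, except smarvtd which the thread found in /tmp.
SAMPLE_PS='  PID USER     COMMAND
    1 root     /sbin/init
 1234 root     /usr/sbin/smartd -q never
28855 root     /tmp/smarvtd
 5923 root     /tmp/smarvtd
26526 root     /var/tmp/updater
 4321 tim      -bash'

# Usage on a real system: ps -eo pid,user,args | flag_scratch_procs ; check_proc_exe
printf '%s\n' "$SAMPLE_PS" | flag_scratch_procs
```

Run on a live host the two functions should agree; a process that shows up only under check_proc_exe has an argv[0] that lies about where its binary came from.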

  • Since this was your puppet server, you might also want to check to see if the intrusion has spread to your other machines, it’s possible the attacker didn’t notice or that the attack was fully automated, but you should read through the puppet configs and see if there are any commands being distributed to the other machines that you didn’t put there. You don’t want to play whack-a-mole chasing this out of your system, you want to get it all in one shot.

  • Thanks, I’m doing this now!

    Tim


    GPG me!!

    gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

  • The thing is… you need to find how it got in and patch, otherwise it will be back on your brand new server…

    JD