Ubuntu – Linux ps aux results – weird processes


Of late I've noticed multiple processes that arise looking like this. They multiply every minute, I think. I know they're using memory but I don't know what's causing them to appear in the first place.

How can I resolve this and stop them from reappearing again?

www-data  2382  3.0  2.4  91924 12092 pts/1    Sl+  13:18   1:37 ./hlds_i686 -game cstrike +ip +maxplayers 32 +map de
www-data  2391  0.0  0.0  23748   464 ?        Ss   13:18   0:00 SCREEN -d -m ./hlds_run -game cstrike +ip +maxplayer
www-data  2392  0.0  0.0   4008   496 pts/2    Ss+  13:18   0:00 /bin/sh ./hlds_run -game cstrike +ip +maxplayers 32

Best Answer

hlds is the Half Life dedicated server. A server for hosting games.

If you didn't install it, somebody has hacked your server. They are running games off your hosting, using your CPU allotment and bandwidth. Take a backup immediately and talk to your host about fixing this (changing your FTP password may not be enough if they broke in via a dodgy script you're hosting).

Before you restore a backup, make sure as far as you can that everything is updated for the same reason as above. You don't want to let these people back in.

Edit: You might want to be more forensic about this. The person who launched the games appears to have SSHed in at some point (to start the screen process and then hlds) so see if they're still active in a session by running who. If you can see somebody there with an IP not yours, consider talking to your local law enforcement.

Do this after making a backup but before you tell the host. The police will need logs and maybe access - they'll get neither if the host has already nuked everything and backups may not be substantial enough evidence.

Be aware that you may have obligations to close the hole ASAP if you're under contract with the host and/or third parties (PCI-DSS boards) so make sure you're legally able to play the waiting game before you consider it.

If you find an IP address of an attacking party, and you have other logs (web logs, etc.), scan those for their IP. You might get really lucky and find the point of intrusion. It's very rare you'll ever get that lucky, but every so often the stars line up and you get a really lazy script kiddie :)
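
The two checks described in the answer above (looking in `who` for a session from an address that is not yours, then scanning web logs for that address), sketched as an added example that is not part of the original answer. The `who` output, the access log lines, the addresses (documentation ranges) and the request paths are all constructed, and the log is assumed to be in Apache combined format.

```python
import re
from datetime import datetime
# Constructed sample of `who` output; addresses are documentation-range placeholders.
WHO_OUTPUT = """\
admin    tty1         2012-03-04 09:02
admin    pts/0        2012-03-04 12:55 (198.51.100.7)
www-data pts/1        2012-03-04 13:17 (203.0.113.45)
www-data pts/2        2012-03-04 13:18 (:pts/1:S.0)
"""
# Constructed access log (Apache combined format assumed), deliberately out of order.
ACCESS_LOG = """\
203.0.113.45 - - [04/Mar/2012:12:43:19 +0000] "POST /example-script.php HTTP/1.1" 200 87 "-" "-"
198.51.100.7 - - [04/Mar/2012:12:50:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "-"
203.0.113.4 - - [04/Mar/2012:12:42:00 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "-"
203.0.113.45 - - [04/Mar/2012:12:41:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "-"
"""

WHO_RE = re.compile(r"^(\S+)\s+(\S+)\s+.*\((.+)\)\s*$")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def remote_sessions(who_text):
    """Return (user, tty, host) for logins that came from a remote host."""
    sessions = []
    for line in who_text.splitlines():
        m = WHO_RE.match(line)
        # Hosts starting with ':' are local X displays or screen windows, not remote.
        if m and not m.group(3).startswith(":"):
            sessions.append(m.groups())
    return sessions

def unknown_hosts(sessions, known):
    """Hosts with a live session that are not on the admin's own list."""
    return sorted({host for _, _, host in sessions if host not in known})

def requests_from(log_text, ip):
    """Chronological (time, method, path, status) for one client address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Compare the whole client field so 203.0.113.4 never matches 203.0.113.45.
        if m and m.group(1) == ip:
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((when, m.group(3), m.group(4), int(m.group(5))))
    return sorted(hits)

if __name__ == "__main__":
    for host in unknown_hosts(remote_sessions(WHO_OUTPUT), known={"198.51.100.7"}):
        for when, method, path, status in requests_from(ACCESS_LOG, host):
            print(host, when.isoformat(), method, path, status)
```

Run it against copies of the logs taken with the backup, so the originals stay untouched as evidence.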