Antsle Forum


python process under backup user

So today I noticed on my Antsle "python" running (no parameters I can see) under the user "backup" (which I don't recall creating).

It is using 6 of my 16 CPUs according to top (all 6 pegged at 100%)
I'm not doing a backup at this time (via Antman).

Anyone else see something like this?

If I kill it, it starts up immediately.

If I restart the Antsle it starts up immediately.

I su'd to the backup user and can't tell how it's starting.

It is weird that under backup's home dir there's this dir: /home/backup/.ssh/.python

That contains 1 file ".python" that is some kind of binary or something (vi'ing it shows gibberish, but does start with "ELF" at the beginning).

Anyone else see this?

This is on an Antsle One XD
OK so maybe I created the backup user... (can't actually remember).

Maybe I got hacked somehow... My ssh server is accessible via the internet (I left it on port 22 since it's not hard to scan ports to find non-standard ones). But maybe I had an easy password for the backup user?

Anywho, I disabled the backup user (commented out its line in /etc/passwd) and killed the python process.

It hasn't come back.

Security lesson #347

I think I'll remove ssh-ability from all users and rely on keys.
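A triage script a defender could run on the Antsle (or any Linux host) after seeing the symptoms above: it looks for hidden ELF binaries stashed under any user's .ssh directory, like the /home/backup/.ssh/.python/.python file from the post, and reports whether sshd still accepts passwords. This is an added example, not code from the thread or from Antsle; the /home and /etc/ssh/sshd_config defaults are assumptions.

```shell
#!/bin/sh
# Added triage example (not from the thread, not Antsle's own code).
# Checks the two things the poster ran into: a hidden ELF binary under some
# user's ~/.ssh directory, and an sshd that still accepts passwords.

# Print the path of every dot-file under any .ssh directory below $1 whose
# first four bytes are the ELF magic (7f 45 4c 46). Prints nothing when clean.
find_hidden_elf_in_ssh() {
    find "$1" -path '*/.ssh/*' -name '.*' -type f 2>/dev/null |
    while IFS= read -r f; do
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Report the effective PasswordAuthentication value in an sshd_config file.
# sshd honours the first uncommented directive; when none is present the
# OpenSSH default is "yes". (Directives inside Match blocks are not treated
# specially here, so review those by hand.)
sshd_password_auth() {
    v=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# Interactive use: ./triage.sh scan [ROOT] [SSHD_CONFIG]
if [ "${1:-}" = "scan" ]; then
    root=${2:-/home}                     # assumed location of home directories
    cfg=${3:-/etc/ssh/sshd_config}       # assumed OpenSSH config path
    hits=$(find_hidden_elf_in_ssh "$root")
    if [ -n "$hits" ]; then
        echo "Hidden ELF binaries under .ssh directories:"
        echo "$hits"
    else
        echo "No hidden ELF binaries found under $root"
    fi
    echo "PasswordAuthentication: $(sshd_password_auth "$cfg")"
fi
```

Run it as `sh triage.sh scan` on the host; a hardened sshd_config should report `PasswordAuthentication: no` and the first check should print nothing.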

@lancem I ran this by one of our devs and he thinks it's possible you did get hacked if you left that port open.

Yes.  After this happened, I restricted my logins to ssh keys only.
Thanks