How can I get more information than what top shows me about a process?

I currently have a process that displays as j and has the CPU running at +2400%. Searching for j yields no results.

Here's an example of the top output:

PID  USER  PR  NI    VIRT    RES    SHR S  %CPU %MEM   TIME+     COMMAND
1722 root  20   0 2118996  57076   1148 S  2488  0.2   43934:45  j

This is being run on CentOS Linux release 7.2.1511 (Core) using 2 x Intel Xeon E5-2660v3 with 2.60 GHz.

ls -l /proc/1722/exe gives me:

lrwxrwxrwx 1 root root 0 Mar  3 17:13 /proc/1722/exe -> /usr/games/j

ls -lH /proc/1722/exe gives me:

-rwxr-xr-x 1 root root 313496 Dec 29 09:58 /proc/1722/exe
chris85
  • @kemotep I know the CPU display can be above 100% (e.g. mine is at +2500 right now). I need to identify what the process is doing, or what it is. How can I get more information about it? – chris85 Mar 04 '18 at 21:58
  • Have you tried using ps? ps -p $PID should tell you a little more. You will need to update your post to include more information such as what your Operating System is, if reporting that you have 24+ cores is wrong, etc. – kemotep Mar 04 '18 at 22:09
  • @kemotep Yes, the ps -p showed almost the same info as top. 1722 ? 31-02:32:37 j I've updated the question. The server has 20 cores. – chris85 Mar 04 '18 at 22:16
  • What does ls -l /proc/1722/exe show? How about ls -lH /proc/1722/exe? – Stephen Kitt Mar 04 '18 at 22:18
  • For a start, /proc/1722/exe will point to the j executable. /proc/1722/cwd will point to the working directory of the process. /proc/1722/cmdline will give the full command line (as NULL-separated tokens). – user4556274 Mar 04 '18 at 22:19
  • @chris85, when you get requests for more information, please edit your question to include your response, rather than answering in comments. Is that the full output from your ls -l /proc/1722.exe? No symlink target -> ... ? – user4556274 Mar 04 '18 at 22:24
  • I read this question as being about what the process is, not the mechanics of using top or ps... – Stephen Kitt Mar 05 '18 at 19:03

1 Answer

According to VirSCAN, this is a miner, which is consistent with the CPU usage you’re seeing. Its presence might indicate that your system has been compromised, the other option being that its users aren’t trustworthy; in any case you should probably stop the system, image the disk if you want to keep evidence or if you need any of the data stored there, and re-install.

See How do I deal with a compromised server? on Server Fault.

Stephen Kitt
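
The /proc checks suggested in the comments (exe, cwd, cmdline), plus a hash of the running binary that can be looked up in a malware scanning service, collected in one read-only shell function. This is an added example, not part of the original question or answer; the function names and the PROC_ROOT variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only triage of one PID via /proc.
# PROC_ROOT is an assumption of this example so it can be pointed at a
# copied or constructed /proc tree; on a live system leave it unset.
PROC_ROOT="${PROC_ROOT:-/proc}"

# /proc/PID/cmdline stores argv as NUL-separated tokens; print them
# space-separated on one line.
decode_cmdline() {
    tr '\000' ' ' < "$1" | sed 's/ *$//'
}

# Print exe target, cwd, command line and SHA-256 of the running binary.
proc_triage() {
    pid="$1"
    dir="$PROC_ROOT/$pid"
    [ -d "$dir" ] || { echo "no such process: $pid" >&2; return 1; }

    exe=$(readlink "$dir/exe" 2>/dev/null) || exe="(unreadable)"
    cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd="(unreadable)"
    echo "pid:     $pid"
    echo "exe:     $exe"
    echo "cwd:     $cwd"
    echo "cmdline: $(decode_cmdline "$dir/cmdline" 2>/dev/null)"

    # On a real /proc the kernel appends " (deleted)" when the file was
    # unlinked after launch; the exe link still opens the running image.
    case "$exe" in
        *" (deleted)") echo "note:    binary was deleted from disk after start" ;;
    esac

    # Hash through the /proc link, not the path, so the result describes
    # the code that is actually running.
    if sum=$(sha256sum 2>/dev/null < "$dir/exe"); then
        echo "sha256:  ${sum%% *}"
    else
        echo "sha256:  (unreadable)"
    fi
}

# Run as a script: sh triage.sh 1722
if [ -n "${1:-}" ]; then proc_triage "$1"; fi
```

Run it as root so the exe and cwd links of other users' processes are readable, and save the output before stopping the system.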