Score:0

Unknown process on CentOS 7 VPS "sysnetd" using lots of CPU

cn flag

So I can't seem to find any information ANYWHERE on what this process, "sysnetd", does. I've run LSOF etc. but nothing seems to provide any info I know what to do with. The /proc/pid folder also doesn't seem to provide any details (that I know what to do with). This is your standard LAMP Apache web/mail server.

What I do know is I have two totally separate VPS' with CentOS 7 and the process exists on both. However, only on one of them is it using 60-90% CPU at all times and...this is a new issue.

Any help?

lsof command results:

```
COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF       NODE NAME
sysnetd 1946 root  cwd    DIR 182,261649     4096       3361 /root
sysnetd 1946 root  rtd    DIR 182,261649     4096          2 /
sysnetd 1946 root  txt    REG 182,261649    34726     120806 /usr/sbin/sysnetd
sysnetd 1946 root  mem    REG 182,261649  2156592     107927 /usr/lib64/libc-2.17.so
sysnetd 1946 root  mem    REG 182,261649   163312     107920 /usr/lib64/ld-2.17.so
sysnetd 1946 root    0r  FIFO       0,10      0t0 3550041065 pipe
sysnetd 1946 root    1w  FIFO       0,10      0t0 3550041066 pipe
sysnetd 1946 root    2w  FIFO       0,10      0t0 3550041066 pipe
sysnetd 1946 root    3u   CHR        1,3      0t0 3550024220 /dev/null
sysnetd 1946 root    4u   CHR        1,3      0t0 3550024220 /dev/null
sysnetd 1946 root    5u   CHR        1,3      0t0 3550024220 /dev/null
```
user9517 avatar
cn flag
Try `yum provides /usr/sbin/sysnetd` to find out which package (if any) it belongs to.
in flag
There are methods to [find out which package a file belongs to](https://stackoverflow.com/questions/1133495/how-do-i-find-which-rpm-package-supplies-a-file-im-looking-for). If it doesn't belong to any package, and you didn't put it there, I'd [consider the server compromised](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server).
Score:0
us flag
Rob

If the executable was installed from a package:

```
rpm -qf /usr/sbin/sysnetd
```

and `rpm -qi` and `rpm -ql` on the resulting package name will provide info.

If it wasn't installed from a package, it may be something you installed manually or, in the worst case, something an intruder left behind.

If the executable is a script, you can simply open it with an editor and check what it does.

When it is a binary file, `strings /path/to/executable` is a quick method to show you the printable characters in that file. Often that will show, among others, the built-in help and error messages, which may explain what the executable does.

cn flag
Thank you for responding! So, I confirmed it is not from a package. It is a binary and the strings command of course pulls up all sorts of random stuff, but nothing that stands out (log files/help/etc). I am starting to suspect the host, and only the host, may have a clue what this is. I have messaged them in hopes they might know. I considered posting the results of the strings command, but it's extremely long and not sure it would be acceptable.
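
The checks from the answer above (package ownership with `rpm -qf`, then `strings` on the binary) can be combined into one read-only triage pass that also trims the long `strings` output the asker mentions. This is an added example, not code from the thread; the function names and the filter patterns are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only triage: inspects, never kills or deletes.

# Owning RPM package of a file, or "unowned", or "rpm-unavailable" on non-RPM hosts.
pkg_owner() (
    command -v rpm >/dev/null 2>&1 || { echo "rpm-unavailable"; exit 0; }
    owner=$(rpm -qf "$1" 2>/dev/null) && echo "$owner" || echo "unowned"
)

# Printable runs of 6+ characters: strings(1) if installed, otherwise a grep fallback.
printable_runs() (
    if command -v strings >/dev/null 2>&1; then
        strings -n 6 "$1"
    else
        LC_ALL=C grep -a -o -E '[[:print:]]{6,}' "$1"
    fi
)

# Cut long strings output down to lines that tend to explain a binary. The four
# patterns (URLs, IPv4 literals, absolute paths, tool invocations) are assumptions.
interesting_strings() (
    printable_runs "$1" | LC_ALL=C grep -E \
        -e '[a-z][a-z0-9+.-]*://' \
        -e '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        -e '^/(etc|tmp|var|dev|proc|root|home|usr)/' \
        -e '(^|[ /])(sh|bash|wget|curl|crontab) ' | sort -u
    exit 0
)

# Triage by PID. Reading /proc/PID/exe inspects the image that is actually running,
# even if the file on disk was replaced or deleted after launch.
triage_pid() (
    exe="/proc/$1/exe"
    [ -e "$exe" ] || { echo "no such pid: $1" >&2; exit 1; }
    path=$(readlink "$exe")
    echo "image:   $path"
    echo "sha256:  $(sha256sum "$exe" | cut -d' ' -f1)"
    echo "package: $(pkg_owner "${path% (deleted)}")"
    echo "strings of interest:"
    interesting_strings "$exe" | sed 's/^/  /'
)

# Usage: sh triage.sh <pid>   (run as root to read another user's process)
[ $# -eq 0 ] || triage_pid "$1"
```

Run with the PID from the `lsof` listing (1946 there). The SHA-256 gives a stable value to compare between the two servers or to hand to the hosting provider.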