A strange process called “watchbog” is hogging my entire CPU and I can't get rid of it [on hold]
This process that has come out of nowhere is hogging my CPU and I have no clue what it is or how to get rid of it. You can see in the image below what it's doing:
What is this process? How can I get rid of it?
Every time I kill the process, it spawns back up within a minute or less.
linux debian malware
put on hold as off-topic by JdeBP, ilkkachu, Sparhawk, GAD3R, RalfFriedl 2 days ago
This question appears to be off-topic. The users who voted to close gave this specific reason:
- "This question has been posted on multiple sites. Cross-posting is strongly discouraged; see the help center and community FAQ for more information." – JdeBP, ilkkachu, Sparhawk, GAD3R, RalfFriedl
1
Multi-posted at security.stackexchange.com/questions/199553 and stackoverflow.com/questions/53729222.
– JdeBP
2 days ago
1
Well I was told to post in security instead of stack overflow and then I realized it might make most sense here.
– Tony Friz
2 days ago
This is a virus. If this is on a production system somewhere, you need to initiate your disaster response plan if you have one. If not, take a forensic image of the server, spin down the machine and start over from scratch. Install from a known good image of the OS and use backups from an earlier date when this process was not present. Contact your local authorities and everyone relevant in your organization. User Michael Prokopec's advice is solid. From the other threads, those users have sound advice too. It is going to be easier to start from scratch than to save this one, to be honest.
– kemotep
2 days ago
2
sudhakarbellamkonda.blogspot.com/2018/11/…
– arochester
2 days ago
@kemotep So, this is just a test machine in a small office, and just a few weeks ago I literally started from scratch because of a virus doing the same thing under a different name. And now, same thing a few weeks later... What am I doing wrong? My root password is very secure and not possible to guess by any brute-force attempt. How is someone repeatedly installing malware on my machine? I don't have the experience for this...
– Tony Friz
2 days ago
asked 2 days ago
Tony Friz
1 Answer
Looks like you have a virus or worm of some kind. Can't find anything about it on the web, so you might have close to the first case. It is trying to masquerade as watchdog, which is an anti-virus and anti-malware process. So I would call a major antivirus company and make them aware, and send them a copy. Do the same for your distro's watchdog maintainer; this can be found in the package information for watchdog. The only thing I can suggest to try to remove this is to check all of your startup lists and check for changes. Look for the process script, like: whereis watchbog. If it gives you the location of the binary, write it down. Boot to a live CD/USB, then find that file on your disk and remove it. Also look through your startups again, and turn your firewall on and set it to block outgoing temporarily; look to see if your system is trying to redownload it after removal. If it is, there is a hidden process that is making sure you stay infected. Either track it down and remove it, or get the files you need off, quarantine them and scan them; make sure none of them have the execute bit set unless you know what they do. Then DBAN the drive and reinstall, and then use ClamAV, chkrootkit and rkhunter. You must either set up the ClamAV daemon or run it manually like the others to maintain a clean system. Good luck...
answered 2 days ago
Michael Prokopec
Whoa boy... OK, thanks for the elaborate reply. I will look into this as best I can (I'm not terribly familiar with Linux but might be enough).
– Tony Friz
2 days ago
1
Just to mention, watchbog is in /bin/watchbog but when I delete it, it reappears a bit later.
– Tony Friz
2 days ago
Looks like it is trying to reinstall itself. Try to make a file with that name before it comes back, or write a script to mv that file to watchdog.bak and your file to its place; that may cripple the infection because the file then already exists. Make sure your version is read-only after the move.
– Michael Prokopec
2 days ago
I've created my own watchbog file under root permissions and it seems to have accomplished what you said it might. Thank you for that. So at the very least the virus is being temporarily kept at bay.
– Tony Friz
2 days ago
I hope you can find a permanent fix soon.
– Michael Prokopec
2 days ago
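As an added example (not code from the question or the answer), a POSIX shell version of the containment step Michael Prokopec describes in the comments: instead of deleting the reappearing /bin/watchbog, move it into a quarantine directory with its hash recorded and its execute bit stripped, and leave a read-only placeholder at the path. The quarantine directory /var/quarantine, the marker text and the polling loop are assumptions of this example.

```shell
#!/bin/sh
# Containment helper for a binary that keeps reappearing at a fixed path
# (here /bin/watchbog). Instead of deleting the file, it is moved into a
# quarantine directory, hashed for the incident notes and stripped of its
# execute bit, and a read-only placeholder is left in its place so a
# re-dropped copy has to get past an existing file. The quarantine directory
# and marker text below are constructed for this example.

PLACEHOLDER_MARKER='watchbog-placeholder: quarantined copy in /var/quarantine, see incident notes'

hash_file() {
    # coreutils sha256sum on Linux, shasum on systems that lack it
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# is_placeholder FILE -> 0 when FILE is the placeholder written by this script
is_placeholder() {
    [ -f "$1" ] && grep -q "$PLACEHOLDER_MARKER" "$1" 2>/dev/null
}

# quarantine_if_present TARGET QDIR
#   returns 0 if a foreign file was quarantined and replaced by the placeholder,
#   1 if there was nothing to do (path absent or already our placeholder),
#   2 on a filesystem error
quarantine_if_present() {
    target=$1; qdir=$2
    [ -e "$target" ] || return 1
    is_placeholder "$target" && return 1
    mkdir -p "$qdir" || return 2
    base="$qdir/$(basename "$target").$(date -u +%Y%m%dT%H%M%SZ)"
    dest="$base.quarantined"; n=0
    # several drops within one second must not overwrite each other
    while [ -e "$dest" ]; do n=$((n + 1)); dest="$base.$n.quarantined"; done
    # Evidence first: hash and metadata of the sample before it is touched.
    {
        hash_file "$target" || echo "hash unavailable for $target"
        ls -l "$target"
        echo "moved to $dest"
    } >> "$qdir/manifest.txt"
    mv "$target" "$dest" || return 2
    chmod 0400 "$dest"        # keep the sample for analysis, never executable
    printf '%s\n' "$PLACEHOLDER_MARKER" > "$target" || return 2
    chmod 0444 "$target"      # read-only placeholder; as root, chattr +i adds immutability
    return 0
}

# watch_loop TARGET QDIR INTERVAL ROUNDS -> prints how many times the file came back
watch_loop() {
    target=$1; qdir=$2; interval=$3; rounds=$4; hits=0
    while [ "$rounds" -gt 0 ]; do
        if quarantine_if_present "$target" "$qdir"; then
            hits=$((hits + 1))
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) quarantined $target (hit $hits)" >&2
        fi
        rounds=$((rounds - 1))
        if [ "$rounds" -gt 0 ]; then sleep "$interval"; fi
    done
    echo "$hits"
}

# Real use, as root, polling every 5 seconds for an hour:
#   watch_loop /bin/watchbog /var/quarantine 5 720
```

This contains the symptom and preserves a sample for the antivirus vendor the answer mentions; the process that keeps re-dropping the file still has to be identified, and the answer's wipe-and-reinstall advice stands.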