-1

Looking through my processes I discovered this:

    ps -ef | grep erts
    ntop 13527 13469 0 09:41 ? 00:01:01 /usr/lib/erlang/erts-7.3/bin/beam.smp -W w -A 64 -P 1048576 -K true -B i -- -root /usr/lib/erlang -progname erl -- -home /var/lib/rabbitmq -- -pa /usr/lib/rabbitmq/lib/rabbitmq_server-3.5.7/sbin/../ebin -noshell -noinput -s rabbit boot -sname rabbit@5757ed3c6dfe -boot start_sasl -kernel inet_default_connect_options [{nodelay,true}] -sasl errlog_type error -sasl sasl_error_logger false -rabbit error_logger {file,"/var/log/rabbitmq/rabbit@5757ed3c6dfe.log"} -rabbit sasl_error_logger {file,"/var/log/rabbitmq/rabbit@5757ed3c6dfe-sasl.log"} -rabbit enabled_plugins_file "/etc/rabbitmq/enabled_plugins" -rabbit plugins_dir "/usr/lib/rabbitmq/lib/rabbitmq_server-3.5.7/sbin/../plugins" -rabbit plugins_expand_dir "/var/lib/rabbitmq/mnesia/rabbit@5757ed3c6dfe-plugins-expand" -os_mon start_cpu_sup false -os_mon start_disksup false -os_mon start_memsup false -mnesia dir "/var/lib/rabbitmq/mnesia/rabbit@5757ed3c6dfe" -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672

These folders from the command do not exist:

  • /usr/lib/erlang/erts-7.3
  • /var/lib/rabbitmq/
  • /etc/rabbitmq
  • /var/log/rabbitmq

dpkg -l and apt do not show any installed package for erlang or rabbitmq.

On top, the user ntop is the owner of that process? It is also not installed.

So my biggest concern is that the computer got compromised. Any idea what that all is about?

System Information: Ubuntu 18.04.2 LTS HWE kernel samba / nfs / apache / mariadb / php7.2-fpm / nextcloud / openhab2 / docker


Edit: appending the requested info:

apt-cache --installed rdepends erlang
erlang
Reverse Depends:

so nothing ...

vi history.log does not show any erlang things, despite my desperate "install and remove try" from today. But it installed a far newer erlang version (9.3 I think).

Start-Date: 2019-06-27  13:18:37
Commandline: apt install erlang-base
Requested-By: andre (1000)
Install: libsctp1:amd64 (1.0.17+dfsg-2, automatic), erlang-base:amd64 (1:20.2.2+dfsg-1ubuntu2), erlang-syntax-tools:amd64 (1:20.2.2+dfsg-1ubuntu2, automatic), erlang-crypto:amd64 (1:20.2.2+dfsg-1ubuntu2, automatic)
End-Date: 2019-06-27  13:18:43

Start-Date: 2019-06-27  13:20:23
Commandline: apt remove erlang-base
Requested-By: andre (1000)
Install: erlang-base-hipe:amd64 (1:20.2.2+dfsg-1ubuntu2, automatic)
Remove: erlang-base:amd64 (1:20.2.2+dfsg-1ubuntu2), erlang-crypto:amd64 (1:20.2.2+dfsg-1ubuntu2)
End-Date: 2019-06-27  13:20:29
wuppi
  • 219

1 Answer

0

Ok this is fairly simple. Processes run by a docker container show up in the host process list. Also all paths which could not be found do exist within the docker container.

See here: https://stackoverflow.com/questions/26659129/docker-processes-shown-on-host-process-list

To sum it up: running foreign Docker containers (onlyoffice / collabora) produces my results.

I know this was not a very good "question", rather a personal problem. But maybe someone runs into the same issues and finds the answer here.

wuppi
  • 219
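The check described in the answer can be done per PID by reading `/proc/<pid>/cgroup`. The script below is an added example, not part of the original post; the function names and the sample cgroup lines in its comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a host PID belongs to a Docker container.
#
# Constructed sample lines from /proc/<pid>/cgroup (<id> = 64 hex chars):
#   cgroup v1:       12:pids:/docker/<id>
#   systemd driver:  0::/system.slice/docker-<id>.scope

# Print the 64-hex container ID found in a cgroup file, or nothing.
container_id_from_cgroup() {
    # $1: path to a cgroup file (normally /proc/<pid>/cgroup)
    sed -nE 's#.*(/docker/|docker-)([0-9a-f]{64}).*#\2#p' "$1" 2>/dev/null \
        | head -n 1
}

# Report the container for a PID; returns 1 when no Docker cgroup is found.
triage_pid() {
    pid=$1
    id=$(container_id_from_cgroup "/proc/$pid/cgroup")
    if [ -z "$id" ]; then
        echo "PID $pid: no Docker cgroup found, treat as a host process"
        return 1
    fi
    echo "PID $pid runs in container $id"
    # Container name and image, if the docker CLI is usable by this user.
    if command -v docker >/dev/null 2>&1; then
        docker inspect --format '{{.Name}} ({{.Config.Image}})' "$id" 2>/dev/null
    fi
    # Paths that are "missing" on the host are visible here (root only).
    echo "container filesystem as seen by the process: /proc/$pid/root/"
}

# Usage: sh triage.sh 13527
if [ -n "${1:-}" ]; then triage_pid "$1"; fi
```

A process that has no Docker cgroup, is not in the package database and points at paths missing on the host still needs investigating as a possible compromise.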