
I was reading this article, and decided to search for sd-pam in the processes of one of my laptops.

I did ps -x | grep -i "sd-pam", and got

2864 ?        S      0:00 (sd-pam)
29172 pts/0    S+     0:00 grep --color=auto -i sd-pam

So I think I've got infected with this malware somehow. The laptop is old, and I remember during covid times my camera working without being user-activated (light was on), but I could never find out why.

I'm not an expert, nor even an experienced user/cybersecurity guy.

How does one confirm whether the laptop is infected or not with this malware?

PS: the article is in French. Here's also an article in English.

1 Answer


sd-pam itself is no virus. It is a systemd service that executes in a PAM session. Services with PAMName= in their unit will have a sd-pam process in their cgroup. The purpose is to wait for a service to terminate so it can perform a 'close PAM session'.

The thing to do is to search your services for PAMName (sudo grep -R PAMName /etc/systemd/system/*) and then find out if this usage is correct. Crypto miners use it a lot to keep the process active. Same goes for StripedFly: it claims to be a crypto miner but it is not; uninstalling keeps this active on your machine.

The cause for this problem is a bug in SAMBA v1. Samba v1 was already obsolete in 2014 so nobody should be using it. For disabling v1 see for instance:

Rinzwind
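As an added example (not part of the answer above), a small POSIX sh script that does the check the answer describes one step further: for each running (sd-pam) process it reads /proc/PID/cgroup, finds the systemd unit that owns that cgroup, and prints the unit's PAMName= and the unit file it was loaded from, so each use can be judged as legitimate (for example user@UID.service, which legitimately sets PAMName=systemd-user) or suspicious. It assumes a Linux host with systemd, pgrep and /proc; the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes systemd, pgrep, /proc.

# Extract the innermost *.service / *.scope unit name from one /proc/PID/cgroup line.
# Works for cgroup v2 ("0::/user.slice/.../user@1000.service") and the cgroup v1
# systemd hierarchy line ("1:name=systemd:/system.slice/foo.service").
unit_from_cgroup() {
    path=$(printf '%s' "$1" | awk -F: '{print $NF}')   # keep the path after the last colon
    unit=
    old_ifs=$IFS; IFS=/
    for comp in $path; do                               # walk the path components
        case $comp in
            *.service|*.scope) unit=$comp ;;            # remember the last unit seen
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$unit"
}

# Print the PAMName= value from unit-file text on stdin (empty if the unit sets none).
pam_name_from_unit() {
    sed -n 's/^[[:space:]]*PAMName=//p' | tail -n 1
}

# Live check: one line per (sd-pam) process with its owning unit, that unit's
# PAMName= and the file it was loaded from. Anything outside user@UID.service or a
# service you recognise deserves a closer look at its unit file.
scan_sd_pam() {
    for pid in $(pgrep -x '\(sd-pam\)'); do             # sd-pam names itself "(sd-pam)"
        line=$(grep -E '^0::|name=systemd' "/proc/$pid/cgroup" | head -n 1)
        unit=$(unit_from_cgroup "$line")
        if [ -z "$unit" ]; then
            echo "pid $pid: no systemd unit found in its cgroup ($line)"
            continue
        fi
        pam=$(systemctl show -p PAMName --value "$unit" 2>/dev/null)
        frag=$(systemctl show -p FragmentPath --value "$unit" 2>/dev/null)
        echo "pid $pid: unit=$unit PAMName=${pam:-<none>} file=${frag:-<unknown>}"
    done
}

# The live scan only runs when asked for, e.g.:  sh sd-pam-check.sh scan
case "${1:-}" in
    scan) scan_sd_pam ;;
esac
```

For a unit the script flags, the answer's grep over /etc/systemd/system plus `systemctl cat <unit>` shows the full unit text behind that PAMName= line.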