I see this process but can't seem to find anything about it on Google:
init─┬─crond
     ├─dbus-daemon
     ├─events/0
     ├─events/1
     ├─httpd───8*[httpd]
     ├─khelper
     ├─khostd───khostd
     ├─klogd
     ├─ksoftirqd/0
What is khostd? Is it useful?
I'm using a CentOS 5.4 64-bit system.
More Info after getting pidof khostd:
/proc/28069:
total 0
dr-xr-xr-x 2 root root 0 Oct 19 18:44 attr
-r-------- 1 root root 0 Oct 19 18:46 auxv
-r--r--r-- 1 root root 0 Oct 19 18:44 cmdline
-rw-r--r-- 1 root root 0 Oct 19 18:46 coredump_filter
-r--r--r-- 1 root root 0 Oct 19 18:46 cpuset
lrwxrwxrwx 1 root root 0 Oct 19 18:46 cwd -> /tmp
-r-------- 1 root root 0 Oct 19 18:46 environ
lrwxrwxrwx 1 root root 0 Oct 19 18:44 exe -> /usr/lib/.khostd/khostd
dr-x------ 2 root root 0 Oct 19 18:44 fd
dr-x------ 2 root root 0 Oct 19 18:46 fdinfo
-r--r--r-- 1 root root 0 Oct 19 18:46 io
-r--r--r-- 1 root root 0 Oct 19 18:46 limits
-rw-r--r-- 1 root root 0 Oct 19 18:46 loginuid
-r--r--r-- 1 root root 0 Oct 19 18:46 maps
-rw------- 1 root root 0 Oct 19 18:46 mem
-r--r--r-- 1 root root 0 Oct 19 18:46 mounts
-r-------- 1 root root 0 Oct 19 18:46 mountstats
-r--r--r-- 1 root root 0 Oct 19 18:46 numa_maps
-rw-r--r-- 1 root root 0 Oct 19 18:46 oom_adj
-r--r--r-- 1 root root 0 Oct 19 18:46 oom_score
lrwxrwxrwx 1 root root 0 Oct 19 18:46 root -> /
-r--r--r-- 1 root root 0 Oct 19 18:46 schedstat
-r--r--r-- 1 root root 0 Oct 19 18:46 smaps
-r--r--r-- 1 root root 0 Oct 19 18:44 stat
-r--r--r-- 1 root root 0 Oct 19 18:44 statm
-r--r--r-- 1 root root 0 Oct 19 18:44 status
dr-xr-xr-x 3 root root 0 Oct 19 18:44 task
-r--r--r-- 1 root root 0 Oct 19 18:46 wchan
ls -l fd
total 0
lr-x------ 1 root root 64 Oct 19 18:44 0 -> /dev/null
l-wx------ 1 root root 64 Oct 19 18:44 1 -> /dev/null
l-wx------ 1 root root 64 Oct 19 18:44 2 -> /dev/null
lrwx------ 1 root root 64 Oct 19 18:44 3 -> socket:[243807]
lsof -a -p 28069
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
khostd 28069 root cwd DIR 3,1 4096 6717441 /tmp
khostd 28069 root rtd DIR 3,1 4096 2 /
khostd 28069 root txt REG 3,1 2976132 6717448 /usr/lib/.khostd/khostd
khostd 28069 root mem REG 3,1 125736 9110591 /lib/ld-2.5.so
khostd 28069 root mem REG 3,1 1611564 9109521 /lib/libc-2.5.so
khostd 28069 root mem REG 3,1 208352 9109572 /lib/libm-2.5.so
khostd 28069 root mem REG 3,1 129716 9109534 /lib/libpthread-2.5.so
khostd 28069 root mem REG 3,1 16428 9109528 /lib/libdl-2.5.so
khostd 28069 root mem REG 3,1 101404 9110587 /lib/libnsl-2.5.so
khostd 28069 root mem REG 3,1 127661 6717504 /tmp/pdk-root/e6435b00fc79422519aa88bd9ce23223/POSIX.so
khostd 28069 root mem REG 3,1 18503 6717495 /tmp/pdk-root/34a1a6c9d35316e363f0994128ef61e6/Fcntl.so
khostd 28069 root mem REG 3,1 56454896 1118201 /usr/lib/locale/locale-archive
khostd 28069 root mem REG 3,1 1264090 6717493 /tmp/pdk-root/fcb734befe617ec3ae1edc38da810a5a/libperl.so
khostd 28069 root mem REG 3,1 46680 9109544 /lib/libnss_files-2.5.so
khostd 28069 root mem REG 3,1 13420 9109560 /lib/libutil-2.5.so
khostd 28069 root mem REG 3,1 45288 9109538 /lib/libcrypt-2.5.so
khostd 28069 root mem REG 3,1 26835 6717512 /tmp/pdk-root/3760d3688c78b22765b55d36a88382f4/FastCalc.so
khostd 28069 root mem REG 3,1 20493 6717510 /tmp/pdk-root/9319229253f468feb2a6076b8f5b0492/IO.so
khostd 28069 root mem REG 3,1 28572 6717506 /tmp/pdk-root/ff58a81c4ba367275c0ac887821ec093/Socket.so
khostd 28069 root 0r CHR 1,3 1201 /dev/null
khostd 28069 root 1w CHR 1,3 1201 /dev/null
khostd 28069 root 2w CHR 1,3 1201 /dev/null
khostd 28069 root 3u IPv4 243807 TCP *:etlservicemgr (LISTEN)
More info after looking into the .khostd directory:
ls -la
total 4188
drwxr-xr-x 2 root root 4096 Oct 13 16:30 .
drwxr-xr-x 59 root root 36864 Oct 18 16:47 ..
-rwxr-xr-x 1 root root 13096 Sep 4 2009 chat
-rwxr-xr-x 1 root root 157760 Sep 4 2009 find
-rwxr-xr-x 1 root root 711660 Mar 29 2011 hi
-rw-r--r-- 1 root root 334 Aug 16 17:07 .hostconf
-rwxr-xr-x 1 root root 60920 Sep 4 2009 iptables
-rwxr-xr-x 1 root root 2976132 Aug 23 13:59 khostd
-rwxr-xr-x 1 root root 14864 Sep 4 2009 kill
-rwxr-xr-x 1 root root 125920 May 25 2008 nstat
-r-xr-xr-x 1 root root 83696 Jan 21 2009 ps
-rwx--s--x 1 root slocate 28184 Sep 4 2009 slocate
cat .hostconf
bindport=9001
trustip=[Lots of comma separated IP addresses here]
heartserver=open.hichina.com
heartserver_port=3001
reportserver=open.hichina.com
reportserver_port=3001
version=Unix2.01
UPDATE
Contact them to ask. But I'm afraid that your system is infected with a rootkit:
Take a look at the network connections:
or you probably want to sniff some packets on this port:
copy to your laptop and open with Wireshark to see what it says.
rkhunter and chkrootkit may also help. If you find something doubtful, the best way is... a fresh reinstall.
Determine its PID with:
and take a look at /proc/$(pidof khostd)/. Some info can help:
You can also use lsof to list all file descriptors used by this process:
or see what it is doing with:
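
Added example, not part of the original posts: a shell function that runs the /proc checks suggested in the answers against one process directory and reports the indicators visible in the question's listings (executable under a hidden directory, working directory in /tmp, libraries mapped from /tmp, stdio on /dev/null with an open socket). The names triage_pid and sample_proc and the finding labels are made up for this example, and the sample tree is constructed from the values shown above.

```shell
#!/bin/sh
# triage_pid PROC_ROOT PID: print one finding per line for a process directory.
# PROC_ROOT is normally /proc; it is a parameter so a copied tree can be checked.
triage_pid() {
    dir="$1/$2"
    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    cwd=$(readlink "$dir/cwd" 2>/dev/null || true)
    # Real kernel threads (khelper, klogd, ksoftirqd) have no exe link at all.
    case "$exe" in
        "")   echo "no-exe: kernel thread, or not enough privilege to read it" ;;
        */.*) echo "hidden-dir-exe: $exe" ;;
    esac
    case "$exe" in *" (deleted)") echo "deleted-exe: $exe" ;; esac
    case "$cwd" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) echo "tmp-cwd: $cwd" ;;
    esac
    # Field 6 of maps is the backing file; flag code mapped from temp dirs.
    if [ -r "$dir/maps" ]; then
        awk '$6 ~ "^/(tmp|var/tmp|dev/shm)/" && !seen[$6]++ { print "tmp-mapped: " $6 }' "$dir/maps"
    fi
    # stdin/stdout/stderr on /dev/null plus a socket: a detached network service.
    null=0; socks=0
    for f in "$dir"/fd/*; do
        [ -L "$f" ] || continue
        case "$(readlink "$f")" in
            socket:*)  socks=$((socks + 1)) ;;
            /dev/null) case "${f##*/}" in 0|1|2) null=$((null + 1)) ;; esac ;;
        esac
    done
    if [ "$null" -eq 3 ] && [ "$socks" -gt 0 ]; then
        echo "detached-with-socket: $socks socket fd(s), stdio on /dev/null"
    fi
    return 0
}

# sample_proc DIR: build a constructed stand-in for /proc/28069 from the listings above.
sample_proc() {
    mkdir -p "$1/28069/fd"
    ln -s /usr/lib/.khostd/khostd "$1/28069/exe"
    ln -s /tmp "$1/28069/cwd"
    for n in 0 1 2; do ln -s /dev/null "$1/28069/fd/$n"; done
    ln -s 'socket:[243807]' "$1/28069/fd/3"
    # Constructed maps lines: addresses are made up, paths come from the lsof output.
    printf '%s\n' \
      '2b1000000000-2b1000020000 r-xp 00000000 03:01 6717493 /tmp/pdk-root/fcb734befe617ec3ae1edc38da810a5a/libperl.so' \
      '2b1000200000-2b1000340000 r-xp 00000000 03:01 9109521 /lib/libc-2.5.so' > "$1/28069/maps"
}

# Live use, as root: sh triage.sh /proc 28069
if [ $# -eq 2 ]; then triage_pid "$1" "$2"; fi
```

A process that prints no findings is not thereby clean; these checks only cover the traits seen in this question.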