Home / ubuntu / Questions / 397934
Accepted
Mohammad Moghimi
Asked: 2013-12-31 17:36:37 +0800 CST

What do sapd, skysapd, sksapd, and ksapd do?

  • 772

Does anyone know what sapd, skysapd, sksapd, ksapd do? Are they viruses? I tried clamav it didn't recognized them as viruses.

my htop

I also realized that my /etc/rc.local has multiple copies of this:

nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./atdd
security

3 Answers

  1. Best Answer

    It's a backdoor / DDoS trojan. Check your /etc/crontab and /etc/cron.* files for multiple cronjobs that download and execute those files. (see https://isc.sans.edu/forums/diary//17282)

    • 6

  2. sapd is a legitimate process to be running in Linux. However, the others are under investigation as per the well-regarded SANS as well as a savvy user, so I would backup all your data NOW.

    • 4

  3. Actually SAPD is- A SIMPLE E-MAIL SECURITY DAEMON

    The protocol used to send a-mail, the SMTP, has a severe flaw, that is the fact it doensn't require passwords. Due to this fact, the e-mail server is vulnerable to all kinds of abuse via the Internet, like SPAM relaying and origination of e-mail with the sender's address forged.

    SAPD is a daemon designed to protect a Sendmail server against such abuses, demanding the user fetches (reads) his e-mails before he can start sending. As fetching e-mail requires an username and password, we have here a good authentication method that prevents misuse of the SMTP protocol.

    This kind of authentication is called SMTP-After-POP3, because it allows sending e-mail (SMTP) only after fetching e-mail (POP3). Hence the name SAPD, that means "SMTP After POP3 Daemon".

    For more information : Documentation

    • 1