  1. #1
    Member
    Join Date
    Apr 2007
    Posts
    59

    lfd suspicious process

    Today I received this message and I am not sure if it was an attempted email attack or if spamd or SpamAssassin went crazy. Can anyone tell me what this looks like?
    __________________________________
    Time: Fri Jan 9 13:19:13 2009 -0800
    PID: 22606
    Account: magic
    Uptime: 53530 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:42200


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
    /home/magic/.spamassassin/bayes_toks
    /home/magic/.spamassassin/bayes_seen


    Memory maps by the process (if any):


  2. #2
    Member
    Join Date
    May 2006
    Posts
    14


    I received the same messages today...

  3. #3
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator


    Wrong forum, try here.

  4. #4
    Member
    Join Date
    Apr 2007
    Posts
    8

    lfd fix for spamd and awstats.pl

    This is what I did and it fixed it.
    Choose firewall.
    Choose lfd process ignore.

    Then add these to your list.

    exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 3.0 /usr/local/cpanel/3rdparty/bin/awstats.pl
    exe:/usr/bin/perl cmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats.pl
    cmd:/usr/local/cpanel/bin/logrunner 3.0 /usr/local/cpanel/3rdparty/bin/awstats.pl
    cmd:spamd child
    exe:/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
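
A triage sketch for the alert in post #1 and two of the ignore entries in post #4, added here as an example; it is not part of any post and not lfd's own code. It cross-checks the claimed command line against the other reported fields and shows which ignore entry would actually exempt the process. The function names are hypothetical, and the exact-match reading of `exe:` and `cmd:` entries is an assumed, simplified model.

```python
import re

# Constructed sample: fields from the alert in post #1, memory maps left out.
REPORT = """Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42200
Files open by the process (if any):
/usr/bin/spamd
"""
# Two of the ignore entries from post #4.
RULES = ["cmd:spamd child",
         "exe:/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm"]

def parse_report(text):
    """Split the alert into {heading: [lines under it]}."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.endswith(":"):
            current = line.split(" (")[0].rstrip(":")
            sections[current] = []
        elif current:
            sections[current].append(line)
    return sections

def triage(sec):
    """Corroborate the claimed command line with the other reported fields."""
    listen = [m.groups() for c in sec["Network connections by the process"]
              if (m := re.match(r"tcp: ([\d.]+):(\d+) -> 0\.0\.0\.0:0$", c))]
    return {
        "exe": sec["Executable"][0], "cmd": sec["Command Line"][0],
        # spamd is a Perl script, so exe is perl and the script shows as an open file
        "script_open": "/usr/bin/spamd" in sec["Files open by the process"],
        "listeners": listen,  # 783 is spamd's default port
        "loopback_only": bool(listen) and all(a.startswith("127.") for a, _ in listen),
    }

def matching_rules(rules, facts):
    """Entries exempting this process (assumed model: exact match on exe/cmd)."""
    return [r for r in rules
            if r.partition(":")[::2] in (("exe", facts["exe"]), ("cmd", facts["cmd"]))]

def cmd_only(rules, facts):
    """True if the exemption rests only on the self-reported command line."""
    hits = matching_rules(rules, facts)
    return bool(hits) and all(r.startswith("cmd:") for r in hits)
```

On the thread's data, `matching_rules(RULES, triage(parse_report(REPORT)))` returns only `cmd:spamd child`, because the `exe:` entry names a Perl module while the reported executable is `/usr/bin/perl`. `cmd_only` is therefore true: the exemption rests on the field the alert itself labels "often faked in exploits".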
