
Thread: Suspicious process running under user [account]

  1. #1
    Member
    Join Date
    Feb 2008
    Posts
    11

    Suspicious process running under user [account]

    Hi,

    I've got an e-mail "Suspicious process running under user [customer account]" twice already; can anyone tell me what exactly is running under the process?

    Here's the message.

    -----------------------------------------------------------

    Time: Tue Sep 16 23:23:08 2008 +0700
    PID: 16965
    Account: [customer account]
    Uptime: 84 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/bin/perl -w check.cgi


    Network connections by the process (if any):

    tcp: my ip address:56341 -> 194.67.23.111:25


    Files open by the process (if any):



    Memory maps by the process (if any):

    -------------------------------------------------------------------------------

    Thanks in advance.
    Last edited by foxphiles; 09-16-2008 at 12:54 PM. Reason: edited out ip address

  2. #2
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    10,079
    cPanel/WHM Access Level

    Root Administrator

    You'd do better to ask over at configserver forums where support for CSF is provided. You might check your server for the file named check.cgi and inspect it.

  3. #3
    Member
    Join Date
    Feb 2008
    Posts
    11

    Thanks, I'll do that. ^^

  4. #4
    Member
    Join Date
    Oct 2004
    Posts
    45

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/bin/perl -w check.cgi


    Network connections by the process (if any):

    tcp: my ip address:56341 -> 194.67.23.111:25

    A lookup of the IP address gives smtp.mail.ru; :25 is the SMTP port.

    I would guess that the check.cgi script (which was running for 84 seconds) was used to validate the form input from someone at that IP address.

    There could be many reasons it ran for this long, such as the remote server taking a long time to respond, a script that does not correctly terminate the SMTP connection, or several other things.
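The triage in the reply above (which script is named on the command line, where the connection goes, how long the process has been alive) can be automated against the alert text itself. The following is an added example, not code from the thread or from lfd/CSF: it parses the alert layout shown in post #1 and turns the fields into the checks a responder would make first. The sample alert is constructed from the thread, with the redacted source address replaced by a documentation-range placeholder; `parse_lfd_alert` and `assess` are names chosen here.

```python
import re
from typing import Any, Dict, List

HDR = r"^\S[^\n]*:[ \t]*$"  # an lfd section header line such as "Executable:"
CONN = re.compile(r"(\w+):[ \t]*(\S+):(\d+)\s*->\s*(\S+):(\d+)")

# Constructed sample in the layout of the alert quoted in the thread.
ALERT = """Time: Tue Sep 16 23:23:08 2008 +0700
PID: 16965
Account: customer1
Uptime: 84 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

/usr/bin/perl -w check.cgi

Network connections by the process (if any):

tcp: 203.0.113.10:56341 -> 194.67.23.111:25
"""

def parse_lfd_alert(text: str) -> Dict[str, Any]:
    """Extract the fields of an lfd 'Suspicious process' alert body."""
    def section(name: str) -> List[str]:  # non-blank body lines up to the next header
        m = re.search(rf"^{name}[^\n]*:[ \t]*\n(.*?)(?={HDR}|\Z)", text, re.M | re.S)
        return [l.strip() for l in m[1].splitlines() if l.strip()] if m else []
    alert: Dict[str, Any] = {}
    for key in ("Time", "PID", "Account", "Uptime"):
        m = re.search(rf"^{key}:[ \t]*(.+)$", text, re.M)
        alert[key.lower()] = m[1].strip() if m else None
    alert["executable"] = (section("Executable") or [None])[0]
    alert["cmdline"] = (section("Command Line") or [None])[0]
    alert["connections"] = [
        {"proto": m[1], "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5])}
        for m in map(CONN.match, section("Network connections")) if m]
    return alert

def assess(alert: Dict[str, Any]) -> List[str]:
    """Turn the parsed fields into the first checks a responder would make."""
    findings, cmd = [], str(alert.get("cmdline") or "")
    smtp = [c for c in alert["connections"] if c["dport"] == 25]
    secs = int(str(alert.get("uptime") or "0").split()[0])
    if cmd.endswith(".cgi"):  # script named on the command line (lfd warns it may be faked)
        findings.append(f"review {cmd.split()[-1]} in account {alert['account']}'s web root")
    for c in smtp:
        findings.append(f"outbound SMTP to {c['dst']}: confirm it is the form mailer, not a relay")
    if secs > 60 and smtp:
        findings.append(f"{secs}s with SMTP open: check for a slow remote or an unclosed session")
    return findings
```

Run `assess(parse_lfd_alert(ALERT))` to get the three findings for the sample; a reverse lookup of the destination, as done in the reply, is left to the responder since it needs network access.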
