  1. #1
    Member
    Join Date
    Jan 2007
    Posts
    15

    Suspicious process running under user nobody

    Hello everyone, this is a great forum, and I have a question for you.
    I have LFD installed on one of our servers, and yesterday I received three e-mails from it stating that a suspicious process was running under user nobody; note that we have phpsuexec enabled.

    This is the complete message.

    -------------------------------------------------------------------------------------------
    Time: Wed Aug 15 16:21:37 2007
    PID: 8423
    Account: nobody
    Uptime: 314 seconds


    Executable:

    /usr/local/cpanel/bin/cpwrap


    Command Line (often faked in exploits):

    /usr/local/cpanel/bin/eximwrap GETDISKUSED info basystems.com


    Network connections by the process (if any):

    tcp: 78.51.3.35:25 -> 209.208.132.10:56040
    tcp: 78.51.3.35:25 -> 209.208.132.10:56040


    Files open by the process (if any):

    /dev/null
    /dev/null
    /etc/localdomains
    /etc/userdomains
    /etc/passwd
    /etc/valiases/basystems.net
    /etc/vdomainaliases/basystems.net


    Memory maps by the process (if any):

    002e5000-002ee000 r-xp 00000000 08:03 901190 /lib/libnss_files-2.3.4.so
    002ee000-002ef000 r--p 00008000 08:03 901190 /lib/libnss_files-2.3.4.so
    002ef000-002f0000 rw-p 00009000 08:03 901190 /lib/libnss_files-2.3.4.so
    00460000-00476000 r-xp 00000000 08:03 906150 /lib/ld-2.3.4.so
    00476000-00477000 r--p 00015000 08:03 906150 /lib/ld-2.3.4.so
    00477000-00478000 rw-p 00016000 08:03 906150 /lib/ld-2.3.4.so
    0047a000-005a0000 r-xp 00000000 08:03 906160 /lib/tls/libc-2.3.4.so
    005a0000-005a2000 r--p 00125000 08:03 906160 /lib/tls/libc-2.3.4.so
    005a2000-005a4000 rw-p 00127000 08:03 906160 /lib/tls/libc-2.3.4.so
    005a4000-005a6000 rw-p 005a4000 00:00 0
    08048000-08052000 r-xp 00000000 08:03 5358009 /usr/local/cpanel/bin/cpwrap
    08052000-08053000 rw-p 00009000 08:03 5358009 /usr/local/cpanel/bin/cpwrap
    08053000-08074000 rw-p 08053000 00:00 0
    b7ff5000-b7ff6000 rw-p b7ff5000 00:00 0
    bfff7000-c0000000 rwxp bfff7000 00:00 0
    ffffe000-fffff000 ---p 00000000 00:00 0
    ----------------------------------------------------------------------------------------------

    Can you please tell me if this is something I should worry about?
    Also, I have been receiving e-mails about high server load at the same time as this message.
    And can you tell me what cpwrap is and what it does?

  2. #2
    Member
    Join Date
    Apr 2004
    Location
    NJ
    Posts
    28


    It might be something to worry about.

    I had the same thing on one of my servers earlier in the week. It turned out to be some scripts in /tmp that were attempting to send log details to a server running a chatroom on port 6667.

    I had the scripts removed and all seems good now.

    Have you run any root kit checkers to see if they catch anything?

  3. #3
    Member
    Join Date
    Jul 2007
    Posts
    5


    Quote Originally Posted by bebop1065
    It might be something to worry about.

    I had the same thing on one of my servers earlier in the week. It turned out to be some scripts in /tmp that were attempting to send log details to a server running a chatroom on port 6667.

    I had the scripts removed and all seems good now.

    Have you run any root kit checkers to see if they catch anything?

    Do you have any more details on what scripts were running in tmp? Name, file size, etc.? I seem to have this exact same problem, and the only file which looks out of place in tmp is one which is named t00000 and has a file size of 47,000mb. I have renamed the file so it can be investigated further. I would very much like further details on the filenames you found in your tmp directory.

    Thanks for any help

  4. #4
    cPanel Partner NOC
    Join Date
    Sep 2006
    Location
    Virginia Beach, VA
    Posts
    254
    cPanel/Enkompass Access Level

    Root Administrator


    Other services can run processes as the user nobody, such as Apache and perl. To find nobody running processes, just run:

    ps -efww |grep nobody |more

    Then track the process ID with lsof -p <PID> to find out where it's coming from if it isn't obvious in the process listing.
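    An added triage script (not lfd's or cPanel's code) that does what the last reply describes and also checks the two things the alert and the earlier replies point at: it walks every process owned by a user (default nobody) through /proc, compares argv[0] with the real executable (the "command line often faked" case, exactly the cpwrap vs eximwrap situation in the alert), and flags binaries or working directories under /tmp. Function names are hypothetical; an interpreter running a script (exe is perl, argv[0] is the script) also shows a mismatch, so a flag means "look closer with lsof", not proof of abuse.

```shell
#!/bin/sh
# Added triage helper, not part of lfd or cPanel. Names are hypothetical.
# Reads /proc directly, so it needs no tools beyond coreutils, ps and id.

# 0 when the basename of argv[0] equals the basename of the real exe path.
# Interpreters (exe=/usr/bin/perl, argv0=/home/x/run.pl) mismatch too, and a
# deleted binary shows as "name (deleted)", which is also worth a look.
argv0_matches_exe() {
    [ "$(basename "$1")" = "$(basename "$2")" ]
}

# 0 when a path lives under a world-writable scratch directory.
path_is_scratch() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line record for a PID: real exe, argv[0], cwd, open socket count, flags.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    argv0=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -d' ' -f1)
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    socks=$(ls -l "/proc/$pid/fd" 2>/dev/null | grep -c 'socket:' || true)
    flags=""
    argv0_matches_exe "$exe" "${argv0:-?}" || flags="$flags [argv0!=exe]"
    path_is_scratch "$exe" && flags="$flags [exe-in-scratch]"
    path_is_scratch "$cwd" && flags="$flags [cwd-in-scratch]"
    printf '%s exe=%s argv0=%s cwd=%s sockets=%s%s\n' \
        "$pid" "$exe" "${argv0:-?}" "$cwd" "$socks" "$flags"
}

# Walk every PID owned by the user (default nobody); follow up on any
# flagged PID with lsof -p <PID>, as the reply above suggests.
triage_user() {
    user=${1:-nobody}
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 1; }
    for p in $(ps -o pid= -u "$uid" 2>/dev/null); do
        triage_pid "$p"
    done
}
```

    Run it as root so /proc/<PID>/exe and /proc/<PID>/fd of other users' processes are readable; unprivileged runs print '?' for those fields.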
