
Excessive Suspicious process running under user rpc

Discussion in 'Security' started by Cloudtech, Dec 5, 2017.

  1. Cloudtech

    Cloudtech Registered

    Joined:
    Nov 30, 2017
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I am getting a lot of emails with these subject lines: lfd on server1.domain-name.com: ( Excessive resource usage: mysql (3419 (Parent PID:3419)), Suspicious process running under user rpc, Excessive resource usage: rpc (27574 (Parent PID:27574)). Please help me, I don't know what to do and why these emails are being generated every hour. Below I have added each subject line's message as 1, 2 and 3. Please help me, I want to know if there is anything wrong happening on my server, as I am a beginner and I have moved from Plesk to cPanel because of their lack of security, so please help me.
    Code:
    Email: 1 Subject line : lfd on server1.domain-name.com: Excessive resource usage: rpc (27574 (Parent PID:27574))
    
    Time: Tue Dec 5 21:02:00 2017 +0530
    Account: rpc
    Resource: Process Time
    Exceeded: 2109223 > 1800 (seconds)
    
    Executable: /usr/sbin/rpcbind
    Command Line: /sbin/rpcbind -w
    PID: 27574 (Parent PID:27574)
    Killed: No
    
    
    Email: 2 Subject line : lfd on server1.domain-name.com : Suspicious process running under user rpc
    
    Time: Tue Dec 5 21:01:59 2017 +0530
    PID: 27574 (Parent PID:27574)
    Account: rpc
    Uptime: 2109223 seconds
    
    
    Executable:
    
    /usr/sbin/rpcbind
    
    
    Command Line (often faked in exploits):
    
    /sbin/rpcbind -w
    
    
    Network connections by the process (if any):
    
    tcp6: 0.0.0.0:111 -> 0.0.0.0:0
    tcp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:613 -> 0.0.0.0:0
    udp6: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:613 -> 0.0.0.0:0
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    /run/rpcbind.lock
    
    
    Memory maps by the process (if any):
    
    
    
    
    Email: 3 Subject line : lfd on server1.domain-name.com: Excessive resource usage: mysql (3419 (Parent PID:3419))
    
    Time: Tue Dec 5 21:02:00 2017 +0530
    Account: mysql
    Resource: Process Time
    Exceeded: 259721 > 1800 (seconds)
    
    
    Executable: /usr/bin/bash
    Command Line: /bin/sh /usr/bin/mysqld_safe
    PID: 3419 (Parent PID:3419)
    Killed: No
    
    
    Anybody, please help me; these are the emails I am getting each hour. I have enabled CSF and changed the SSH port because of a lot of brute force attempts; after enabling it, one or two attempts came again and were blocked, and the IP was blocked by CSF. So please help me, I am afraid that if the server was hacked by hackers I will lose every customer. My server is CentOS 7.4 KVM and the cPanel version is v68.0.19. I am looking forward to resolving this issue, so please help.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    668
    Likes Received:
    222
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    If you don't have any NFS mounts, you can use the instructions as detailed in
    Suspicious process running under user rpc

    If you need that rpcbind running you should add this line in /etc/csf/csf.pignore

    exe:/sbin/rpcbind

    and then restart csf & lfd
     
    cPanelMichael likes this.
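A worked version of rpvw's advice, added here as an example and not code from the thread or from CSF: it checks for NFS mounts, confirms the flagged PID really is the package-installed /usr/sbin/rpcbind (the alert warns the command line can be faked), and only then adds the pignore entry and restarts csf and lfd with `csf -ra`. File paths default to the real locations but are parameters so the helpers can be tried on constructed input.

```shell
#!/bin/sh
# Added example (not from the thread or from CSF): apply rpvw's advice safely.
# Paths are parameters so the helpers can be tried on constructed files.

# Return 0 if the mounts table (default /proc/mounts) lists any NFS mount.
# Without NFS, rpcbind is usually not needed and disabling it beats ignoring it.
has_nfs_mounts() {
  mounts=${1:-/proc/mounts}
  awk '$3 ~ /^nfs[34]?$/ { found = 1 } END { exit !found }' "$mounts"
}

# Append an entry to csf.pignore unless an identical line already exists,
# so re-running never produces duplicates. Prints "added" or "present".
pignore_add() {
  file=$1; entry=$2
  if grep -Fxq -- "$entry" "$file" 2>/dev/null; then
    echo present
  else
    printf '%s\n' "$entry" >> "$file" && echo added
  fi
}

# Before ignoring anything, confirm the flagged PID runs the expected binary:
# /proc/<pid>/exe resolves to the real executable even if the command line is faked.
exe_matches() {
  pid=$1; expected=$2
  actual=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
  [ "$actual" = "$expected" ]
}

# Whitelist rpcbind for lfd (entry as rpvw gave it) and reload csf and lfd.
# The alert reports the resolved executable as /usr/sbin/rpcbind, so that is
# what the PID is checked against.
apply_whitelist() {
  pid=${1:?usage: apply_whitelist <rpcbind pid>}
  if ! has_nfs_mounts; then
    echo "no NFS mounts found: consider disabling rpcbind rather than ignoring it"
    return 0
  fi
  if ! exe_matches "$pid" /usr/sbin/rpcbind; then
    echo "pid $pid is not /usr/sbin/rpcbind; investigate instead of whitelisting" >&2
    return 1
  fi
  pignore_add /etc/csf/csf.pignore 'exe:/sbin/rpcbind'
  csf -ra   # restart csf and then lfd so the new ignore entry takes effect
}

# Run only when explicitly asked: sh this_script.sh --apply <pid>
if [ "${1:-}" = --apply ]; then apply_whitelist "$2"; fi
```

The PID to pass is the one from the lfd alert (27574 in the email above).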
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,705
    Likes Received:
    1,791
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The information in the previous post should help.

    Thank you.
     