How to disable sending the email: lfd on server: Suspicious process running under user

NguyenCong
Registered, Nov 6, 2016, Hà Nội, cPanel Access Level: Reseller Owner
Hi. I have tried everything but still not be
Code:
Time:    Sun Nov  6 15:58:27 2016 +0700
PID:     54075 (Parent PID:54074)
Account: user...
Uptime:  81 seconds


Executable:

/home/virtfs/user.../usr/bin/wget


Command Line (often faked in exploits):

wget http://...../~trieuminhtien/curl2/cron1.php


Network connections by the process (if any):

tcp: 74.208.81.166:54174 -> 173.254.243.2:80


Files open by the process (if any):

/home/virtfs/user.../home/user.../cron1.php.32


Memory maps by the process (if any):

00400000-00460000 r-xp 00000000 fd:01 34290570                           /home/virtfs/user.../usr/bin/wget
0065f000-00660000 r--p 0005f000 fd:01 34290570                           /home/virtfs/user.../usr/bin/wget
00660000-00664000 rw-p 00060000 fd:01 34290570                           /home/virtfs/user.../usr/bin/wget
00664000-0066b000 rw-p 00000000 00:00 0
02083000-020a4000 rw-p 00000000 00:00 0                                  [heap]
7fc59351b000-7fc599a42000 r--p 00000000 fd:01 101267135                  /home/virtfs/user.../usr/lib/locale/locale-archive
7fc599a42000-7fc599a66000 r-xp 00000000 fd:01 67269043                   /home/virtfs/user.../usr/lib64/liblzma.so.5.0.99
7fc599a66000-7fc599c65000 ---p 00024000 fd:01 67269043                   /home/virtfs/user.../usr/lib64/liblzma.so.5.0.99
7fc599c65000-7fc599c66000 r--p 00023000 fd:01 67269043                   /home/virtfs/user.../usr/lib64/liblzma.so.5.0.99
7fc599c66000-7fc599c67000 rw-p 00024000 fd:01 67269043                   /home/virtfs/user.../usr/lib64/liblzma.so.5.0.99
7fc599c67000-7fc599c88000 r-xp 00000000 fd:01 67305698                   /home/virtfs/user.../usr/lib64/libselinux.so.1
7fc599c88000-7fc599e88000 ---p 00021000 fd:01 67305698                   /home/virtfs/user.../usr/lib64/libselinux.so.1
7fc599e88000-7fc599e89000 r--p 00021000 fd:01 67305698                   /home/virtfs/user.../usr/lib64/libselinux.so.1
7fc599e89000-7fc599e8a000 rw-p 00022000 fd:01 67305698                   /home/virtfs/user.../usr/lib64/libselinux.so.1
7fc599e8a000-7fc599e8c000 rw-p 00000000 00:00 0
7fc599e8c000-7fc599ea2000 r-xp 00000000 fd:01 67277447                   /home/virtfs/user.../usr/lib64/libresolv-2.17.so
7fc599ea2000-7fc59a0a2000 ---p 00016000 fd:01 67277447                   /home/virtfs/user.../usr/lib64/libresolv-2.17.so
7fc59a0a2000-7fc59a0a3000 r--p 00016000 fd:01 67277447                   /home/virtfs/user.../usr/lib64/libresolv-2.17.so
7fc59a0a3000-7fc59a0a4000 rw-p 00017000 fd:01 67277447                   /home/virtfs/user.../usr/lib64/libresolv-2.17.so
7fc59a0a4000-7fc59a0a6000 rw-p 00000000 00:00 0
7fc59a0a6000-7fc59a0a9000 r-xp 00000000 fd:01 67306073                   /home/virtfs/user.../usr/lib64/libkeyutils.so.1.5
7fc59a0a9000-7fc59a2a8000 ---p 00003000 fd:01 67306073                   /home/virtfs/user.../usr/lib64/libkeyutils.so.1.5
7fc59a2a8000-7fc59a2a9000 r--p 00002000 fd:01 67306073                   /home/virtfs/user.../usr/lib64/libkeyutils.so.1.5
7fc59a2a9000-7fc59a2aa000 rw-p 00003000 fd:01 67306073                   /home/virtfs/user.../usr/lib64/libkeyutils.so.1.5
7fc59a2aa000-7fc59a2b7000 r-xp 00000000 fd:01 67380663                   /home/virtfs/user.../usr/lib64/libkrb5support.so.0.1
7fc59a2b7000-7fc59a4b7000 ---p 0000d000 fd:01 67380663                   /home/virtfs/user.../usr/lib64/libkrb5support.so.0.1
7fc59a4b7000-7fc59a4b8000 r--p 0000d000 fd:01 67380663                   /home/virtfs/user.../usr/lib64/libkrb5support.so.0.1
7fc59a4b8000-7fc59a4b9000 rw-p 0000e000 fd:01 67380663                   /home/virtfs/user.../usr/lib64/libkrb5support.so.0.1
7fc59a4b9000-7fc59a4cf000 r-xp 00000000 fd:01 67277445                   /home/virtfs/user.../usr/lib64/libpthread-2.17.so
7fc59a4cf000-7fc59a6cf000 ---p 00016000 fd:01 67277445                   /home/virtfs/user.../usr/lib64/libpthread-2.17.so
7fc59a6cf000-7fc59a6d0000 r--p 00016000 fd:01 67277445                   /home/virtfs/user.../usr/lib64/libpthread-2.17.so
7fc59a6d0000-7fc59a6d1000 rw-p 00017000 fd:01 67277445                   /home/virtfs/user.../usr/lib64/libpthread-2.17.so
7fc59a6d1000-7fc59a6d5000 rw-p 00000000 00:00 0
7fc59a6d5000-7fc59a704000 r-xp 00000000 fd:01 67380649                   /home/virtfs/user.../usr/lib64/libk5crypto.so.3.1
7fc59a704000-7fc59a903000 ---p 0002f000 fd:01 67380649                   /home/virtfs/user.../usr/lib64/libk5crypto.so.3.1
7fc59a903000-7fc59a905000 r--p 0002e000 fd:01 67380649                   /home/virtfs/user.../usr/lib64/libk5crypto.so.3.1
7fc59a905000-7fc59a906000 rw-p 00030000 fd:01 67380649                   /home/virtfs/user.../usr/lib64/libk5crypto.so.3.1
7fc59a906000-7fc59a907000 rw-p 00000000 00:00 0
7fc59a907000-7fc59a90a000 r-xp 00000000 fd:01 67305724                   /home/virtfs/user.../usr/lib64/libcom_err.so.2.1
7fc59a90a000-7fc59ab09000 ---p 00003000 fd:01 67305724                   /home/virtfs/user.../usr/lib64/libcom_err.so.2.1
7fc59ab09000-7fc59ab0a000 r--p 00002000 fd:01 67305724                   /home/virtfs/user.../usr/lib64/libcom_err.so.2.1
7fc59ab0a000-7fc59ab0b000 rw-p 00003000 fd:01 67305724                   /home/virtfs/user.../usr/lib64/libcom_err.so.2.1
7fc59ab0b000-7fc59abe0000 r-xp 00000000 fd:01 67380661                   /home/virtfs/user.../usr/lib64/libkrb5.so.3.3
7fc59abe0000-7fc59ade0000 ---p 000d5000 fd:01 67380661                   /home/virtfs/user.../usr/lib64/libkrb5.so.3.3
7fc59ade0000-7fc59aded000 r--p 000d5000 fd:01 67380661                   /home/virtfs/user.../usr/lib64/libkrb5.so.3.3
7fc59aded000-7fc59adf0000 rw-p 000e2000 fd:01 67380661                   /home/virtfs/user.../usr/lib64/libkrb5.so.3.3
7fc59adf0000-7fc59ae39000 r-xp 00000000 fd:01 68202756                   /home/virtfs/user.../usr/lib64/libgssapi_krb5.so.2.2
7fc59ae39000-7fc59b039000 ---p 00049000 fd:01 68202756                   /home/virtfs/user.../usr/lib64/libgssapi_krb5.so.2.2
7fc59b039000-7fc59b03a000 r--p 00049000 fd:01 68202756                   /home/virtfs/user.../usr/lib64/libgssapi_krb5.so.2.2
7fc59b03a000-7fc59b03c000 rw-p 0004a000 fd:01 68202756                   /home/virtfs/user.../usr/lib64/libgssapi_krb5.so.2.2
7fc59b03c000-7fc59b1f3000 r-xp 00000000 fd:01 67151462                   /home/virtfs/user.../usr/lib64/libc-2.17.so
7fc59b1f3000-7fc59b3f3000 ---p 001b7000 fd:01 67151462                   /home/virtfs/user.../usr/lib64/libc-2.17.so
7fc59b3f3000-7fc59b3f7000 r--p 001b7000 fd:01 67151462                   /home/virtfs/user.../usr/lib64/libc-2.17.so
7fc59b3f7000-7fc59b3f9000 rw-p 001bb000 fd:01 67151462                   /home/virtfs/user.../usr/lib64/libc-2.17.so
7fc59b3f9000-7fc59b3fe000 rw-p 00000000 00:00 0
7fc59b3fe000-7fc59b45e000 r-xp 00000000 fd:01 67151456                   /home/virtfs/user.../usr/lib64/libpcre.so.1.2.0
7fc59b45e000-7fc59b65d000 ---p 00060000 fd:01 67151456                   /home/virtfs/user.../usr/lib64/libpcre.so.1.2.0
7fc59b65d000-7fc59b65e000 r--p 0005f000 fd:01 67151456                   /home/virtfs/user.../usr/lib64/libpcre.so.1.2.0
7fc59b65e000-7fc59b65f000 rw-p 00060000 fd:01 67151456                   /home/virtfs/user.../usr/lib64/libpcre.so.1.2.0
7fc59b65f000-7fc59b663000 r-xp 00000000 fd:01 67380678                   /home/virtfs/user.../usr/lib64/libuuid.so.1.3.0
7fc59b663000-7fc59b862000 ---p 00004000 fd:01 67380678                   /home/virtfs/user.../usr/lib64/libuuid.so.1.3.0
7fc59b862000-7fc59b863000 r--p 00003000 fd:01 67380678                   /home/virtfs/user.../usr/lib64/libuuid.so.1.3.0
7fc59b863000-7fc59b864000 rw-p 00004000 fd:01 67380678                   /home/virtfs/user.../usr/lib64/libuuid.so.1.3.0
7fc59b864000-7fc59b896000 r-xp 00000000 fd:01 67305903                   /home/virtfs/user.../usr/lib64/libidn.so.11.6.11
7fc59b896000-7fc59ba95000 ---p 00032000 fd:01 67305903                   /home/virtfs/user.../usr/lib64/libidn.so.11.6.11
7fc59ba95000-7fc59ba96000 r--p 00031000 fd:01 67305903                   /home/virtfs/user.../usr/lib64/libidn.so.11.6.11
7fc59ba96000-7fc59ba97000 rw-p 00032000 fd:01 67305903                   /home/virtfs/user.../usr/lib64/libidn.so.11.6.11
7fc59ba97000-7fc59ba9a000 r-xp 00000000 fd:01 67277425                   /home/virtfs/user.../usr/lib64/libdl-2.17.so
7fc59ba9a000-7fc59bc99000 ---p 00003000 fd:01 67277425                   /home/virtfs/user.../usr/lib64/libdl-2.17.so
7fc59bc99000-7fc59bc9a000 r--p 00002000 fd:01 67277425                   /home/virtfs/user.../usr/lib64/libdl-2.17.so
7fc59bc9a000-7fc59bc9b000 rw-p 00003000 fd:01 67277425                   /home/virtfs/user.../usr/lib64/libdl-2.17.so
7fc59bc9b000-7fc59bcb0000 r-xp 00000000 fd:01 67305701                   /home/virtfs/user.../usr/lib64/libz.so.1.2.7
7fc59bcb0000-7fc59beaf000 ---p 00015000 fd:01 67305701                   /home/virtfs/user.../usr/lib64/libz.so.1.2.7
7fc59beaf000-7fc59beb0000 r--p 00014000 fd:01 67305701                   /home/virtfs/user.../usr/lib64/libz.so.1.2.7
7fc59beb0000-7fc59beb1000 rw-p 00015000 fd:01 67305701                   /home/virtfs/user.../usr/lib64/libz.so.1.2.7
7fc59beb1000-7fc59c06f000 r-xp 00000000 fd:01 67277416                   /home/virtfs/user.../usr/lib64/libcrypto.so.1.0.1e
7fc59c06f000-7fc59c26f000 ---p 001be000 fd:01 67277416                   /home/virtfs/user.../usr/lib64/libcrypto.so.1.0.1e
7fc59c26f000-7fc59c289000 r--p 001be000 fd:01 67277416                   /home/virtfs/user.../usr/lib64/libcrypto.so.1.0.1e
7fc59c289000-7fc59c295000 rw-p 001d8000 fd:01 67277416                   /home/virtfs/user.../usr/lib64/libcrypto.so.1.0.1e
7fc59c295000-7fc59c299000 rw-p 00000000 00:00 0
7fc59c299000-7fc59c2fc000 r-xp 00000000 fd:01 67151472                   /home/virtfs/user.../usr/lib64/libssl.so.1.0.1e
7fc59c2fc000-7fc59c4fb000 ---p 00063000 fd:01 67151472                   /home/virtfs/user.../usr/lib64/libssl.so.1.0.1e
7fc59c4fb000-7fc59c4ff000 r--p 00062000 fd:01 67151472                   /home/virtfs/user.../usr/lib64/libssl.so.1.0.1e
7fc59c4ff000-7fc59c506000 rw-p 00066000 fd:01 67151472                   /home/virtfs/user.../usr/lib64/libssl.so.1.0.1e
7fc59c506000-7fc59c527000 r-xp 00000000 fd:01 67277421                   /home/virtfs/user.../usr/lib64/ld-2.17.so
7fc59c712000-7fc59c71c000 rw-p 00000000 00:00 0
7fc59c725000-7fc59c727000 rw-p 00000000 00:00 0
7fc59c727000-7fc59c728000 r--p 00021000 fd:01 67277421                   /home/virtfs/user.../usr/lib64/ld-2.17.so
7fc59c728000-7fc59c729000 rw-p 00022000 fd:01 67277421                   /home/virtfs/user.../usr/lib64/ld-2.17.so
7fc59c729000-7fc59c72a000 rw-p 00000000 00:00 0
7ffd2a726000-7ffd2a747000 rw-p 00000000 00:00 0                          [stack]
7ffd2a74c000-7ffd2a74e000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

danielpmc
Well-Known Member, Nov 3, 2016, usa, cPanel Access Level: Reseller Owner
Hello NguyenCong,

First, I would like to offer a strong warning against disabling any suspicious lfd warnings. Unfortunately, anybody who runs a server will get these warnings. Repeatedly. Why, you ask? Many reasons:

1. It may be a rootkit virus/trojan.
2. When any system service updates/upgrades on your server, it uses backdoors and security protocols to enter/exit.
Usually these are done with hidden IPs and pre-assigned URLs/ports. But if one of those changes, and they do constantly, your server's security systems trigger an alert.
3. Sometimes when ClamAV updates
4. Sometimes when SpamAssassin updates
5. Sometimes when cPanel updates

But if you want to disable alerts, here are a couple of configurations you can try. Please write down or screenshot any original settings BEFORE editing them.

WHM/Server Configuration/Tweak Settings/Notifications

WHM/Server Configuration/Tweak Settings/System

SysSachin
Well-Known Member, Aug 23, 2015, India, cPanel Access Level: Root Administrator
Hi,

If you want to disable the lfd alert for a particular process only, then you have to add this process to the csf.pignore file.
The file path is /etc/csf/csf.pignore

OR, if you want to disable all lfd alerts, then you have to disable it in the csf.conf file

Log in to the server through SSH

Open the file /etc/csf/csf.conf and set PT_USERMEM=0
If you are not sure, then contact your system admin.
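As an added example (not code from csf/lfd and not posted by anyone in this thread), the script below parses an lfd "Suspicious process" alert in the layout quoted in the first post, lists the indicators a practitioner would check before whitelisting anything, and emits the narrowly scoped csf.pignore lines that the last reply refers to. The alert text it uses is constructed for the example: the account name `exampleuser`, the host `example.invalid` and the TEST-NET addresses are placeholders, not values from the thread. The caveat it encodes is that every csf.pignore line is matched on its own, so a `user:` line silences every process of that account, whereas `exe:` (full path) and `cmd:` (exact command line) only cover the one process shown in the alert.

```python
"""Parse an lfd "Suspicious process running under user" alert and turn it
into a short triage summary plus narrowly scoped csf.pignore lines.

Added example for this thread, not code from csf/lfd or from any poster.
Assumptions: the account 'exampleuser', the host 'example.invalid' and the
TEST-NET addresses in SAMPLE_ALERT are constructed placeholders; the section
headings are the ones lfd prints in the alert quoted in the thread.
"""
import re

# Constructed sample alert in the same layout as the one quoted in the thread.
SAMPLE_ALERT = """\
Time:    Sun Nov  6 15:58:27 2016 +0700
PID:     54075 (Parent PID:54074)
Account: exampleuser
Uptime:  81 seconds


Executable:

/home/virtfs/exampleuser/usr/bin/wget


Command Line (often faked in exploits):

wget http://example.invalid/~someaccount/curl2/cron1.php


Network connections by the process (if any):

tcp: 203.0.113.10:54174 -> 198.51.100.2:80


Files open by the process (if any):

/home/virtfs/exampleuser/home/exampleuser/cron1.php.32
"""

# One capturing group, so re.split() returns [header, name, body, name, body, ...]
SECTION_RE = re.compile(
    r"^(Executable|Command Line \(often faked in exploits\)|"
    r"Network connections by the process \(if any\)|"
    r"Files open by the process \(if any\)|"
    r"Memory maps by the process \(if any\)):\n",
    re.M,
)


def parse_alert(text):
    """Extract the header fields and each titled section of an lfd alert."""
    pid = re.search(r"^PID:\s+(\d+) \(Parent PID:(\d+)\)", text, re.M)
    info = {
        "pid": int(pid.group(1)),
        "ppid": int(pid.group(2)),
        "account": re.search(r"^Account:\s+(\S+)", text, re.M).group(1),
        "uptime": int(re.search(r"^Uptime:\s+(\d+) seconds", text, re.M).group(1)),
    }
    parts = SECTION_RE.split(text)
    sections = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        key = name.split(" (")[0]  # drop "(if any)" / "(often faked in exploits)"
        sections[key] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    info["executable"] = (sections.get("Executable") or [""])[0]
    info["cmdline"] = (sections.get("Command Line") or [""])[0]
    info["connections"] = sections.get("Network connections by the process", [])
    info["files"] = sections.get("Files open by the process", [])
    return info


def red_flags(info):
    """Indicators worth checking before anything gets whitelisted."""
    flags = []
    if "/virtfs/" in info["executable"]:
        flags.append("binary is the copy inside the account's virtfs jail tree")
    if re.search(r"\b(wget|curl)\b", info["cmdline"]) and re.search(r"\.php\b", info["cmdline"]):
        flags.append("wget/curl is fetching a .php file from a remote host")
    for path in info["files"]:
        if re.search(r"\.php\.\d+$", path):
            # wget appends .1, .2, ... when the target already exists, so a
            # high suffix means the same download has been repeated.
            flags.append("numbered wget copy of a .php file on disk: " + path)
    if info["uptime"] < 120 and info["connections"]:
        flags.append("short-lived process holding an outbound connection")
    return flags


def pignore_entries(info):
    """csf.pignore lines scoped to exactly this binary and command line.

    Every csf.pignore line is matched independently, so 'user:<account>'
    would silence all of that account's processes; 'exe:' (full path) and
    'cmd:' (exact command line) are the narrow forms.
    """
    return ["exe:" + info["executable"], "cmd:" + info["cmdline"]]


if __name__ == "__main__":
    info = parse_alert(SAMPLE_ALERT)
    print("PID %(pid)d (parent %(ppid)d), account %(account)s, up %(uptime)ds" % info)
    for flag in red_flags(info):
        print("  ! " + flag)
    print("csf.pignore lines (only if the process is confirmed legitimate):")
    for line in pignore_entries(info):
        print("  " + line)
```

Pipe a saved alert into `parse_alert` instead of `SAMPLE_ALERT` to run it on a real one. If a process is confirmed legitimate, append the `exe:`/`cmd:` lines to /etc/csf/csf.pignore and restart lfd (`csf -ra`, or `service lfd restart`) for the change to take effect; the `user:` form is deliberately not emitted.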