Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Joomla Suspicious process running under user homepage index.php

Discussion in 'Security' started by batlinuxman, Apr 25, 2016.

  1. batlinuxman

    batlinuxman Registered

    Joined:
    Apr 25, 2016
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Home
    cPanel Access Level:
    Root Administrator
    Hello,

    I am long time user of Cpanel but I am asking a favor for the first time :)

    Hope you guys can help me out.

    I have few joomla website with cpanel. Some of them are working well but one joomla website is causing me the issue.

    It is taking long time to load the website and I am getting alert from email (see message below)

    It's say that my index.php file might exploited ???
    Also, please find the index.php file too.

    I tried using original index.php file of joomla but the same issue : long time loading and alert email.

    My server info :
    • CENTOS 6.7 x86_64 standard – cl-t181-105cl
    • WHM 56.0 (build 5)
    • I have root access to the server
    • Iptables used
    • CSF activated
    • Maldet activated

    HTML:
    Time: Mon Apr 23 08:17:30 2016 -0400

PID: 6893 (Parent PID:4091)
Account: username
Uptime: 102 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/username/public_html/index.php


Network connections by the process (if any):

tcp: myserverip:58446 -> 217.23.12.139:80


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00bb8000 r-xp 00000000 08:05 46142352 /usr/bin/php
00db7000-00e7e000 rw-p 007b7000 08:05 46142352 /usr/bin/php
00e7e000-00ea2000 rw-p 00000000 00:00 0
019b1000-021d3000 rw-p 00000000 00:00 0 [heap]
7f12bbc3a000-7f12bbf87000 rw-p 00000000 00:00 0
7f12bbf87000-7f12bc000000 r--s 00000000 08:05 10225276 /var/db/nscd/hosts
7f12bc000000-7f12bc021000 rw-p 00000000 00:00 0
7f12bc021000-7f12c0000000 ---p 00000000 00:00 0
7f12c0028000-7f12c003e000 r-xp 00000000 08:05 37486594 /lib64/libgcc_s-4.4.7-20120601.so.1
7f12c003e000-7f12c023d000 ---p 00016000 08:05 37486594 /lib64/libgcc_s-4.4.7-20120601.so.1
7f12c023d000-7f12c023e000 rw-p 00015000 08:05 37486594 /lib64/libgcc_s-4.4.7-20120601.so.1
7f12c023e000-7f12c023f000 ---p 00000000 00:00 0
7f12c023f000-7f12c0c3f000 rw-p 00000000 00:00 0
7f12c0c3f000-7f12c0c45000 r-xp 00000000 08:05 48891741 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7f12c0c45000-7f12c0e45000 ---p 00006000 08:05 48891741 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7f12c0e45000-7f12c0e46000 rw-p 00006000 08:05 48891741 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7f12c0e46000-7f12c0efe000 r-xp 00000000 08:05 48891586 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7f12c0efe000-7f12c10fd000 ---p 000b8000 08:05 48891586 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7f12c10fd000-7f12c1102000 rw-p 000b7000 08:05 48891586 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7f12c1102000-7f12c1118000 r-xp 00000000 08:05 48891735 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7f12c1118000-7f12c1318000 ---p 00016000 08:05 48891735 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7f12c1318000-7f12c131b000 rw-p 00016000 08:05 48891735 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7f12c131b000-7f12c133a000 r-xp 00000000 08:05 48891322 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7f12c133a000-7f12c153a000 ---p 0001f000 08:05 48891322 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7f12c153a000-7f12c153f000 rw-p 0001f000 08:05 48891322 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7f12c153f000-7f12c1542000 rw-p 00000000 00:00 0
7f12c1542000-7f12c155f000 r-xp 00000000 08:05 37486678 /lib64/libselinux.so.1
7f12c155f000-7f12c175e000 ---p 0001d000 08:05 37486678 /lib64/libselinux.so.1
7f12c175e000-7f12c175f000 r--p 0001c000 08:05 37486678 /lib64/libselinux.so.1
7f12c175f000-7f12c1760000 rw-p 0001d000 08:05 37486678 /lib64/libselinux.so.1
7f12c1760000-7f12c1761000 rw-p 00000000 00:00 0
7f12c1761000-7f12c1763000 r-xp 00000000 08:05 46139958 /usr/lib64/libXau.so.6.0.0
7f12c1763000-7f12c1963000 ---p 00002000 08:05 46139958 /usr/lib64/libXau.so.6.0.0
7f12c1963000-7f12c1964000 rw-p 00002000 08:05 46139958 /usr/lib64/libXau.so.6.0.0
7f12c1964000-7f12c1966000 r-xp 00000000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1966000-7f12c1b65000 ---p 00002000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1b65000-7f12c1b66000 r--p 00001000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1b66000-7f12c1b67000 rw-p 00002000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1b67000-7f12c1b71000 r-xp 00000000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1b71000-7f12c1d70000 ---p 0000a000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1d70000-7f12c1d71000 r--p 00009000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1d71000-7f12c1d72000 rw-p 0000a000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1d72000-7f12c1d90000 r-xp 00000000 08:05 46140002 /usr/lib64/libxcb.so.1.1.0
7f12c1d90000-7f12c1f8f000 ---p 0001e000 08:05 46140002 /usr/lib64/libxcb.so.1.1.0
7f12c1f8f000-7f12c1f90000 rw-p 0001d000 08:05 46140002 /usr/lib64/libxcb.so.1.1.0
7f12c1f90000-7f12c1fa7000 r-xp 00000000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c1fa7000-7f12c21a7000 ---p 00017000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c21a7000-7f12c21a8000 r--p 00017000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c21a8000-7f12c21b3000 rw-p 00018000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c21b3000-7f12c21ca000 r-xp 00000000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c21ca000-7f12c23ca000 ---p 00017000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c23ca000-7f12c23cb000 r--p 00017000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c23cb000-7f12c23cc000 rw-p 00018000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c23cc000-7f12c23d0000 rw-p 00000000 00:00 0
7f12c23d0000-7f12c23d2000 r-xp 00000000 08:05 37486597 /lib64/libfreebl3.so
7f12c23d2000-7f12c25d1000 ---p 00002000 08:05 37486597 /lib64/libfreebl3.so
7f12c25d1000-7f12c25d2000 r--p 00001000 08:05 37486597 /lib64/libfreebl3.so
7f12c25d2000-7f12c25d3000 rw-p 00002000 08:05 37486597 /lib64/libfreebl3.so
7f12c25d3000-7f12c25e9000 r-xp 00000000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c25e9000-7f12c27e9000 ---p 00016000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c27e9000-7f12c27ea000 r--p 00016000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c27ea000-7f12c27eb000 rw-p 00017000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c27eb000-7f12c27ed000 rw-p 00000000 00:00 0
7f12c27ed000-7f12c2977000 r-xp 00000000 08:05 37486607 /lib64/libc-2.12.so
7f12c2977000-7f12c2b77000 ---p 0018a000 08:05 37486607 /lib64/libc-2.12.so
7f12c2b77000-7f12c2b7b000 r--p 0018a000 08:05 37486607 /lib64/libc-2.12.so
7f12c2b7b000-7f12c2b7c000 rw-p 0018e000 08:05 37486607 /lib64/libc-2.12.so
7f12c2b7c000-7f12c2b81000 rw-p 00000000 00:00 0
7f12c2b81000-7f12c2cd1000 r-xp 00000000 08:05 30671843 /opt/xml2/lib/libxml2.so.2.9.2
7f12c2cd1000-7f12c2ed0000 ---p 00150000 08:05 30671843 /opt/xml2/lib/libxml2.so.2.9.2
7f12c2ed0000-7f12c2eda000 rw-p 0014f000 08:05 30671843 /opt/xml2/lib/libxml2.so.2.9.2
7f12c2eda000-7f12c2edb000 rw-p 00000000 00:00 0
7f12c2edb000-7f12c2f73000 r-xp 00000000 08:05 46138358 /usr/lib64/libfreetype.so.6.3.22
7f12c2f73000-7f12c3172000 ---p 00098000 08:05 46138358 /usr/lib64/libfreetype.so.6.3.22
7f12c3172000-7f12c3178000 rw-p 00097000 08:05 46138358 /usr/lib64/libfreetype.so.6.3.22
7f12c3178000-7f12c31aa000 r-xp 00000000 08:05 37486692 /lib64/libidn.so.11.6.1
7f12c31aa000-7f12c33a9000 ---p 00032000 08:05 37486692 /lib64/libidn.so.11.6.1
7f12c33a9000-7f12c33aa000 rw-p 00031000 08:05 37486692 /lib64/libidn.so.11.6.1
7f12c33aa000-7f12c3407000 r-xp 00000000 08:05 30671396 /opt/curlssl/lib/libcurl.so.4.3.0
7f12c3407000-7f12c3606000 ---p 0005d000 08:05 30671396 /opt/curlssl/lib/libcurl.so.4.3.0
7f12c3606000-7f12c3609000 rw-p 0005c000 08:05 30671396 /opt/curlssl/lib/libcurl.so.4.3.0
7f12c3609000-7f12c360c000 r-xp 00000000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c360c000-7f12c380b000 ---p 00003000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c380b000-7f12c380c000 r--p 00002000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c380c000-7f12c380d000 rw-p 00003000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c380d000-7f12c3836000 r-xp 00000000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3836000-7f12c3a36000 ---p 00029000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3a36000-7f12c3a37000 r--p 00029000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3a37000-7f12c3a38000 rw-p 0002a000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3a38000-7f12c3a39000 rw-p 00000000 00:00 0
7f12c3a39000-7f12c3b14000 r-xp 00000000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3b14000-7f12c3d14000 ---p 000db000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3d14000-7f12c3d1e000 r--p 000db000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3d1e000-7f12c3d20000 rw-p 000e5000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3d20000-7f12c3d61000 r-xp 00000000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3d61000-7f12c3f61000 ---p 00041000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3f61000-7f12c3f62000 r--p 00041000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3f62000-7f12c3f64000 rw-p 00042000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3f64000-7f12c3f7a000 r-xp 00000000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c3f7a000-7f12c4179000 ---p 00016000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c4179000-7f12c417a000 r--p 00015000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c417a000-7f12c417b000 rw-p 00016000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c417b000-7f12c417d000 rw-p 00000000 00:00 0
7f12c417d000-7f12c417f000 r-xp 00000000 08:05 37486613 /lib64/libdl-2.12.so
7f12c417f000-7f12c437f000 ---p 00002000 08:05 37486613 /lib64/libdl-2.12.so
7f12c437f000-7f12c4380000 r--p 00002000 08:05 37486613 /lib64/libdl-2.12.so
7f12c4380000-7f12c4381000 rw-p 00003000 08:05 37486613 /lib64/libdl-2.12.so
7f12c4381000-7f12c4404000 r-xp 00000000 08:05 37486615 /lib64/libm-2.12.so
7f12c4404000-7f12c4603000 ---p 00083000 08:05 37486615 /lib64/libm-2.12.so
7f12c4603000-7f12c4604000 r--p 00082000 08:05 37486615 /lib64/libm-2.12.so
7f12c4604000-7f12c4605000 rw-p 00083000 08:05 37486615 /lib64/libm-2.12.so
7f12c4605000-7f12c460c000 r-xp 00000000 08:05 37486635 /lib64/librt-2.12.so
7f12c460c000-7f12c480b000 ---p 00007000 08:05 37486635 /lib64/librt-2.12.so
7f12c480b000-7f12c480c000 r--p 00006000 08:05 37486635 /lib64/librt-2.12.so
7f12c480c000-7f12c480d000 rw-p 00007000 08:05 37486635 /lib64/librt-2.12.so
7f12c480d000-7f12c4850000 r-xp 00000000 08:05 30671950 /opt/pcre/lib/libpcre.so.1.2.6
7f12c4850000-7f12c4a4f000 ---p 00043000 08:05 30671950 /opt/pcre/lib/libpcre.so.1.2.6
7f12c4a4f000-7f12c4a50000 rw-p 00042000 08:05 30671950 /opt/pcre/lib/libpcre.so.1.2.6
7f12c4a50000-7f12c4a8f000 r-xp 00000000 08:05 46138408 /usr/lib64/libjpeg.so.62.0.0
7f12c4a8f000-7f12c4c8f000 ---p 0003f000 08:05 46138408 /usr/lib64/libjpeg.so.62.0.0
7f12c4c8f000-7f12c4c90000 rw-p 0003f000 08:05 46138408 /usr/lib64/libjpeg.so.62.0.0
7f12c4c90000-7f12c4ca0000 rw-p 00000000 00:00 0
7f12c4ca0000-7f12c4cc5000 r-xp 00000000 08:05 46138517 /usr/lib64/libpng12.so.0.49.0
7f12c4cc5000-7f12c4ec5000 ---p 00025000 08:05 46138517 /usr/lib64/libpng12.so.0.49.0
7f12c4ec5000-7f12c4ec6000 rw-p 00025000 08:05 46138517 /usr/lib64/libpng12.so.0.49.0
7f12c4ec6000-7f12c4ed7000 r-xp 00000000 08:05 46140478 /usr/lib64/libXpm.so.4.11.0
7f12c4ed7000-7f12c50d6000 ---p 00011000 08:05 46140478 /usr/lib64/libXpm.so.4.11.0
7f12c50d6000-7f12c50d7000 rw-p 00010000 08:05 46140478 /usr/lib64/libXpm.so.4.11.0
7f12c50d7000-7f12c520e000 r-xp 00000000 08:05 46140006 /usr/lib64/libX11.so.6.3.0
7f12c520e000-7f12c540e000 ---p 00137000 08:05 46140006 /usr/lib64/libX11.so.6.3.0
7f12c540e000-7f12c5414000 rw-p 00137000 08:05 46140006 /usr/lib64/libX11.so.6.3.0
7f12c5414000-7f12c5420000 r-xp 00000000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5420000-7f12c5620000 ---p 0000c000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5620000-7f12c5621000 r--p 0000c000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5621000-7f12c5622000 rw-p 0000d000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5622000-7f12c562b000 r-xp 00000000 08:05 46141113 /usr/lib64/libltdl.so.7.2.1
7f12c562b000-7f12c582a000 ---p 00009000 08:05 46141113 /usr/lib64/libltdl.so.7.2.1
7f12c582a000-7f12c582b000 rw-p 00008000 08:05 46141113 /usr/lib64/libltdl.so.7.2.1
7f12c582b000-7f12c5855000 r-xp 00000000 08:05 30670863 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f12c5855000-7f12c5a54000 ---p 0002a000 08:05 30670863 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f12c5a54000-7f12c5a58000 rw-p 00029000 08:05 30670863 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f12c5a58000-7f12c5a5d000 rw-p 00000000 00:00 0
7f12c5a5d000-7f12c5d37000 r-xp 00000000 08:05 46142060 /usr/lib64/libmysqlclient.so.18.0.0
7f12c5d37000-7f12c5f36000 ---p 002da000 08:05 46142060 /usr/lib64/libmysqlclient.so.18.0.0
7f12c5f36000-7f12c5fba000 rw-p 002d9000 08:05 46142060 /usr/lib64/libmysqlclient.so.18.0.0
7f12c5fba000-7f12c5fbf000 rw-p 00000000 00:00 0
7f12c5fbf000-7f12c5fd4000 r-xp 00000000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c5fd4000-7f12c61d3000 ---p 00015000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c61d3000-7f12c61d4000 r--p 00014000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c61d4000-7f12c61d5000 rw-p 00015000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c61d5000-7f12c6237000 r-xp 00000000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c6237000-7f12c6436000 ---p 00062000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c6436000-7f12c643a000 r--p 00061000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c643a000-7f12c6441000 rw-p 00065000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c6441000-7f12c65fb000 r-xp 00000000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c65fb000-7f12c67fa000 ---p 001ba000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c67fa000-7f12c6815000 r--p 001b9000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c6815000-7f12c6821000 rw-p 001d4000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c6821000-7f12c6825000 rw-p 00000000 00:00 0
7f12c6825000-7f12c682c000 r-xp 00000000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c682c000-7f12c6a2c000 ---p 00007000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c6a2c000-7f12c6a2d000 r--p 00007000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c6a2d000-7f12c6a2e000 rw-p 00008000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c6a2e000-7f12c6a5c000 rw-p 00000000 00:00 0
7f12c6a5c000-7f12c6a7c000 r-xp 00000000 08:05 37486996 /lib64/ld-2.12.so
7f12c6a99000-7f12c6ace000 r--s 00000000 08:05 10225277 /var/db/nscd/services
7f12c6ace000-7f12c6c70000 rw-p 00000000 00:00 0
7f12c6c7a000-7f12c6c7b000 rw-p 00000000 00:00 0
7f12c6c7b000-7f12c6c7c000 r--p 0001f000 08:05 37486996 /lib64/ld-2.12.so
7f12c6c7c000-7f12c6c7d000 rw-p 00020000 08:05 37486996 /lib64/ld-2.12.so
7f12c6c7d000-7f12c6c7e000 rw-p 00000000 00:00 0
7ffca5b28000-7ffca5b3d000 rw-p 00000000 00:00 0 [stack]
7ffca5bd0000-7ffca5bd1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    PHP:
    <?php
    /**
    * @package             Joomla.Site
    * @copyright   Copyright (C) 2005 - 2014 Open Source Matters, Inc. All rights reserved.
    * @license             GNU General Public License version 2 or later; see LICENSE.txt
    */
    define('FILES_BASE'dirname(__FILE__));

    if (    file_exists(FILES_BASE.'/tmp/defines.php')) {
        require_once     FILES_BASE.'/tmp/defines.php';
    }


    // Set flag that this is a parent file.
    define('_JEXEC'1);
    define('DS'DIRECTORY_SEPARATOR);

    if (    file_exists(dirname(__FILE__) . '/defines.php')) {
            include_once     dirname(__FILE__) . '/defines.php';
    }

    if (!    defined('_JDEFINES')) {
                define('JPATH_BASE'dirname(__FILE__));
            require_once     JPATH_BASE.'/includes/defines.php';
    }

    require_once     JPATH_BASE.'/includes/framework.php';

    // Mark afterLoad in the profiler.
    JDEBUG $_PROFILER->mark('afterLoad') : null;

    // Instantiate the application.
    $app JFactory::getApplication('site');

    // Initialise the application.
    $app->initialise();

    // Mark afterIntialise in the profiler.
    JDEBUG $_PROFILER->mark('afterInitialise') : null;

    // Route the application.
    $app->route();

    // Mark afterRoute in the profiler.
    JDEBUG $_PROFILER->mark('afterRoute') : null;

    // Dispatch the application.
    $app->dispatch();

    // Mark afterDispatch in the profiler.
    JDEBUG $_PROFILER->mark('afterDispatch') : null;

    // Render the application.
    $app->render();

    // Mark afterRender in the profiler.
    JDEBUG $_PROFILER->mark('afterRender') : null;

    // Return the response.
    echo $app;
    Please advice

    Thank you
     
    #1 batlinuxman, Apr 25, 2016
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    88
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    The "problem" with joomla is it uses index.php for almost everything, usually query strings (i.e. the info after index.php?) define what is being done.

    It could be a bad or exploited plugin (likely) or other malware issue. I would start with maldet and/or clamav scans of the account or seek out a qualified admin to inspect the running process(es)
     
    #2 quizknows, Apr 25, 2016
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Apr 25, 2016
  4. batlinuxman

    batlinuxman Registered

    Joined:
    Apr 25, 2016
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Home
    cPanel Access Level:
    Root Administrator
    Hello,

    I forgot to mention. I already did maldet scan and it did not found anything. I have maldet and clamv installed as well inotify setup.

    For the processus, I do not know to check or what to do.
     
    #4 batlinuxman, Apr 25, 2016
  5. batlinuxman

    batlinuxman Registered

    Joined:
    Apr 25, 2016
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Home
    cPanel Access Level:
    Root Administrator
    Also, can someone please explain why I have tcp connection to 217.23.12.139 from my server. When I do netstat, it show's
    tcp 0 1 my.server.ip:44601 217.23.12.139:80 SYN_SENT
    I cannot find the source from where the server is sending the connection.
     
    #5 batlinuxman, Apr 26, 2016
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    88
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    use lsof, i.e. "lsof -i :80" to show port 80 connections. You need to find what process id (PID) owns that TCP connection.

    You'll have to sort through the legitimate incoming http connections, but that outbound port 80 connection is likely either a wget or a malicious process. With lsof you can find the pid that owns that network connection.
     
    #6 quizknows, Apr 28, 2016
(You must log in or sign up to post here.)
Loading...
Similar Threads - Joomla Suspicious process
  1. bosprickly

    Using cPanel to configure VPS for Joomla 3.7x and PHP 7.1

    bosprickly, Aug 12, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    505
    cPanelMichael
    Aug 14, 2017
  2. a_sargent

    Error 403 File not Found using Joomla

    a_sargent, Mar 6, 2017, in forum: General Discussion
    Replies:
    1
    Views:
    599
    Infopro
    Mar 6, 2017
  3. Zabidin

    Joomla 2.5 edit problem

    Zabidin, Nov 30, 2016, in forum: General Discussion
    Replies:
    3
    Views:
    536
    Zabidin
    Nov 30, 2016
  4. dcusimano

    lfd reporting excessive resource usage / suspicious process "spamd child"

    dcusimano, May 16, 2018, in forum: Security
    Replies:
    4
    Views:
    1,729
    cPanelLauren
    Oct 10, 2018
  5. Greg M

    CSF/LFD constantly flags Scalar-List-Utils as suspicious

    Greg M, May 14, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    123
    cPanelMichael
    May 15, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice