Joomla Suspicious process running under user homepage index.php

batlinuxman

Registered
Apr 25, 2016
cPanel Access Level
Root Administrator
Hello,

I am a long-time user of cPanel, but I am asking for a favor for the first time :)

Hope you guys can help me out.

I have a few Joomla websites on cPanel. Some of them are working well, but one Joomla website is causing me an issue.

The website is taking a long time to load and I am getting an alert by email (see message below).

It says that my index.php file might have been exploited???
Please also find the index.php file below.

I tried using the original Joomla index.php file, but I get the same issue: long loading time and the alert email.

My server info:
  • CENTOS 6.7 x86_64 standard – cl-t181-105cl
  • WHM 56.0 (build 5)
  • I have root access to the server
  • Iptables used
  • CSF activated
  • Maldet activated

HTML:
Time: Mon Apr 23 08:17:30 2016 -0400

PID: 6893 (Parent PID:4091)
Account: username
Uptime: 102 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/username/public_html/index.php


Network connections by the process (if any):

tcp: myserverip:58446 -> 217.23.12.139:80


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00bb8000 r-xp 00000000 08:05 46142352 /usr/bin/php
00db7000-00e7e000 rw-p 007b7000 08:05 46142352 /usr/bin/php
00e7e000-00ea2000 rw-p 00000000 00:00 0
019b1000-021d3000 rw-p 00000000 00:00 0 [heap]
7f12bbc3a000-7f12bbf87000 rw-p 00000000 00:00 0
7f12bbf87000-7f12bc000000 r--s 00000000 08:05 10225276 /var/db/nscd/hosts
7f12bc000000-7f12bc021000 rw-p 00000000 00:00 0
7f12bc021000-7f12c0000000 ---p 00000000 00:00 0
7f12c0028000-7f12c003e000 r-xp 00000000 08:05 37486594 /lib64/libgcc_s-4.4.7-20120601.so.1
7f12c003e000-7f12c023d000 ---p 00016000 08:05 37486594 /lib64/libgcc_s-4.4.7-20120601.so.1
7f12c023d000-7f12c023e000 rw-p 00015000 08:05 37486594 /lib64/libgcc_s-4.4.7-20120601.so.1
7f12c023e000-7f12c023f000 ---p 00000000 00:00 0
7f12c023f000-7f12c0c3f000 rw-p 00000000 00:00 0
7f12c0c3f000-7f12c0c45000 r-xp 00000000 08:05 48891741 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7f12c0c45000-7f12c0e45000 ---p 00006000 08:05 48891741 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7f12c0e45000-7f12c0e46000 rw-p 00006000 08:05 48891741 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7f12c0e46000-7f12c0efe000 r-xp 00000000 08:05 48891586 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7f12c0efe000-7f12c10fd000 ---p 000b8000 08:05 48891586 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7f12c10fd000-7f12c1102000 rw-p 000b7000 08:05 48891586 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7f12c1102000-7f12c1118000 r-xp 00000000 08:05 48891735 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7f12c1118000-7f12c1318000 ---p 00016000 08:05 48891735 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7f12c1318000-7f12c131b000 rw-p 00016000 08:05 48891735 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7f12c131b000-7f12c133a000 r-xp 00000000 08:05 48891322 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7f12c133a000-7f12c153a000 ---p 0001f000 08:05 48891322 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7f12c153a000-7f12c153f000 rw-p 0001f000 08:05 48891322 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7f12c153f000-7f12c1542000 rw-p 00000000 00:00 0
7f12c1542000-7f12c155f000 r-xp 00000000 08:05 37486678 /lib64/libselinux.so.1
7f12c155f000-7f12c175e000 ---p 0001d000 08:05 37486678 /lib64/libselinux.so.1
7f12c175e000-7f12c175f000 r--p 0001c000 08:05 37486678 /lib64/libselinux.so.1
7f12c175f000-7f12c1760000 rw-p 0001d000 08:05 37486678 /lib64/libselinux.so.1
7f12c1760000-7f12c1761000 rw-p 00000000 00:00 0
7f12c1761000-7f12c1763000 r-xp 00000000 08:05 46139958 /usr/lib64/libXau.so.6.0.0
7f12c1763000-7f12c1963000 ---p 00002000 08:05 46139958 /usr/lib64/libXau.so.6.0.0
7f12c1963000-7f12c1964000 rw-p 00002000 08:05 46139958 /usr/lib64/libXau.so.6.0.0
7f12c1964000-7f12c1966000 r-xp 00000000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1966000-7f12c1b65000 ---p 00002000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1b65000-7f12c1b66000 r--p 00001000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1b66000-7f12c1b67000 rw-p 00002000 08:05 37486804 /lib64/libkeyutils.so.1.3
7f12c1b67000-7f12c1b71000 r-xp 00000000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1b71000-7f12c1d70000 ---p 0000a000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1d70000-7f12c1d71000 r--p 00009000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1d71000-7f12c1d72000 rw-p 0000a000 08:05 37486813 /lib64/libkrb5support.so.0.1
7f12c1d72000-7f12c1d90000 r-xp 00000000 08:05 46140002 /usr/lib64/libxcb.so.1.1.0
7f12c1d90000-7f12c1f8f000 ---p 0001e000 08:05 46140002 /usr/lib64/libxcb.so.1.1.0
7f12c1f8f000-7f12c1f90000 rw-p 0001d000 08:05 46140002 /usr/lib64/libxcb.so.1.1.0
7f12c1f90000-7f12c1fa7000 r-xp 00000000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c1fa7000-7f12c21a7000 ---p 00017000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c21a7000-7f12c21a8000 r--p 00017000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c21a8000-7f12c21b3000 rw-p 00018000 08:05 37486665 /lib64/libaudit.so.1.0.0
7f12c21b3000-7f12c21ca000 r-xp 00000000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c21ca000-7f12c23ca000 ---p 00017000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c23ca000-7f12c23cb000 r--p 00017000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c23cb000-7f12c23cc000 rw-p 00018000 08:05 37486631 /lib64/libpthread-2.12.so
7f12c23cc000-7f12c23d0000 rw-p 00000000 00:00 0
7f12c23d0000-7f12c23d2000 r-xp 00000000 08:05 37486597 /lib64/libfreebl3.so
7f12c23d2000-7f12c25d1000 ---p 00002000 08:05 37486597 /lib64/libfreebl3.so
7f12c25d1000-7f12c25d2000 r--p 00001000 08:05 37486597 /lib64/libfreebl3.so
7f12c25d2000-7f12c25d3000 rw-p 00002000 08:05 37486597 /lib64/libfreebl3.so
7f12c25d3000-7f12c25e9000 r-xp 00000000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c25e9000-7f12c27e9000 ---p 00016000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c27e9000-7f12c27ea000 r--p 00016000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c27ea000-7f12c27eb000 rw-p 00017000 08:05 37486633 /lib64/libresolv-2.12.so
7f12c27eb000-7f12c27ed000 rw-p 00000000 00:00 0
7f12c27ed000-7f12c2977000 r-xp 00000000 08:05 37486607 /lib64/libc-2.12.so
7f12c2977000-7f12c2b77000 ---p 0018a000 08:05 37486607 /lib64/libc-2.12.so
7f12c2b77000-7f12c2b7b000 r--p 0018a000 08:05 37486607 /lib64/libc-2.12.so
7f12c2b7b000-7f12c2b7c000 rw-p 0018e000 08:05 37486607 /lib64/libc-2.12.so
7f12c2b7c000-7f12c2b81000 rw-p 00000000 00:00 0
7f12c2b81000-7f12c2cd1000 r-xp 00000000 08:05 30671843 /opt/xml2/lib/libxml2.so.2.9.2
7f12c2cd1000-7f12c2ed0000 ---p 00150000 08:05 30671843 /opt/xml2/lib/libxml2.so.2.9.2
7f12c2ed0000-7f12c2eda000 rw-p 0014f000 08:05 30671843 /opt/xml2/lib/libxml2.so.2.9.2
7f12c2eda000-7f12c2edb000 rw-p 00000000 00:00 0
7f12c2edb000-7f12c2f73000 r-xp 00000000 08:05 46138358 /usr/lib64/libfreetype.so.6.3.22
7f12c2f73000-7f12c3172000 ---p 00098000 08:05 46138358 /usr/lib64/libfreetype.so.6.3.22
7f12c3172000-7f12c3178000 rw-p 00097000 08:05 46138358 /usr/lib64/libfreetype.so.6.3.22
7f12c3178000-7f12c31aa000 r-xp 00000000 08:05 37486692 /lib64/libidn.so.11.6.1
7f12c31aa000-7f12c33a9000 ---p 00032000 08:05 37486692 /lib64/libidn.so.11.6.1
7f12c33a9000-7f12c33aa000 rw-p 00031000 08:05 37486692 /lib64/libidn.so.11.6.1
7f12c33aa000-7f12c3407000 r-xp 00000000 08:05 30671396 /opt/curlssl/lib/libcurl.so.4.3.0
7f12c3407000-7f12c3606000 ---p 0005d000 08:05 30671396 /opt/curlssl/lib/libcurl.so.4.3.0
7f12c3606000-7f12c3609000 rw-p 0005c000 08:05 30671396 /opt/curlssl/lib/libcurl.so.4.3.0
7f12c3609000-7f12c360c000 r-xp 00000000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c360c000-7f12c380b000 ---p 00003000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c380b000-7f12c380c000 r--p 00002000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c380c000-7f12c380d000 rw-p 00003000 08:05 37486671 /lib64/libcom_err.so.2.1
7f12c380d000-7f12c3836000 r-xp 00000000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3836000-7f12c3a36000 ---p 00029000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3a36000-7f12c3a37000 r--p 00029000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3a37000-7f12c3a38000 rw-p 0002a000 08:05 37486809 /lib64/libk5crypto.so.3.1
7f12c3a38000-7f12c3a39000 rw-p 00000000 00:00 0
7f12c3a39000-7f12c3b14000 r-xp 00000000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3b14000-7f12c3d14000 ---p 000db000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3d14000-7f12c3d1e000 r--p 000db000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3d1e000-7f12c3d20000 rw-p 000e5000 08:05 37486811 /lib64/libkrb5.so.3.3
7f12c3d20000-7f12c3d61000 r-xp 00000000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3d61000-7f12c3f61000 ---p 00041000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3f61000-7f12c3f62000 r--p 00041000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3f62000-7f12c3f64000 rw-p 00042000 08:05 37486805 /lib64/libgssapi_krb5.so.2.2
7f12c3f64000-7f12c3f7a000 r-xp 00000000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c3f7a000-7f12c4179000 ---p 00016000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c4179000-7f12c417a000 r--p 00015000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c417a000-7f12c417b000 rw-p 00016000 08:05 37486617 /lib64/libnsl-2.12.so
7f12c417b000-7f12c417d000 rw-p 00000000 00:00 0
7f12c417d000-7f12c417f000 r-xp 00000000 08:05 37486613 /lib64/libdl-2.12.so
7f12c417f000-7f12c437f000 ---p 00002000 08:05 37486613 /lib64/libdl-2.12.so
7f12c437f000-7f12c4380000 r--p 00002000 08:05 37486613 /lib64/libdl-2.12.so
7f12c4380000-7f12c4381000 rw-p 00003000 08:05 37486613 /lib64/libdl-2.12.so
7f12c4381000-7f12c4404000 r-xp 00000000 08:05 37486615 /lib64/libm-2.12.so
7f12c4404000-7f12c4603000 ---p 00083000 08:05 37486615 /lib64/libm-2.12.so
7f12c4603000-7f12c4604000 r--p 00082000 08:05 37486615 /lib64/libm-2.12.so
7f12c4604000-7f12c4605000 rw-p 00083000 08:05 37486615 /lib64/libm-2.12.so
7f12c4605000-7f12c460c000 r-xp 00000000 08:05 37486635 /lib64/librt-2.12.so
7f12c460c000-7f12c480b000 ---p 00007000 08:05 37486635 /lib64/librt-2.12.so
7f12c480b000-7f12c480c000 r--p 00006000 08:05 37486635 /lib64/librt-2.12.so
7f12c480c000-7f12c480d000 rw-p 00007000 08:05 37486635 /lib64/librt-2.12.so
7f12c480d000-7f12c4850000 r-xp 00000000 08:05 30671950 /opt/pcre/lib/libpcre.so.1.2.6
7f12c4850000-7f12c4a4f000 ---p 00043000 08:05 30671950 /opt/pcre/lib/libpcre.so.1.2.6
7f12c4a4f000-7f12c4a50000 rw-p 00042000 08:05 30671950 /opt/pcre/lib/libpcre.so.1.2.6
7f12c4a50000-7f12c4a8f000 r-xp 00000000 08:05 46138408 /usr/lib64/libjpeg.so.62.0.0
7f12c4a8f000-7f12c4c8f000 ---p 0003f000 08:05 46138408 /usr/lib64/libjpeg.so.62.0.0
7f12c4c8f000-7f12c4c90000 rw-p 0003f000 08:05 46138408 /usr/lib64/libjpeg.so.62.0.0
7f12c4c90000-7f12c4ca0000 rw-p 00000000 00:00 0
7f12c4ca0000-7f12c4cc5000 r-xp 00000000 08:05 46138517 /usr/lib64/libpng12.so.0.49.0
7f12c4cc5000-7f12c4ec5000 ---p 00025000 08:05 46138517 /usr/lib64/libpng12.so.0.49.0
7f12c4ec5000-7f12c4ec6000 rw-p 00025000 08:05 46138517 /usr/lib64/libpng12.so.0.49.0
7f12c4ec6000-7f12c4ed7000 r-xp 00000000 08:05 46140478 /usr/lib64/libXpm.so.4.11.0
7f12c4ed7000-7f12c50d6000 ---p 00011000 08:05 46140478 /usr/lib64/libXpm.so.4.11.0
7f12c50d6000-7f12c50d7000 rw-p 00010000 08:05 46140478 /usr/lib64/libXpm.so.4.11.0
7f12c50d7000-7f12c520e000 r-xp 00000000 08:05 46140006 /usr/lib64/libX11.so.6.3.0
7f12c520e000-7f12c540e000 ---p 00137000 08:05 46140006 /usr/lib64/libX11.so.6.3.0
7f12c540e000-7f12c5414000 rw-p 00137000 08:05 46140006 /usr/lib64/libX11.so.6.3.0
7f12c5414000-7f12c5420000 r-xp 00000000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5420000-7f12c5620000 ---p 0000c000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5620000-7f12c5621000 r--p 0000c000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5621000-7f12c5622000 rw-p 0000d000 08:05 37486733 /lib64/libpam.so.0.82.2
7f12c5622000-7f12c562b000 r-xp 00000000 08:05 46141113 /usr/lib64/libltdl.so.7.2.1
7f12c562b000-7f12c582a000 ---p 00009000 08:05 46141113 /usr/lib64/libltdl.so.7.2.1
7f12c582a000-7f12c582b000 rw-p 00008000 08:05 46141113 /usr/lib64/libltdl.so.7.2.1
7f12c582b000-7f12c5855000 r-xp 00000000 08:05 30670863 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f12c5855000-7f12c5a54000 ---p 0002a000 08:05 30670863 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f12c5a54000-7f12c5a58000 rw-p 00029000 08:05 30670863 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f12c5a58000-7f12c5a5d000 rw-p 00000000 00:00 0
7f12c5a5d000-7f12c5d37000 r-xp 00000000 08:05 46142060 /usr/lib64/libmysqlclient.so.18.0.0
7f12c5d37000-7f12c5f36000 ---p 002da000 08:05 46142060 /usr/lib64/libmysqlclient.so.18.0.0
7f12c5f36000-7f12c5fba000 rw-p 002d9000 08:05 46142060 /usr/lib64/libmysqlclient.so.18.0.0
7f12c5fba000-7f12c5fbf000 rw-p 00000000 00:00 0
7f12c5fbf000-7f12c5fd4000 r-xp 00000000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c5fd4000-7f12c61d3000 ---p 00015000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c61d3000-7f12c61d4000 r--p 00014000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c61d4000-7f12c61d5000 rw-p 00015000 08:05 37486658 /lib64/libz.so.1.2.3
7f12c61d5000-7f12c6237000 r-xp 00000000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c6237000-7f12c6436000 ---p 00062000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c6436000-7f12c643a000 r--p 00061000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c643a000-7f12c6441000 rw-p 00065000 08:05 46139534 /usr/lib64/libssl.so.1.0.1e
7f12c6441000-7f12c65fb000 r-xp 00000000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c65fb000-7f12c67fa000 ---p 001ba000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c67fa000-7f12c6815000 r--p 001b9000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c6815000-7f12c6821000 rw-p 001d4000 08:05 46139532 /usr/lib64/libcrypto.so.1.0.1e
7f12c6821000-7f12c6825000 rw-p 00000000 00:00 0
7f12c6825000-7f12c682c000 r-xp 00000000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c682c000-7f12c6a2c000 ---p 00007000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c6a2c000-7f12c6a2d000 r--p 00007000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c6a2d000-7f12c6a2e000 rw-p 00008000 08:05 37486611 /lib64/libcrypt-2.12.so
7f12c6a2e000-7f12c6a5c000 rw-p 00000000 00:00 0
7f12c6a5c000-7f12c6a7c000 r-xp 00000000 08:05 37486996 /lib64/ld-2.12.so
7f12c6a99000-7f12c6ace000 r--s 00000000 08:05 10225277 /var/db/nscd/services
7f12c6ace000-7f12c6c70000 rw-p 00000000 00:00 0
7f12c6c7a000-7f12c6c7b000 rw-p 00000000 00:00 0
7f12c6c7b000-7f12c6c7c000 r--p 0001f000 08:05 37486996 /lib64/ld-2.12.so
7f12c6c7c000-7f12c6c7d000 rw-p 00020000 08:05 37486996 /lib64/ld-2.12.so
7f12c6c7d000-7f12c6c7e000 rw-p 00000000 00:00 0
7ffca5b28000-7ffca5b3d000 rw-p 00000000 00:00 0 [stack]
7ffca5bd0000-7ffca5bd1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
PHP:
<?php
/**
 * @package     Joomla.Site
 * @copyright   Copyright (C) 2005 - 2014 Open Source Matters, Inc. All rights reserved.
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */

// This block is not in the index.php that Joomla ships. It runs before
// _JEXEC is even defined and pulls in whatever PHP sits in tmp/defines.php,
// inside a directory Joomla requires to be writable by PHP, on every request.
define('FILES_BASE', dirname(__FILE__));

if (file_exists(FILES_BASE . '/tmp/defines.php')) {
    require_once FILES_BASE . '/tmp/defines.php';
}

// Set flag that this is a parent file.
define('_JEXEC', 1);
define('DS', DIRECTORY_SEPARATOR);

// Optional site-level override of the path constants (stock behaviour).
if (file_exists(dirname(__FILE__) . '/defines.php')) {
    include_once dirname(__FILE__) . '/defines.php';
}

if (!defined('_JDEFINES')) {
    define('JPATH_BASE', dirname(__FILE__));
    require_once JPATH_BASE . '/includes/defines.php';
}

require_once JPATH_BASE . '/includes/framework.php';

// Mark afterLoad in the profiler.
JDEBUG ? $_PROFILER->mark('afterLoad') : null;

// Instantiate the application.
$app = JFactory::getApplication('site');

// Initialise the application.
$app->initialise();

// Mark afterInitialise in the profiler.
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;

// Route the application.
$app->route();

// Mark afterRoute in the profiler.
JDEBUG ? $_PROFILER->mark('afterRoute') : null;

// Dispatch the application.
$app->dispatch();

// Mark afterDispatch in the profiler.
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;

// Render the application.
$app->render();

// Mark afterRender in the profiler.
JDEBUG ? $_PROFILER->mark('afterRender') : null;

// Return the response.
echo $app;
Please advise.

Thank you
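As an added example (not part of the post above and not Joomla's own code), a small POSIX shell script that does the check this index.php invites: flag any require/include in a Joomla index.php whose target lives in a directory Joomla needs to be writable (tmp/, cache/, images/, logs/), and list PHP files sitting in those directories across all cPanel accounts. The index.php that ships with Joomla loads only defines.php, includes/defines.php and includes/framework.php. The directory list, the /home/*/public_html layout (cPanel's default) and the sample file, built from the prelude posted above, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: flags include/require statements
# in a Joomla index.php that load code from directories Joomla needs to be
# writable (tmp/, cache/, images/, logs/), then lists PHP files found in
# those directories. Assumes POSIX sh with grep -E and mktemp; the
# directory list and the /home/*/public_html layout are assumptions.

WRITABLE_DIRS='tmp|cache|images|logs'

# A require/include (optionally _once), anything, then a path segment that
# starts with one of the writable directories.
PATTERN="^[[:space:]]*(require|include)(_once)?[[:space:]]*\(?.*[/'\"](${WRITABLE_DIRS})/"

# suspicious_includes FILE: print matching lines with their line numbers.
suspicious_includes() {
    grep -nE "$PATTERN" "$1" || true
}

# count_suspicious FILE: number of matching lines (prints 0 when clean).
count_suspicious() {
    grep -cE "$PATTERN" "$1" || true
}

# scan_accounts: check every cPanel account's index.php, then list PHP files
# sitting in the writable directories, where stock Joomla keeps no code.
scan_accounts() {
    for f in /home/*/public_html/index.php; do
        [ -f "$f" ] || continue
        n=$(count_suspicious "$f")
        [ "$n" -gt 0 ] && suspicious_includes "$f" | sed "s|^|$f:|"
    done
    for d in /home/*/public_html/tmp /home/*/public_html/cache; do
        [ -d "$d" ] && find "$d" -type f -name '*.php' -print
    done
}

# Constructed sample: the prelude from the posted index.php plus stock lines.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
<?php
// constructed sample for the demo
define('FILES_BASE', dirname(__FILE__));
if (file_exists(FILES_BASE.'/tmp/defines.php')) {
    require_once FILES_BASE.'/tmp/defines.php';
}
define('_JEXEC', 1);
if (file_exists(dirname(__FILE__) . '/defines.php')) {
    include_once dirname(__FILE__) . '/defines.php';
}
if (!defined('_JDEFINES')) {
    define('JPATH_BASE', dirname(__FILE__));
    require_once JPATH_BASE.'/includes/defines.php';
}
require_once JPATH_BASE.'/includes/framework.php';
EOF

# usage: sh scan.sh --scan   (as root, on the server)
#        sh scan.sh          (runs the parser over the constructed sample)
if [ "$1" = "--scan" ]; then
    scan_accounts
else
    suspicious_includes "$SAMPLE_FILE"   # prints the tmp/defines.php line only
fi
```

Only the `require_once FILES_BASE.'/tmp/defines.php'` line is reported; the stock includes of defines.php and includes/*.php do not match. A hit is a reason to read the target file, not proof on its own, and a match count of 0 says nothing about code hidden elsewhere in the tree.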
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
The "problem" with Joomla is that it uses index.php for almost everything; usually the query string (i.e. the info after index.php?) defines what is being done.

It could be a bad or exploited plugin (likely) or another malware issue. I would start with maldet and/or ClamAV scans of the account, or seek out a qualified admin to inspect the running process(es).
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011

batlinuxman

Registered
Apr 25, 2016
cPanel Access Level
Root Administrator
Hello,

I forgot to mention: I already did a maldet scan and it did not find anything. I have maldet and ClamAV installed, as well as inotify set up.

For the processes, I do not know how to check or what to do.
 

batlinuxman

Registered
Apr 25, 2016
cPanel Access Level
Root Administrator
Also, can someone please explain why I have a TCP connection to 217.23.12.139 from my server? When I do netstat, it shows:
tcp 0 1 my.server.ip:44601 217.23.12.139:80 SYN_SENT
I cannot find the source from which the server is sending the connection.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Use lsof, i.e. "lsof -i :80", to show port 80 connections. You need to find which process ID (PID) owns that TCP connection.

You'll have to sort through the legitimate incoming HTTP connections, but that outbound port 80 connection is likely either a wget or a malicious process. With lsof you can find the PID that owns that network connection.
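As an added example that is not part of quizknows's post: a POSIX shell script that does the lsof step described above and then collects, from /proc, what a responder wants to record about the owning process before killing it. It assumes Linux with lsof, awk and /proc; the lsof-style sample output embedded in it is constructed (the PID 6893 and the IP 217.23.12.139 are taken from the lfd alert in the first post). The parser is written to work on unfiltered `lsof -nP -i` output as well, so it can also be fed a saved listing.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts: given a remote IP
# seen in netstat or an lfd alert, find the local process(es) holding a
# connection to it and record the context a responder wants before killing
# anything. Assumes Linux with /proc, lsof and awk. The lsof-style sample
# below is constructed; the PID and IP come from the alert in the thread.

# pids_from_lsof IP: read `lsof -nP -i` output on stdin and print the unique
# PIDs whose connection line points at IP (the "->IP:port" half of NAME).
# Requiring "->" skips LISTEN sockets and connections to other peers, so the
# function works on the unfiltered output of `lsof -nP -i` too.
pids_from_lsof() {
    awk -v ip="$1" 'NR > 1 && index($0, "->" ip ":") > 0 { print $2 }' | sort -un
}

# describe_pid PID: dump executable, argv, cwd, uid, parent and open files.
# lfd warns that the command line is "often faked": argv lives in the
# process's own memory, while /proc/PID/exe is maintained by the kernel, so
# the two are printed side by side for comparison.
describe_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "pid $pid: no longer running"; return 1; }
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
    echo "== PID $pid =="
    echo "exe (kernel):   $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "argv (process): $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "cwd:            $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "uid:            $(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")"
    echo "parent:         $ppid $(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null)"
    echo "open files:"
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        echo "  $(basename "$fd") -> $(readlink "$fd")"
    done
}

# triage IP: ask lsof for sockets involving IP, then describe each owner.
triage() {
    lsof -nP -i "@$1" 2>/dev/null | pids_from_lsof "$1" | while read -r pid; do
        describe_pid "$pid" || true
    done
}

# Constructed sample in the layout of `lsof -nP -i`: one listener, one
# inbound client, and the outbound PHP process from the alert.
SAMPLE_LSOF='COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   2201   nobody   4u  IPv4 100001      0t0  TCP *:80 (LISTEN)
httpd   2202   nobody   9u  IPv4 100002      0t0  TCP 10.0.0.5:80->198.51.100.7:51234 (ESTABLISHED)
php     6893 username    3u  IPv4 100003      0t0  TCP 10.0.0.5:58446->217.23.12.139:80 (SYN_SENT)
php     6893 username    5u  IPv4 100004      0t0  TCP 10.0.0.5:58447->217.23.12.139:80 (ESTABLISHED)'

# demo: run the parser over the constructed sample; prints 6893 once.
demo() {
    printf '%s\n' "$SAMPLE_LSOF" | pids_from_lsof 217.23.12.139
}

# usage: sh triage.sh 217.23.12.139   (as root, on the server)
#        sh triage.sh                 (offline demo on the sample)
if [ $# -gt 0 ]; then
    triage "$1"
else
    demo
fi
```

Run it as root, otherwise lsof and /proc expose only your own processes. The exe-versus-argv comparison is the direct check for lfd's "often faked" caveat; an exe link ending in "(deleted)", a cwd under /tmp, or a parent that is a cron or web-server worker are the other things worth writing down before the process is killed, since a short-lived connection in SYN_SENT (as in the netstat line above) may be gone by the time you look again.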