ldf suspicious process

Discussion in 'General Discussion' started by Morley, Jan 9, 2009.

  1. Morley

    Morley Well-Known Member

    Today I received this message and I am not sure if it was an attempted email attack or if spamd or SpamAssassin went crazy. Can anyone tell me what this looks like?
    __________________________________
    Time: Fri Jan 9 13:19:13 2009 -0800
    PID: 22606
    Account: magic
    Uptime: 53530 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:42200


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
    /home/magic/.spamassassin/bayes_toks
    /home/magic/.spamassassin/bayes_seen


    Memory maps by the process (if any):

     
  2. BMCK

    BMCK Member

    I received the same messages today... :confused:
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  4. rharvey32

    rharvey32 Member

    ldf fix for spamd and awstats.pl

    This is what I did and it fixed it.
    Choose firewall.
    Choose ldf process ignore.

    Then add these to your list.

    exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 3.0 /usr/local/cpanel/3rdparty/bin/awstats.pl
    exe:/usr/bin/perl cmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats.pl
    cmd:/usr/local/cpanel/bin/logrunner 3.0 /usr/local/cpanel/3rdparty/bin/awstats.pl
    cmd:spamd child
    exe:/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
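
A triage check for the alert in the first post, as an added example that is not part of any post in this thread and is not csf/lfd code: it parses the alert text and lists anything that does not fit a spamd child as that alert shows it. The function names and the expected profile (executable, local endpoint 127.0.0.1:783, path prefixes) are assumptions taken from the alert above.

```python
# Constructed sample: the alert from the first post, trimmed (no memory maps).
ALERT = """\
Account: magic
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42200
Files open by the process (if any):
/usr/bin/spamd
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
/home/magic/.spamassassin/bayes_toks
"""
HEADINGS = {"Executable": "exe", "Command Line": "cmd",
            "Network connections": "net", "Files open": "files"}

def parse_alert(text):
    """Split an lfd process-tracking alert into its sections."""
    out = {"account": "", "exe": [], "cmd": [], "net": [], "files": []}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Account:"):
            out["account"] = line.split(":", 1)[1].strip()
        elif line.endswith(":"):  # section heading; unknown ones are skipped
            current = next((k for h, k in HEADINGS.items() if line.startswith(h)), None)
        elif line and current:
            out[current].append(line)
    return out

def spamd_findings(text):
    """List what does not fit the assumed spamd profile (empty = consistent)."""
    a = parse_alert(text)
    # Assumed profile, taken from the alert in this thread, not from csf/lfd.
    ok_prefixes = ("/dev/null", "/usr/bin/spamd", "/usr/lib/perl5/",
                   "/var/lib/spamassassin/", f"/home/{a['account']}/.spamassassin/")
    findings = []
    if a["exe"] != ["/usr/bin/perl"]:
        findings.append(f"unexpected executable: {a['exe']}")
    if "/usr/bin/spamd" not in a["files"]:
        findings.append("spamd script is not among the open files")
    for conn in a["net"]:
        parts = conn.split()
        if len(parts) != 4 or parts[1] != "127.0.0.1:783":
            findings.append(f"unexpected connection: {conn}")
    findings += [f"unexpected open file: {p}" for p in a["files"]
                 if not p.startswith(ok_prefixes)]
    return findings
```

An empty list from `spamd_findings(ALERT)` means the process matches what the alert in this thread shows. The command line is set by the process itself, so the `spamd child` string alone says nothing about what is actually running.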
     