
lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID 0)

Discussion in 'Security' started by ramindia, Apr 13, 2011.

  1. ramindia

    Hi,

    We have recently installed the plugin ConfigServer Security & Firewall - csf v5.19.

    I get logs like this. Any suggestions? (For security reasons, the USER and domain name have been changed.)


    Apr 13 11:39:26 lfd[13641]: *User Processing* PID:31247 Kill:0 User:USER Time:12681 EXE:/usr/local/cpanel/bin/cpuwatch CMD:/usr/local/cpanel/bin/logrunner 4.0 /usr/local/cpanel/3rdparty/bin/english/webalizer -N 10 -D /home/USER/tmp/webalizer/dns_cache.db -R 250 -p -n domain.com -o /home/USER/tmp/webalizer /usr/local/apache/domlogs/domain.com.bkup
    Apr 13 11:39:26 lfd[13641]: *User Processing* PID:31245 Kill:0 User:USER Time:12681 EXE:/usr/bin/perl CMD:cpanellogd - http logs for USER
    Apr 13 11:43:20 lfd[14011]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 11:48:24 lfd[14269]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 11:53:36 lfd[14558]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 11:58:30 lfd[14884]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:01:13 lfd[15223]: *Suspicious Process* PID:14972 User:USER Uptime:72 secs EXE:/usr/bin/php CMD:php /home/USER/public_html/webmaster/wm_auto.php
    Apr 13 12:03:35 lfd[15309]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:08:35 lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:13:25 lfd[15916]: *LOAD* 5 minute load average is 7.78, threshold is 6 - email sent
    Apr 13 12:13:35 lfd[15932]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:18:35 lfd[16213]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:23:39 lfd[16509]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:28:44 lfd[16878]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:33:47 lfd[17232]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:38:47 lfd[17547]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:39:32 lfd[17554]: *User Processing* PID:31247 Kill:0 User:USER Time:16287 EXE:/usr/local/cpanel/bin/cpuwatch CMD:/usr/local/cpanel/bin/logrunner 4.0 /usr/local/cpanel/3rdparty/bin/english/webalizer -N 10 -D /home/USER/tmp/webalizer/dns_cache.db -R 250 -p -n adomain.com -o /home/USER/tmp/webalizer /usr/local/apache/domlogs/domain.com.bkup
    Apr 13 12:39:32 lfd[17554]: *User Processing* PID:31245 Kill:0 User:USER Time:16287 EXE:/usr/bin/perl CMD:cpanellogd - http logs for USER
    Apr 13 12:43:49 lfd[17856]: *System Exploit* has detected a possible root compromise (admin = UID 0)
     
  2. cPanelTristan

  3. driverC

    Re: lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID

    If you get this at the moment you are logged in, you could enter the command "top" in order to find out what these processes that the warning message is referring to are.
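
Added example, not part of any post in this thread: the alert text names an account (admin) that lfd reports as having UID 0, so a useful first check is to see which accounts actually carry UID 0. The sketch below pulls the flagged names out of lfd log lines and looks them up in a passwd-format file. The function names are hypothetical, the passwd sample is constructed, and it assumes the name in parentheses is a passwd account name.

```shell
#!/bin/sh
# Added example. Log lines are copied from the thread; the passwd file is constructed.

# Print every account in a passwd-format file whose UID is 0, except "root".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the unique account names that appear in lfd "*System Exploit*" alerts.
lfd_flagged_accounts() {
    sed -n 's/.*\*System Exploit\* has detected a possible root compromise (\([^ ]*\) = UID 0).*/\1/p' "$1" | sort -u
}

# For each flagged name, show its passwd entry, or note that it is missing.
# Arguments: <lfd log file> <passwd-format file>
report_flagged() {
    for name in $(lfd_flagged_accounts "$1"); do
        awk -F: -v n="$name" '
            $1 == n { printf "%s uid=%s home=%s shell=%s\n", $1, $3, $6, $7; found = 1 }
            END     { if (!found) printf "%s not-in-passwd\n", n }' "$2"
    done
}

# Sample input so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/bash
USER:x:501:501::/home/USER:/bin/bash
EOF
cat > "$SAMPLE_DIR/lfd.log" <<'EOF'
Apr 13 12:03:35 lfd[15309]: *System Exploit* has detected a possible root compromise (admin = UID 0)
Apr 13 12:08:35 lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID 0)
Apr 13 12:13:25 lfd[15916]: *LOAD* 5 minute load average is 7.78, threshold is 6 - email sent
EOF

report_flagged "$SAMPLE_DIR/lfd.log" "$SAMPLE_DIR/passwd"
```

On a live server, run uid0_accounts against /etc/passwd; any name it prints that the administrator did not create deliberately warrants investigation.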
     