
lfd on <host>: Suspicious process running under user <user>

Discussion in 'Security' started by augustin, Oct 25, 2013.

  1. augustin

    augustin Registered

    Joined:
    Mar 22, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Recently uploaded a Joomla site to a temporary folder. Now every time I access /administrator I keep getting this email:

    Code:
    Time:    Fri Oct 25 18:38:19 2013 +0800
    PID:    32537 (Parent PID:32501)
    Account: <user>
    Uptime:  642 seconds
    
    
    Executable:
    
    /usr/bin/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php /home/<user>/public_html/<temp_dir>/administrator/index.php
    
    
    Network connections by the process (if any):
    
    tcp: 192.190.84.47:57863 -> 72.21.81.253:80
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    What does this mean? Someone please help.
     
  2. STS Admin

    STS Admin Well-Known Member

    Joined:
    Jul 8, 2012
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi

    Your PHP handler is FCGI and CSF is installed on your server. FCGI processes are cached/remain in memory for faster execution and speed. LFD sent you a warning because it had been running for the past 642 seconds. You can ignore it. You should white-list the process by adding the line below to /etc/csf/csf.pignore and restart LFD.

    cmd:/usr/bin/php /home/<user>/public_html/<temp_dir>/administrator/index.php
     
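Added example (not code from this thread, cPanel or ConfigServer): a Python parser for an alert in the format quoted above, checked against csf.pignore entries so an admin can see which line would silence it and whether the match rests only on the command line, which the alert header itself notes is often faked. The sample alert, account name and IP addresses are constructed; the entry kinds exe:/cmd:/user: and their regex forms pexe:/pcmd:/puser: are the ones csf.pignore documents.

```python
import re

# Constructed sample alert in lfd's mail format (placeholder account, RFC 5737 addresses; not real hosts)
SAMPLE_ALERT = """\
Time:    Fri Oct 25 18:38:19 2013 +0800
PID:    32537 (Parent PID:32501)
Account: exampleuser
Uptime:  642 seconds

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/exampleuser/public_html/tmpsite/administrator/index.php

Network connections by the process (if any):
tcp: 192.0.2.10:57863 -> 203.0.113.5:80
"""

# Section headers of the alert body (the Command Line header itself warns the value can be faked)
SECTION_RE = re.compile(r"^(Executable|Command Line|Network connections|Files open|Memory maps)\b[^:]*:\s*$")

def parse_alert(text):
    """Extract account, uptime in seconds, exe, cmd and network connections from an lfd alert."""
    info = {"account": None, "uptime": None, "exe": None, "cmd": None, "connections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Account:"):
            info["account"] = line.split(":", 1)[1].strip()
        elif line.startswith("Uptime:"):
            info["uptime"] = int(line.split(":", 1)[1].split()[0])
        elif (m := SECTION_RE.match(line)):
            section = m.group(1).split()[0].lower()  # executable / command / network / ...
        elif line and section == "executable":
            info["exe"] = line
        elif line and section == "command":
            info["cmd"] = line
        elif line and section == "network":
            info["connections"].append(line)
    return info

FIELD_FOR = {"exe": "exe", "pexe": "exe", "cmd": "cmd", "pcmd": "cmd", "user": "account", "puser": "account"}

def pignore_matches(entry, info):
    """True if one csf.pignore line (exe:/cmd:/user: exact, pexe:/pcmd:/puser: regex) covers the process."""
    kind, _, value = entry.partition(":")
    field = FIELD_FOR.get(kind)
    if field is None or info[field] is None:
        return False
    if kind.startswith("p"):
        return re.search(value, info[field]) is not None
    return info[field] == value

def review(info, pignore_lines):
    """List the pignore lines covering the alert and flag when only the spoofable command line matched."""
    entries = [e.strip() for e in pignore_lines if e.strip() and not e.strip().startswith("#")]
    matched = [e for e in entries if pignore_matches(e, info)]
    cmd_only = bool(matched) and all(e.partition(":")[0] in ("cmd", "pcmd") for e in matched)
    return {"matched": matched, "cmd_only": cmd_only}
```

A cmd_only result means the ignore rule would be satisfied by any process that presents that command line, so the admin knows the decision rests on a field lfd itself marks as unreliable.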
  3. augustin

    augustin Registered

    Joined:
    Mar 22, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Thanks for the quick reply. Added the ignore line.

    I was worried it might be an injected script in one of the extensions, since I don't know where it pulled the IP 72.21.81.253 from. IP lookup points to some private sites.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter: