lfd on <host>: Suspicious process running under user <user>

Discussion in 'Security' started by augustin, Oct 25, 2013.

  1. augustin

    augustin Registered

    Joined:
    Mar 22, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Recently uploaded a Joomla site to a temporary folder. Now every time I access /administrator I keep getting this email:

    Code:
    Time:    Fri Oct 25 18:38:19 2013 +0800
    PID:    32537 (Parent PID:32501)
    Account: <user>
    Uptime:  642 seconds
    
    
    Executable:
    
    /usr/bin/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php /home/<user>/public_html/<temp_dir>/administrator/index.php
    
    
    Network connections by the process (if any):
    
    tcp: 192.190.84.47:57863 -> 72.21.81.253:80
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    08048000-08774000 r-xp 00000000 00:41 60168225                          /usr/bin/php
    08774000-08783000 rw-p 0072b000 00:41 60168225                          /usr/bin/php
    08783000-087a1000 rw-p 00000000 00:00 0
    09e9c000-0a6aa000 rw-p 00000000 00:00 0                                  [heap]
    b5800000-b5821000 rw-p 00000000 00:00 0
    b5821000-b5900000 ---p 00000000 00:00 0
    b594f000-b595b000 r-xp 00000000 00:41 59248281                          /lib/libnss_files-2.12.so
    b595b000-b595c000 r--p 0000b000 00:41 59248281                          /lib/libnss_files-2.12.so
    b595c000-b595d000 rw-p 0000c000 00:41 59248281                          /lib/libnss_files-2.12.so
    b595d000-b597a000 r-xp 00000000 00:41 59248204                          /lib/libgcc_s-4.4.7-20120601.so.1
    b597a000-b597b000 rw-p 0001d000 00:41 59248204                          /lib/libgcc_s-4.4.7-20120601.so.1
    b597b000-b597c000 ---p 00000000 00:00 0
    b597c000-b637c000 rwxp 00000000 00:00 0
    b637c000-b6449000 r-xp 00000000 00:41 62261158                          /usr/local/Zend/lib/Guard-5.5.0/php-5.3.x/ZendGuardLoader.so
    b6449000-b645b000 rw-p 000cd000 00:41 62261158                          /usr/local/Zend/lib/Guard-5.5.0/php-5.3.x/ZendGuardLoader.so
    b645b000-b645e000 rw-p 00000000 00:00 0
    b645e000-b6534000 r-xp 00000000 00:41 62261157                          /usr/local/IonCube/ioncube_loader_lin_5.3.so
    b6534000-b6537000 rw-p 000d6000 00:41 62261157                          /usr/local/IonCube/ioncube_loader_lin_5.3.so
    b6537000-b6561000 rw-p 00000000 00:00 0
    b659b000-b65a0000 r-xp 00000000 00:41 59248279                          /lib/libnss_dns-2.12.so
    b65a0000-b65a1000 r--p 00004000 00:41 59248279                          /lib/libnss_dns-2.12.so
    b65a1000-b65a2000 rw-p 00005000 00:41 59248279                          /lib/libnss_dns-2.12.so
    b65a2000-b65a6000 rw-p 00000000 00:00 0
    b65a6000-b65c3000 r-xp 00000000 00:41 59248311                          /lib/libselinux.so.1
    b65c3000-b65c4000 r--p 0001c000 00:41 59248311                          /lib/libselinux.so.1
    b65c4000-b65c5000 rw-p 0001d000 00:41 59248311                          /lib/libselinux.so.1
    b65c5000-b65c6000 rw-p 00000000 00:00 0
    b65c6000-b65c8000 r-xp 00000000 00:41 60692666                          /usr/lib/libXau.so.6.0.0
    b65c8000-b65c9000 rw-p 00001000 00:41 60692666                          /usr/lib/libXau.so.6.0.0
    b65c9000-b65e2000 r-xp 00000000 00:41 60693061                          /usr/lib/libsasl2.so.2.0.23
    b65e2000-b65e3000 r--p 00018000 00:41 60693061                          /usr/lib/libsasl2.so.2.0.23
    b65e3000-b65e4000 rw-p 00019000 00:41 60693061                          /usr/lib/libsasl2.so.2.0.23
    b65e4000-b661e000 r-xp 00000000 00:41 59248276                          /lib/libnspr4.so
    b661e000-b661f000 r--p 00039000 00:41 59248276                          /lib/libnspr4.so
    b661f000-b6620000 rw-p 0003a000 00:41 59248276                          /lib/libnspr4.so
    b6620000-b6622000 rw-p 00000000 00:00 0
    b6622000-b6626000 r-xp 00000000 00:41 59248297                          /lib/libplc4.so
    b6626000-b6627000 r--p 00003000 00:41 59248297                          /lib/libplc4.so
    b6627000-b6628000 rw-p 00004000 00:41 59248297                          /lib/libplc4.so
    b6628000-b662b000 r-xp 00000000 00:41 59248298                          /lib/libplds4.so
    b662b000-b662c000 r--p 00002000 00:41 59248298                          /lib/libplds4.so
    b662c000-b662d000 rw-p 00003000 00:41 59248298                          /lib/libplds4.so
    b662d000-b662e000 rw-p 00000000 00:00 0
    b662e000-b664f000 r-xp 00000000 00:41 60692992                          /usr/lib/libnssutil3.so
    b664f000-b6652000 r--p 00020000 00:41 60692992                          /usr/lib/libnssutil3.so
    b6652000-b6653000 rw-p 00023000 00:41 60692992                          /usr/lib/libnssutil3.so
    b6653000-b6789000 r-xp 00000000 00:41 60692980                          /usr/lib/libnss3.so
    b6789000-b678c000 r--p 00135000 00:41 60692980                          /usr/lib/libnss3.so
    b678c000-b678e000 rw-p 00138000 00:41 60692980                          /usr/lib/libnss3.so
    b678e000-b67b6000 r-xp 00000000 00:41 60693066                          /usr/lib/libsmime3.so
    b67b6000-b67b8000 r--p 00027000 00:41 60693066                          /usr/lib/libsmime3.so
    b67b8000-b67b9000 rw-p 00029000 00:41 60693066                          /usr/lib/libsmime3.so
    b67b9000-b67ed000 r-xp 00000000 00:41 60693076                          /usr/lib/libssl3.so
    b67ed000-b67ee000 r--p 00034000 00:41 60693076                          /usr/lib/libssl3.so
    b67ee000-b67ef000 rw-p 00035000 00:41 60693076                          /usr/lib/libssl3.so
    b67ef000-b67fc000 r-xp 00000000 00:41 59248253                          /lib/liblber-2.4.so.2.5.6
    b67fc000-b67fd000 r--p 0000d000 00:41 59248253                          /lib/liblber-2.4.so.2.5.6
    b67fd000-b67fe000 rw-p 0000e000 00:41 59248253                          /lib/liblber-2.4.so.2.5.6
    b67fe000-b67ff000 rw-p 00000000 00:00 0
    b67ff000-b6801000 r-xp 00000000 00:41 59248247                          /lib/libkeyutils.so.1.3
    b6801000-b6802000 r--p 00001000 00:41 59248247                          /lib/libkeyutils.so.1.3
    b6802000-b6803000 rw-p 00002000 00:41 59248247                          /lib/libkeyutils.so.1.3
    b6803000-b680d000 r-xp 00000000 00:41 59248251                          /lib/libkrb5support.so.0.1
    b680d000-b680e000 r--p 00009000 00:41 59248251                          /lib/libkrb5support.so.0.1
    b680e000-b680f000 rw-p 0000a000 00:41 59248251                          /lib/libkrb5support.so.0.1
    b680f000-b682e000 r-xp 00000000 00:41 60693188                          /usr/lib/libxcb.so.1.1.0
    b682e000-b682f000 rw-p 0001f000 00:41 60693188                          /usr/lib/libxcb.so.1.1.0
    b682f000-b6846000 r-xp 00000000 00:41 59248166                          /lib/libaudit.so.1.0.0
    b6846000-b6847000 r--p 00016000 00:41 59248166                          /lib/libaudit.so.1.0.0
    b6847000-b684c000 rw-p 00017000 00:41 59248166                          /lib/libaudit.so.1.0.0
    b684c000-b6863000 r-xp 00000000 00:41 59248303                          /lib/libpthread-2.12.so
    b6863000-b6864000 r--p 00016000 00:41 59248303                          /lib/libpthread-2.12.so
    b6864000-b6865000 rw-p 00017000 00:41 59248303                          /lib/libpthread-2.12.so
    b6865000-b6868000 rw-p 00000000 00:00 0
    b6868000-b68b7000 r-xp 00000000 00:41 59248203                          /lib/libfreebl3.so
    b68b7000-b68b8000 r--p 0004e000 00:41 59248203                          /lib/libfreebl3.so
    b68b8000-b68b9000 rw-p 0004f000 00:41 59248203                          /lib/libfreebl3.so
    b68b9000-b68bd000 rw-p 00000000 00:00 0
    b68bd000-b68d2000 r-xp 00000000 00:41 59248307                          /lib/libresolv-2.12.so
    b68d2000-b68d3000 ---p 00015000 00:41 59248307                          /lib/libresolv-2.12.so
    b68d3000-b68d4000 r--p 00015000 00:41 59248307                          /lib/libresolv-2.12.so
    b68d4000-b68d5000 rw-p 00016000 00:41 59248307                          /lib/libresolv-2.12.so
    b68d5000-b68d7000 rw-p 00000000 00:00 0
    b68d7000-b6a67000 r-xp 00000000 00:41 59248173                          /lib/libc-2.12.so
    b6a67000-b6a68000 ---p 00190000 00:41 59248173                          /lib/libc-2.12.so
    b6a68000-b6a6a000 r--p 00190000 00:41 59248173                          /lib/libc-2.12.so
    b6a6a000-b6a6b000 rw-p 00192000 00:41 59248173                          /lib/libc-2.12.so
    b6a6b000-b6a6e000 rw-p 00000000 00:00 0
    b6a6e000-b6bd6000 r-xp 00000000 00:41 59515562                          /opt/xml2/lib/libxml2.so.2.9.0
    b6bd6000-b6bdb000 rw-p 00168000 00:41 59515562                          /opt/xml2/lib/libxml2.so.2.9.0
    b6bdb000-b6bdc000 rw-p 00000000 00:00 0
    b6bdc000-b6c1c000 r-xp 00000000 00:41 59515963                          /opt/xslt/lib/libxslt.so.1.1.27
    b6c1c000-b6c1d000 rw-p 00040000 00:41 59515963                          /opt/xslt/lib/libxslt.so.1.1.27
    b6c1d000-b6c69000 r-xp 00000000 00:41 59248255                          /lib/libldap-2.4.so.2.5.6
    b6c69000-b6c6a000 r--p 0004b000 00:41 59248255                          /lib/libldap-2.4.so.2.5.6
    b6c6a000-b6c6b000 rw-p 0004c000 00:41 59248255                          /lib/libldap-2.4.so.2.5.6
    b6c6b000-b6c6c000 rw-p 00000000 00:00 0
    b6c6c000-b6c9d000 r-xp 00000000 00:41 59248227                          /lib/libidn.so.11.6.1
    b6c9d000-b6c9e000 rw-p 00030000 00:41 59248227                          /lib/libidn.so.11.6.1
    b6c9e000-b6cf1000 r-xp 00000000 00:41 59377620                          /opt/curlssl/lib/libcurl.so.4.2.0
    b6cf1000-b6cf3000 rw-p 00052000 00:41 59377620                          /opt/curlssl/lib/libcurl.so.4.2.0
    b6cf3000-b6cf6000 r-xp 00000000 00:41 59248182                          /lib/libcom_err.so.2.1
    b6cf6000-b6cf7000 r--p 00002000 00:41 59248182                          /lib/libcom_err.so.2.1
    b6cf7000-b6cf8000 rw-p 00003000 00:41 59248182                          /lib/libcom_err.so.2.1
    b6cf8000-b6d20000 r-xp 00000000 00:41 59248245                          /lib/libk5crypto.so.3.1
    b6d20000-b6d21000 r--p 00028000 00:41 59248245                          /lib/libk5crypto.so.3.1
    b6d21000-b6d22000 rw-p 00029000 00:41 59248245                          /lib/libk5crypto.so.3.1
    b6d22000-b6d23000 rw-p 00000000 00:00 0
    b6d23000-b6df9000 r-xp 00000000 00:41 59248249                          /lib/libkrb5.so.3.3
    b6df9000-b6dff000 r--p 000d5000 00:41 59248249                          /lib/libkrb5.so.3.3
    b6dff000-b6e00000 rw-p 000db000 00:41 59248249                          /lib/libkrb5.so.3.3
    b6e00000-b6e01000 rw-p 00000000 00:00 0
    b6e01000-b6e3f000 r-xp 00000000 00:41 59248219                          /lib/libgssapi_krb5.so.2.2
    b6e3f000-b6e40000 r--p 0003e000 00:41 59248219                          /lib/libgssapi_krb5.so.2.2
    b6e40000-b6e41000 rw-p 0003f000 00:41 59248219                          /lib/libgssapi_krb5.so.2.2
    b6e41000-b6e58000 r-xp 00000000 00:41 59248274                          /lib/libnsl-2.12.so
    b6e58000-b6e59000 r--p 00016000 00:41 59248274                          /lib/libnsl-2.12.so
    b6e59000-b6e5a000 rw-p 00017000 00:41 59248274                          /lib/libnsl-2.12.so
    b6e5a000-b6e5c000 rw-p 00000000 00:00 0
    b6e5c000-b6ea0000 r-xp 00000000 00:41 59377729                          /opt/pcre/lib/libpcre.so.0.0.1
    b6ea0000-b6ea1000 rw-p 00043000 00:41 59377729                          /opt/pcre/lib/libpcre.so.0.0.1
    b6ea1000-b6ee7000 r-xp 00000000 00:41 60692912                          /usr/lib/libjpeg.so.62.0.0
    b6ee7000-b6ee8000 rw-p 00046000 00:41 60692912                          /usr/lib/libjpeg.so.62.0.0
    b6ee8000-b6ef8000 rw-p 00000000 00:00 0
    b6ef8000-b6f1f000 r-xp 00000000 00:41 60693034                          /usr/lib/libpng12.so.0.49.0
    b6f1f000-b6f20000 rw-p 00026000 00:41 60693034                          /usr/lib/libpng12.so.0.49.0
    b6f20000-b6f30000 r-xp 00000000 00:41 60692690                          /usr/lib/libXpm.so.4.11.0
    b6f30000-b6f31000 rw-p 00010000 00:41 60692690                          /usr/lib/libXpm.so.4.11.0
    b6f31000-b6f32000 rw-p 00000000 00:00 0
    b6f32000-b7067000 r-xp 00000000 00:41 60692663                          /usr/lib/libX11.so.6.3.0
    b7067000-b706b000 rw-p 00134000 00:41 60692663                          /usr/lib/libX11.so.6.3.0
    b706b000-b70ff000 r-xp 00000000 00:41 60692827                          /usr/lib/libfreetype.so.6.3.22
    b70ff000-b7103000 rw-p 00094000 00:41 60692827                          /usr/lib/libfreetype.so.6.3.22
    b7103000-b710f000 r-xp 00000000 00:41 59248290                          /lib/libpam.so.0.82.2
    b710f000-b7110000 r--p 0000b000 00:41 59248290                          /lib/libpam.so.0.82.2
    b7110000-b7111000 rw-p 0000c000 00:41 59248290                          /lib/libpam.so.0.82.2
    b7111000-b7165000 r-xp 00000000 00:41 60693074                          /usr/lib/libssl.so.1.0.0
    b7165000-b7167000 r--p 00054000 00:41 60693074                          /usr/lib/libssl.so.1.0.0
    b7167000-b716a000 rw-p 00056000 00:41 60693074                          /usr/lib/libssl.so.1.0.0
    b716a000-b72df000 r-xp 00000000 00:41 60692759                          /usr/lib/libcrypto.so.1.0.0
    b72df000-b72e0000 ---p 00175000 00:41 60692759                          /usr/lib/libcrypto.so.1.0.0
    b72e0000-b72ee000 r--p 00175000 00:41 60692759                          /usr/lib/libcrypto.so.1.0.0
    b72ee000-b72f4000 rw-p 00183000 00:41 60692759                          /usr/lib/libcrypto.so.1.0.0
    b72f4000-b72f8000 rw-p 00000000 00:00 0
    b72f8000-b7301000 r-xp 00000000 00:41 60692941                          /usr/lib/libltdl.so.7.2.1
    b7301000-b7302000 rw-p 00008000 00:41 60692941                          /usr/lib/libltdl.so.7.2.1
    b7302000-b732f000 r-xp 00000000 00:41 59377684                          /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    b732f000-b7332000 rw-p 0002c000 00:41 59377684                          /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    b7332000-b7338000 rw-p 00000000 00:00 0
    b7338000-b75ee000 r-xp 00000000 00:41 60692968                          /usr/lib/libmysqlclient.so.18.0.0
    b75ee000-b7667000 rw-p 002b5000 00:41 60692968                          /usr/lib/libmysqlclient.so.18.0.0
    b7667000-b766a000 rw-p 00000000 00:00 0
    b766a000-b7671000 r-xp 00000000 00:41 59248309                          /lib/librt-2.12.so
    b7671000-b7672000 r--p 00006000 00:41 59248309                          /lib/librt-2.12.so
    b7672000-b7673000 rw-p 00007000 00:41 59248309                          /lib/librt-2.12.so
    b7673000-b7676000 r-xp 00000000 00:41 59248192                          /lib/libdl-2.12.so
    b7676000-b7677000 r--p 00002000 00:41 59248192                          /lib/libdl-2.12.so
    b7677000-b7678000 rw-p 00003000 00:41 59248192                          /lib/libdl-2.12.so
    b7678000-b76a0000 r-xp 00000000 00:41 59248260                          /lib/libm-2.12.so
    b76a0000-b76a1000 r--p 00027000 00:41 59248260                          /lib/libm-2.12.so
    b76a1000-b76a2000 rw-p 00028000 00:41 59248260                          /lib/libm-2.12.so
    b76a2000-b76a3000 rw-p 00000000 00:00 0
    b76a3000-b76b6000 r-xp 00000000 00:41 59515958                          /opt/xslt/lib/libexslt.so.0.8.16
    b76b6000-b76b7000 rw-p 00012000 00:41 59515958                          /opt/xslt/lib/libexslt.so.0.8.16
    b76b7000-b76c9000 r-xp 00000000 00:41 59248334                          /lib/libz.so.1.2.3
    b76c9000-b76ca000 r--p 00011000 00:41 59248334                          /lib/libz.so.1.2.3
    b76ca000-b76cb000 rw-p 00012000 00:41 59248334                          /lib/libz.so.1.2.3
    b76cb000-b76d2000 r-xp 00000000 00:41 59248183                          /lib/libcrypt-2.12.so
    b76d2000-b76d3000 r--p 00007000 00:41 59248183                          /lib/libcrypt-2.12.so
    b76d3000-b76d4000 rw-p 00008000 00:41 59248183                          /lib/libcrypt-2.12.so
    b76d4000-b76fb000 rw-p 00000000 00:00 0
    b7703000-b7704000 rw-p 00000000 00:00 0
    b7704000-b7705000 r-xp 00000000 00:00 0                                  [vdso]
    b7705000-b7723000 r-xp 00000000 00:41 59248149                          /lib/ld-2.12.so
    b7723000-b7724000 r--p 0001d000 00:41 59248149                          /lib/ld-2.12.so
    b7724000-b7725000 rw-p 0001e000 00:41 59248149                          /lib/ld-2.12.so
    bf9cc000-bf9e0000 rwxp 00000000 00:00 0                                  [stack]
    bf9e0000-bf9e1000 rw-p 00000000 00:00 0 
    What does this mean? Someone please help.
     
  2. STS Admin

    STS Admin Well-Known Member

    Joined:
    Jul 8, 2012
    Messages:
    47
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi

    Your PHP handler is FCGI and CSF is installed on your server. FCGI processes are cached/remain in memory for faster execution and speed. LFD sent you a warning because it had been running for the past 642 seconds. You can ignore it. You should white-list the process by adding the line below to /etc/csf/csf.pignore and restarting LFD.

    cmd:/usr/bin/php /home/<user>/public_html/<temp_dir>/administrator/index.php
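The two things an administrator does with an alert like the one above are (1) read the fields lfd prints (account, uptime, executable, command line, network connections) and (2) decide which csf.pignore entry, if any, should silence it. The script below is an added example, not code from the thread or from csf/lfd itself: it parses a constructed copy of the alert (user, directory and IPs replaced with documentation values) and checks it against csf.pignore-style lines. The entry types exe:, user:, cmd:, pexe:, puser: and pcmd: are csf's own syntax; treating the p* forms as full-match regular expressions is this example's assumption, since the real matching is done by lfd in Perl.

```python
"""Parse an lfd "Suspicious process" alert and test csf.pignore coverage.

Added example, not part of the forum thread. The sample alert is a
constructed, trimmed version of the thread's alert.
"""
import re
from typing import Optional

# Constructed sample: same layout as the thread's alert, placeholder values.
SAMPLE_ALERT = """\
Time:    Fri Oct 25 18:38:19 2013 +0800
PID:    32537 (Parent PID:32501)
Account: exampleuser
Uptime:  642 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/exampleuser/public_html/tmp_site/administrator/index.php


Network connections by the process (if any):

tcp: 192.0.2.10:57863 -> 198.51.100.7:80


Files open by the process (if any):



Memory maps by the process (if any):

08048000-08774000 r-xp 00000000 00:41 60168225                          /usr/bin/php
"""

# Fixed section headers lfd prints in a process tracking alert.
HEADERS = (
    "Executable:",
    "Command Line (often faked in exploits):",
    "Network connections by the process (if any):",
    "Files open by the process (if any):",
    "Memory maps by the process (if any):",
)
CONN_RE = re.compile(r"^(tcp6?|udp6?):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def _sections(text: str) -> dict:
    """Split the alert body into {header: [non-empty lines]}."""
    out, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in HEADERS:
            current = stripped
            out[current] = []
        elif current is not None and stripped:
            out[current].append(stripped)
    return out


def parse_alert(text: str) -> dict:
    """Extract account, uptime, executable, command line and connections."""
    acct = re.search(r"^Account:\s*(\S+)", text, re.M)
    up = re.search(r"^Uptime:\s*(\d+)\s+seconds", text, re.M)
    if not (acct and up):
        raise ValueError("not an lfd process tracking alert")
    sec = _sections(text)
    exe = sec.get("Executable:", [])
    cmd = sec.get("Command Line (often faked in exploits):", [])
    if len(exe) != 1 or len(cmd) != 1:
        raise ValueError("expected exactly one executable and one command line")
    conns = []
    for line in sec.get("Network connections by the process (if any):", []):
        m = CONN_RE.match(line)
        if m:  # (proto, local ip, local port, remote ip, remote port)
            conns.append((m.group(1), m.group(2), int(m.group(3)),
                          m.group(4), int(m.group(5))))
    return {"account": acct.group(1), "uptime": int(up.group(1)),
            "exe": exe[0], "cmd": cmd[0], "connections": conns}


def pignore_matches(entry: str, alert: dict) -> bool:
    """True if one csf.pignore line covers the alerted process.

    exe:/user:/cmd: compare literally; pexe:/puser:/pcmd: are regexes
    (full match is this example's assumption). Comments and unknown
    prefixes never match. Note the command line is attacker-controllable
    (lfd's own header says "often faked"), so exe: and user: are the
    fields to trust when reviewing an alert.
    """
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return False
    kind, _, value = entry.partition(":")
    field = {"exe": "exe", "pexe": "exe", "user": "account",
             "puser": "account", "cmd": "cmd", "pcmd": "cmd"}.get(kind)
    if field is None:
        return False
    target = alert[field]
    if kind.startswith("p"):
        try:
            return re.fullmatch(value, target) is not None
        except re.error:
            return False
    return value == target


def first_covering_entry(pignore_text: str, alert: dict) -> Optional[str]:
    """Return the first csf.pignore line that silences this alert, or None."""
    for line in pignore_text.splitlines():
        if pignore_matches(line, alert):
            return line.strip()
    return None


def suggested_entry(alert: dict) -> str:
    """Narrowest entry: the exact command line, as the thread's answer gives.
    exe:/usr/bin/php would also work but ignores every PHP process on the box."""
    return "cmd:" + alert["cmd"]


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"{a['account']} ran {a['exe']} for {a['uptime']}s; connections: {a['connections']}")
    print("covered by:", first_covering_entry("# comment\nuser:root\n", a))
    print("suggested:", suggested_entry(a))
```

Before adding the suggested line, review the network connections the parser surfaces: a long-lived FCGI worker is expected, but the outbound destination is what separates a benign cached handler from something worth investigating, and a cmd: entry only stops the alert, it does not vet the process.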
     
  3. augustin

    augustin Registered

    Joined:
    Mar 22, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the quick reply. Added the ignore line.

    I was worried it might be an injected script in one of the extensions, since I don't know where it pulled the IP 72.21.81.253 from. IP lookup points to some private sites.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator