lfd on x.x.x Suspicious process running under user news

sassou2009

Active Member
May 25, 2009
I received more than 3000 messages from lfd, but I don't know the origin of the problem.

Code:
Time:    Mon Apr 11 06:23:27 2011 -0400
PID:     13506
Account: news
Uptime:  78 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):

tcp: (myserverip):46456 -> 67.212.77.13:80


Files open by the process (if any):



Memory maps by the process (if any):

00110000-001f0000 r-xp 00000000 fd:00 85821936   /usr/lib/libstdc++.so.6.0.8
001f0000-001f4000 r--p 000df000 fd:00 85821936   /usr/lib/libstdc++.so.6.0.8
001f4000-001f5000 rw-p 000e3000 fd:00 85821936   /usr/lib/libstdc++.so.6.0.8
001f5000-001fb000 rw-p 001f5000 00:00 0 
001fb000-00325000 r-xp 00000000 fd:00 116393286  /lib/libcrypto.so.0.9.8e
00325000-00338000 rw-p 00129000 fd:00 116393286  /lib/libcrypto.so.0.9.8e
00338000-0033c000 rw-p 00338000 00:00 0 
0033c000-0036e000 r-xp 00000000 fd:00 2228228    /opt/pcre/lib/libpcre.so.0.0.1
0036e000-0036f000 rw-p 00031000 fd:00 2228228    /opt/pcre/lib/libpcre.so.0.0.1
0036f000-00377000 r-xp 00000000 fd:00 85821931   /usr/lib/libkrb5support.so.0.1
00377000-00378000 rw-p 00007000 fd:00 85821931   /usr/lib/libkrb5support.so.0.1
00378000-00379000 r-xp 00000000 fd:00 85919411   /usr/lib/gconv/ISO8859-1.so
00379000-0037b000 rw-p 00000000 fd:00 85919411   /usr/lib/gconv/ISO8859-1.so
0037b000-0037f000 r-xp 00000000 fd:00 116391972  /lib/libnss_dns-2.5.so
0037f000-00380000 r--p 00003000 fd:00 116391972  /lib/libnss_dns-2.5.so
00380000-00381000 rw-p 00004000 fd:00 116391972  /lib/libnss_dns-2.5.so
00394000-00395000 r-xp 00394000 00:00 0          [vdso]
00395000-003bb000 r-xp 00000000 fd:00 85831625   /usr/lib/libk5crypto.so.3.1
003bb000-003bc000 rw-p 00025000 fd:00 85831625   /usr/lib/libk5crypto.so.3.1
0041e000-00462000 r-xp 00000000 fd:00 116393287  /lib/libssl.so.0.9.8e
00462000-00466000 rw-p 00043000 fd:00 116393287  /lib/libssl.so.0.9.8e
00468000-00594000 r-xp 00000000 fd:00 85829664   /usr/lib/libmysqlclient.so.15.0.0
00594000-005c3000 rw-p 0012c000 fd:00 85829664   /usr/lib/libmysqlclient.so.15.0.0
005c3000-005c4000 rw-p 005c3000 00:00 0 
005c4000-00658000 r-xp 00000000 fd:00 85829146   /usr/lib/libkrb5.so.3.3
00658000-0065b000 rw-p 00093000 fd:00 85829146   /usr/lib/libkrb5.so.3.3
0065b000-00774000 r-xp 00000000 fd:00 2228573    /opt/xml2/lib/libxml2.so.2.7.8
00774000-00779000 rw-p 00119000 fd:00 2228573    /opt/xml2/lib/libxml2.so.2.7.8
00779000-0077a000 rw-p 00779000 00:00 0 
007a6000-007c1000 r-xp 00000000 fd:00 116392130  /lib/ld-2.5.so
007c1000-007c2000 r--p 0001a000 fd:00 116392130  /lib/ld-2.5.so
007c2000-007c3000 rw-p 0001b000 fd:00 116392130  /lib/ld-2.5.so
007c5000-00918000 r-xp 00000000 fd:00 116392134  /lib/libc-2.5.so
00918000-0091a000 r--p 00153000 fd:00 116392134  /lib/libc-2.5.so
0091a000-0091b000 rw-p 00155000 fd:00 116392134  /lib/libc-2.5.so
0091b000-0091e000 rw-p 0091b000 00:00 0 
00920000-00923000 r-xp 00000000 fd:00 116392805  /lib/libdl-2.5.so
00923000-00924000 r--p 00002000 fd:00 116392805  /lib/libdl-2.5.so
00924000-00925000 rw-p 00003000 fd:00 116392805  /lib/libdl-2.5.so
00927000-0093c000 r-xp 00000000 fd:00 116392809  /lib/libpthread-2.5.so
0093c000-0093d000 r--p 00015000 fd:00 116392809  /lib/libpthread-2.5.so
0093d000-0093e000 rw-p 00016000 fd:00 116392809  /lib/libpthread-2.5.so
0093e000-00940000 rw-p 0093e000 00:00 0 
00942000-00969000 r-xp 00000000 fd:00 116392220  /lib/libm-2.5.so
00969000-0096a000 r--p 00026000 fd:00 116392220  /lib/libm-2.5.so
0096a000-0096b000 rw-p 00027000 fd:00 116392220  /lib/libm-2.5.so
0096d000-0097f000 r-xp 00000000 fd:00 85828705   /usr/lib/libz.so.1.2.3
0097f000-00980000 rw-p 00011000 fd:00 85828705   /usr/lib/libz.so.1.2.3
00982000-00989000 r-xp 00000000 fd:00 116392810  /lib/librt-2.5.so
00989000-0098a000 r--p 00007000 fd:00 116392810  /lib/librt-2.5.so
0098a000-0098b000 rw-p 00008000 fd:00 116392810  /lib/librt-2.5.so
0098d000-009c8000 r-xp 00000000 fd:00 116393265  /lib/libsepol.so.1
009c8000-009c9000 rw-p 0003b000 fd:00 116393265  /lib/libsepol.so.1
009c9000-009d3000 rw-p 009c9000 00:00 0 
009d5000-009eb000 r-xp 00000000 fd:00 116393266  /lib/libselinux.so.1
009eb000-009ed000 rw-p 00015000 fd:00 116393266  /lib/libselinux.so.1
009ef000-00a04000 r-xp 00000000 fd:00 116392811  /lib/libnsl-2.5.so
00a04000-00a05000 r--p 00014000 fd:00 116392811  /lib/libnsl-2.5.so
00a05000-00a06000 rw-p 00015000 fd:00 116392811  /lib/libnsl-2.5.so
00a06000-00a08000 rw-p 00a06000 00:00 0 
00a0a000-00a13000 r-xp 00000000 fd:00 116392816  /lib/libcrypt-2.5.so
00a13000-00a14000 r--p 00008000 fd:00 116392816  /lib/libcrypt-2.5.so
00a14000-00a15000 rw-p 00009000 fd:00 116392816  /lib/libcrypt-2.5.so
00a15000-00a3c000 rw-p 00a15000 00:00 0 
00a3e000-00a49000 r-xp 00000000 fd:00 116392222  /lib/libgcc_s-4.1.2-20080825.so.1
00a49000-00a4a000 rw-p 0000a000 fd:00 116392222  /lib/libgcc_s-4.1.2-20080825.so.1
00a4c000-00a5c000 r-xp 00000000 fd:00 85830012   /usr/lib/libXpm.so.4.11.0
00a5c000-00a5d000 rw-p 00010000 fd:00 85830012   /usr/lib/libXpm.so.4.11.0
00a5f000-00a8f000 r-xp 00000000 fd:00 85829571   /usr/lib/libidn.so.11.5.19
00a8f000-00a90000 rw-p 0002f000 fd:00 85829571   /usr/lib/libidn.so.11.5.19
00acb000-00ad5000 r-xp 00000000 fd:00 116391986  /lib/libnss_files-2.5.so
00ad5000-00ad6000 r--p 00009000 fd:00 116391986  /lib/libnss_files-2.5.so
00ad6000-00ad7000 rw-p 0000a000 fd:00 116391986  /lib/libnss_files-2.5.so
00ba1000-00bc2000 r-xp 00000000 fd:00 85827642   /usr/lib/libjpeg.so.62.0.0
00bc2000-00bc3000 rw-p 00020000 fd:00 85827642   /usr/lib/libjpeg.so.62.0.0
00c19000-00c1e000 r-xp 00000000 fd:00 85825652   /usr/lib/libXdmcp.so.6.0.0
00c1e000-00c1f000 rw-p 00004000 fd:00 85825652   /usr/lib/libXdmcp.so.6.0.0
00c21000-00c23000 r-xp 00000000 fd:00 85821926   /usr/lib/libXau.so.6.0.0
00c23000-00c24000 rw-p 00001000 fd:00 85821926   /usr/lib/libXau.so.6.0.0
00c26000-00c53000 r-xp 00000000 fd:00 85831632   /usr/lib/libgssapi_krb5.so.2.2
00c53000-00c54000 rw-p 0002d000 fd:00 85831632   /usr/lib/libgssapi_krb5.so.2.2
00c56000-00c7b000 r-xp 00000000 fd:00 85829142   /usr/lib/libpng12.so.0.10.0
00c7b000-00c7c000 rw-p 00024000 fd:00 85829142   /usr/lib/libpng12.so.0.10.0
00c83000-00c9a000 r-xp 00000000 fd:00 116393269  /lib/libaudit.so.0.0.0
00c9a000-00c9c000 rw-p 00016000 fd:00 116393269  /lib/libaudit.so.0.0.0
00c9e000-00ca8000 r-xp 00000000 fd:00 116393273  /lib/libpam.so.0.81.5
00ca8000-00ca9000 rw-p 0000a000 fd:00 116393273  /lib/libpam.so.0.81.5
00cc4000-00cd4000 r-xp 00000000 fd:00 116392815  /lib/libresolv-2.5.so
00cd4000-00cd5000 r--p 0000f000 fd:00 116392815  /lib/libresolv-2.5.so
00cd5000-00cd6000 rw-p 00010000 fd:00 116392815  /lib/libresolv-2.5.so
00cd6000-00cd8000 rw-p 00cd6000 00:00 0 
00cda000-00cdc000 r-xp 00000000 fd:00 116393280  /lib/libkeyutils-1.2.so
00cdc000-00cdd000 rw-p 00001000 fd:00 116393280  /lib/libkeyutils-1.2.so
00cdf000-00ce1000 r-xp 00000000 fd:00 116393285  /lib/libcom_err.so.2.1
00ce1000-00ce2000 rw-p 00001000 fd:00 116393285  /lib/libcom_err.so.2.1
00ce9000-00de8000 r-xp 00000000 fd:00 85828876   /usr/lib/libX11.so.6.2.0
00de8000-00dec000 rw-p 000ff000 fd:00 85828876   /usr/lib/libX11.so.6.2.0
00e9e000-00ee9000 r-xp 00000000 fd:00 2228361    /opt/curlssl/lib/libcurl.so.4.2.0
00ee9000-00eeb000 rw-p 0004b000 fd:00 2228361    /opt/curlssl/lib/libcurl.so.4.2.0
08048000-08486000 r-xp 00000000 fd:00 85829876   /usr/bin/php
08486000-084b0000 rw-p 0043d000 fd:00 85829876   /usr/bin/php
084b0000-084ba000 rw-p 084b0000 00:00 0 
0870d000-099cb000 rw-p 0870d000 00:00 0          [heap]
b76c1000-b7742000 rw-p b76c1000 00:00 0 
b7742000-b7883000 rw-p b7883000 00:00 0 
b7883000-b7a87000 rw-p b7883000 00:00 0 
b7a87000-b7a8e000 r--s 00000000 fd:00 85919485   /usr/lib/gconv/gconv-modules.cache
b7a8e000-b7a8f000 r--p 0146a000 fd:00 85830195   /usr/lib/locale/locale-archive
b7a8f000-b7ac9000 r--p 013e9000 fd:00 85830195   /usr/lib/locale/locale-archive
b7ac9000-b7cc9000 r--p 00000000 fd:00 85830195   /usr/lib/locale/locale-archive
b7cc9000-b7fd7000 rw-p b7cc9000 00:00 0 
b7fe0000-b7fe1000 rw-p b7fe0000 00:00 0 
bfbd3000-bfbe8000 rw-p bffe9000 00:00 0          [stack]
Please help.

flashweb

Well-Known Member
Mar 13, 2003
cPanel Access Level
Root Administrator
This is because some PHP script running on your server connects to port 80 of a remote server. You can ignore this message. If you don't want to get more messages like this, edit

Code:
/etc/csf/csf.pignore
Add

Code:
exe:/usr/bin/php
and restart csf.
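Whether to silence the alert or look into it first is a judgement call, and the alert text itself carries most of what a defender needs to make it: the account, the executable, the command line, and the remote endpoint. The Python below is an added example, not part of this thread and not csf's or lfd's own code. It parses an alert in the format quoted above (a constructed copy with documentation-range IPs in place of the real ones), checks which csf.pignore entries would suppress it (only the `exe:` and `user:` entry types are modelled), and lists the facts worth confirming before whitelisting. The names `parse_alert`, `pignore_match` and `triage_notes` are this example's own.

```python
# Triage helper for lfd "Suspicious process" alerts against csf.pignore rules.
# Added example; not part of the thread, csf or lfd. Only exe: and user:
# pignore entry types are modelled (both are real csf.pignore keywords).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the alert in the thread; IPs are placeholders.
SAMPLE_ALERT = """\
Time:    Mon Apr 11 06:23:27 2011 -0400
PID:     13506
Account: news
Uptime:  78 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php

Network connections by the process (if any):

tcp: 192.0.2.10:46456 -> 198.51.100.7:80

Files open by the process (if any):

Memory maps by the process (if any):

08048000-08486000 r-xp 00000000 fd:00 85829876   /usr/bin/php
"""

@dataclass
class Connection:
    proto: str
    local: str
    remote: str

    @property
    def remote_port(self) -> int:
        return int(self.remote.rsplit(":", 1)[1])

@dataclass
class LfdAlert:
    time: str
    pid: int
    account: str
    uptime: str
    executable: str
    cmdline: str
    connections: List[Connection] = field(default_factory=list)
    open_files: List[str] = field(default_factory=list)

_CONN_RE = re.compile(r"^(\w+):\s*(\S+)\s*->\s*(\S+)$")

def parse_alert(text: str) -> LfdAlert:
    """Split the alert into its 'Key: value' header and its 'Heading:' sections."""
    fields: Dict[str, str] = {}
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                 # a section heading such as "Executable:"
            current = line[:-1].split(" (")[0]  # drop "(often faked in exploits)" etc.
            sections[current] = []
        elif current is None:                  # still in the Time/PID/Account/Uptime header
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        else:
            sections[current].append(line)
    conns = [Connection(*m.groups())
             for entry in sections.get("Network connections by the process", [])
             if (m := _CONN_RE.match(entry))]
    return LfdAlert(
        time=fields["Time"], pid=int(fields["PID"]), account=fields["Account"],
        uptime=fields["Uptime"],
        executable=(sections.get("Executable") or [""])[0],
        cmdline=" ".join(sections.get("Command Line", [])),
        connections=conns,
        open_files=sections.get("Files open by the process", []),
    )

def pignore_match(alert: LfdAlert, pignore_lines: List[str]) -> Optional[str]:
    """Return the first csf.pignore entry that would silence this alert, or None."""
    for raw in pignore_lines:
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blanks are ignored
            continue
        kind, _, value = line.partition(":")
        if kind == "exe" and value == alert.executable:
            return line
        if kind == "user" and value == alert.account:
            return line
    return None

def triage_notes(alert: LfdAlert) -> List[str]:
    """Facts a defender should settle before whitelisting instead of investigating."""
    notes = []
    if alert.cmdline.strip() == alert.executable:
        notes.append("command line names no script; find it via cron/web logs at the alert time")
    for c in alert.connections:
        notes.append(f"outbound {c.proto} to {c.remote} (port {c.remote_port}) as account '{alert.account}'")
    if not alert.open_files:
        notes.append("no open files recorded; the script may have finished or been removed")
    return notes

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(pignore_match(a, ["# ignore all php", "exe:/usr/bin/php"]))  # the thread's fix: silences every php process
    print(pignore_match(a, ["user:someaccount"]))                      # narrower rule: 'news' still alerts
    for n in triage_notes(a):
        print("-", n)
```

The `exe:/usr/bin/php` entry from the reply above suppresses the alert for every account on the server, so a process under an unexpected account would never be reported again; a `user:` entry for the one account whose cron job or script is known to make the connection keeps the rest of the coverage.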