The Community Forums


lfd on x.x.x Suspicious process running under user news

Discussion in 'General Discussion' started by sassou2009, Apr 12, 2011.

  1. sassou2009

    sassou2009 Active Member

    I received more than 3000 messages from lfd, but I don't know the origin of the problem.

    Code:
    Time:    Mon Apr 11 06:23:27 2011 -0400
    PID:     13506
    Account: news
    Uptime:  78 seconds
    
    
    Executable:
    
    /usr/bin/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php
    
    
    Network connections by the process (if any):
    
    tcp: (myserverip):46456 -> 67.212.77.13:80
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    00110000-001f0000 r-xp 00000000 fd:00 85821936   /usr/lib/libstdc++.so.6.0.8
    001f0000-001f4000 r--p 000df000 fd:00 85821936   /usr/lib/libstdc++.so.6.0.8
    001f4000-001f5000 rw-p 000e3000 fd:00 85821936   /usr/lib/libstdc++.so.6.0.8
    001f5000-001fb000 rw-p 001f5000 00:00 0 
    001fb000-00325000 r-xp 00000000 fd:00 116393286  /lib/libcrypto.so.0.9.8e
    00325000-00338000 rw-p 00129000 fd:00 116393286  /lib/libcrypto.so.0.9.8e
    00338000-0033c000 rw-p 00338000 00:00 0 
    0033c000-0036e000 r-xp 00000000 fd:00 2228228    /opt/pcre/lib/libpcre.so.0.0.1
    0036e000-0036f000 rw-p 00031000 fd:00 2228228    /opt/pcre/lib/libpcre.so.0.0.1
    0036f000-00377000 r-xp 00000000 fd:00 85821931   /usr/lib/libkrb5support.so.0.1
    00377000-00378000 rw-p 00007000 fd:00 85821931   /usr/lib/libkrb5support.so.0.1
    00378000-00379000 r-xp 00000000 fd:00 85919411   /usr/lib/gconv/ISO8859-1.so
    00379000-0037b000 rw-p 00000000 fd:00 85919411   /usr/lib/gconv/ISO8859-1.so
    0037b000-0037f000 r-xp 00000000 fd:00 116391972  /lib/libnss_dns-2.5.so
    0037f000-00380000 r--p 00003000 fd:00 116391972  /lib/libnss_dns-2.5.so
    00380000-00381000 rw-p 00004000 fd:00 116391972  /lib/libnss_dns-2.5.so
    00394000-00395000 r-xp 00394000 00:00 0          [vdso]
    00395000-003bb000 r-xp 00000000 fd:00 85831625   /usr/lib/libk5crypto.so.3.1
    003bb000-003bc000 rw-p 00025000 fd:00 85831625   /usr/lib/libk5crypto.so.3.1
    0041e000-00462000 r-xp 00000000 fd:00 116393287  /lib/libssl.so.0.9.8e
    00462000-00466000 rw-p 00043000 fd:00 116393287  /lib/libssl.so.0.9.8e
    00468000-00594000 r-xp 00000000 fd:00 85829664   /usr/lib/libmysqlclient.so.15.0.0
    00594000-005c3000 rw-p 0012c000 fd:00 85829664   /usr/lib/libmysqlclient.so.15.0.0
    005c3000-005c4000 rw-p 005c3000 00:00 0 
    005c4000-00658000 r-xp 00000000 fd:00 85829146   /usr/lib/libkrb5.so.3.3
    00658000-0065b000 rw-p 00093000 fd:00 85829146   /usr/lib/libkrb5.so.3.3
    0065b000-00774000 r-xp 00000000 fd:00 2228573    /opt/xml2/lib/libxml2.so.2.7.8
    00774000-00779000 rw-p 00119000 fd:00 2228573    /opt/xml2/lib/libxml2.so.2.7.8
    00779000-0077a000 rw-p 00779000 00:00 0 
    007a6000-007c1000 r-xp 00000000 fd:00 116392130  /lib/ld-2.5.so
    007c1000-007c2000 r--p 0001a000 fd:00 116392130  /lib/ld-2.5.so
    007c2000-007c3000 rw-p 0001b000 fd:00 116392130  /lib/ld-2.5.so
    007c5000-00918000 r-xp 00000000 fd:00 116392134  /lib/libc-2.5.so
    00918000-0091a000 r--p 00153000 fd:00 116392134  /lib/libc-2.5.so
    0091a000-0091b000 rw-p 00155000 fd:00 116392134  /lib/libc-2.5.so
    0091b000-0091e000 rw-p 0091b000 00:00 0 
    00920000-00923000 r-xp 00000000 fd:00 116392805  /lib/libdl-2.5.so
    00923000-00924000 r--p 00002000 fd:00 116392805  /lib/libdl-2.5.so
    00924000-00925000 rw-p 00003000 fd:00 116392805  /lib/libdl-2.5.so
    00927000-0093c000 r-xp 00000000 fd:00 116392809  /lib/libpthread-2.5.so
    0093c000-0093d000 r--p 00015000 fd:00 116392809  /lib/libpthread-2.5.so
    0093d000-0093e000 rw-p 00016000 fd:00 116392809  /lib/libpthread-2.5.so
    0093e000-00940000 rw-p 0093e000 00:00 0 
    00942000-00969000 r-xp 00000000 fd:00 116392220  /lib/libm-2.5.so
    00969000-0096a000 r--p 00026000 fd:00 116392220  /lib/libm-2.5.so
    0096a000-0096b000 rw-p 00027000 fd:00 116392220  /lib/libm-2.5.so
    0096d000-0097f000 r-xp 00000000 fd:00 85828705   /usr/lib/libz.so.1.2.3
    0097f000-00980000 rw-p 00011000 fd:00 85828705   /usr/lib/libz.so.1.2.3
    00982000-00989000 r-xp 00000000 fd:00 116392810  /lib/librt-2.5.so
    00989000-0098a000 r--p 00007000 fd:00 116392810  /lib/librt-2.5.so
    0098a000-0098b000 rw-p 00008000 fd:00 116392810  /lib/librt-2.5.so
    0098d000-009c8000 r-xp 00000000 fd:00 116393265  /lib/libsepol.so.1
    009c8000-009c9000 rw-p 0003b000 fd:00 116393265  /lib/libsepol.so.1
    009c9000-009d3000 rw-p 009c9000 00:00 0 
    009d5000-009eb000 r-xp 00000000 fd:00 116393266  /lib/libselinux.so.1
    009eb000-009ed000 rw-p 00015000 fd:00 116393266  /lib/libselinux.so.1
    009ef000-00a04000 r-xp 00000000 fd:00 116392811  /lib/libnsl-2.5.so
    00a04000-00a05000 r--p 00014000 fd:00 116392811  /lib/libnsl-2.5.so
    00a05000-00a06000 rw-p 00015000 fd:00 116392811  /lib/libnsl-2.5.so
    00a06000-00a08000 rw-p 00a06000 00:00 0 
    00a0a000-00a13000 r-xp 00000000 fd:00 116392816  /lib/libcrypt-2.5.so
    00a13000-00a14000 r--p 00008000 fd:00 116392816  /lib/libcrypt-2.5.so
    00a14000-00a15000 rw-p 00009000 fd:00 116392816  /lib/libcrypt-2.5.so
    00a15000-00a3c000 rw-p 00a15000 00:00 0 
    00a3e000-00a49000 r-xp 00000000 fd:00 116392222  /lib/libgcc_s-4.1.2-20080825.so.1
    00a49000-00a4a000 rw-p 0000a000 fd:00 116392222  /lib/libgcc_s-4.1.2-20080825.so.1
    00a4c000-00a5c000 r-xp 00000000 fd:00 85830012   /usr/lib/libXpm.so.4.11.0
    00a5c000-00a5d000 rw-p 00010000 fd:00 85830012   /usr/lib/libXpm.so.4.11.0
    00a5f000-00a8f000 r-xp 00000000 fd:00 85829571   /usr/lib/libidn.so.11.5.19
    00a8f000-00a90000 rw-p 0002f000 fd:00 85829571   /usr/lib/libidn.so.11.5.19
    00acb000-00ad5000 r-xp 00000000 fd:00 116391986  /lib/libnss_files-2.5.so
    00ad5000-00ad6000 r--p 00009000 fd:00 116391986  /lib/libnss_files-2.5.so
    00ad6000-00ad7000 rw-p 0000a000 fd:00 116391986  /lib/libnss_files-2.5.so
    00ba1000-00bc2000 r-xp 00000000 fd:00 85827642   /usr/lib/libjpeg.so.62.0.0
    00bc2000-00bc3000 rw-p 00020000 fd:00 85827642   /usr/lib/libjpeg.so.62.0.0
    00c19000-00c1e000 r-xp 00000000 fd:00 85825652   /usr/lib/libXdmcp.so.6.0.0
    00c1e000-00c1f000 rw-p 00004000 fd:00 85825652   /usr/lib/libXdmcp.so.6.0.0
    00c21000-00c23000 r-xp 00000000 fd:00 85821926   /usr/lib/libXau.so.6.0.0
    00c23000-00c24000 rw-p 00001000 fd:00 85821926   /usr/lib/libXau.so.6.0.0
    00c26000-00c53000 r-xp 00000000 fd:00 85831632   /usr/lib/libgssapi_krb5.so.2.2
    00c53000-00c54000 rw-p 0002d000 fd:00 85831632   /usr/lib/libgssapi_krb5.so.2.2
    00c56000-00c7b000 r-xp 00000000 fd:00 85829142   /usr/lib/libpng12.so.0.10.0
    00c7b000-00c7c000 rw-p 00024000 fd:00 85829142   /usr/lib/libpng12.so.0.10.0
    00c83000-00c9a000 r-xp 00000000 fd:00 116393269  /lib/libaudit.so.0.0.0
    00c9a000-00c9c000 rw-p 00016000 fd:00 116393269  /lib/libaudit.so.0.0.0
    00c9e000-00ca8000 r-xp 00000000 fd:00 116393273  /lib/libpam.so.0.81.5
    00ca8000-00ca9000 rw-p 0000a000 fd:00 116393273  /lib/libpam.so.0.81.5
    00cc4000-00cd4000 r-xp 00000000 fd:00 116392815  /lib/libresolv-2.5.so
    00cd4000-00cd5000 r--p 0000f000 fd:00 116392815  /lib/libresolv-2.5.so
    00cd5000-00cd6000 rw-p 00010000 fd:00 116392815  /lib/libresolv-2.5.so
    00cd6000-00cd8000 rw-p 00cd6000 00:00 0 
    00cda000-00cdc000 r-xp 00000000 fd:00 116393280  /lib/libkeyutils-1.2.so
    00cdc000-00cdd000 rw-p 00001000 fd:00 116393280  /lib/libkeyutils-1.2.so
    00cdf000-00ce1000 r-xp 00000000 fd:00 116393285  /lib/libcom_err.so.2.1
    00ce1000-00ce2000 rw-p 00001000 fd:00 116393285  /lib/libcom_err.so.2.1
    00ce9000-00de8000 r-xp 00000000 fd:00 85828876   /usr/lib/libX11.so.6.2.0
    00de8000-00dec000 rw-p 000ff000 fd:00 85828876   /usr/lib/libX11.so.6.2.0
    00e9e000-00ee9000 r-xp 00000000 fd:00 2228361    /opt/curlssl/lib/libcurl.so.4.2.0
    00ee9000-00eeb000 rw-p 0004b000 fd:00 2228361    /opt/curlssl/lib/libcurl.so.4.2.0
    08048000-08486000 r-xp 00000000 fd:00 85829876   /usr/bin/php
    08486000-084b0000 rw-p 0043d000 fd:00 85829876   /usr/bin/php
    084b0000-084ba000 rw-p 084b0000 00:00 0 
    0870d000-099cb000 rw-p 0870d000 00:00 0          [heap]
    b76c1000-b7742000 rw-p b76c1000 00:00 0 
    b7742000-b7883000 rw-p b7883000 00:00 0 
    b7883000-b7a87000 rw-p b7883000 00:00 0 
    b7a87000-b7a8e000 r--s 00000000 fd:00 85919485   /usr/lib/gconv/gconv-modules.cache
    b7a8e000-b7a8f000 r--p 0146a000 fd:00 85830195   /usr/lib/locale/locale-archive
    b7a8f000-b7ac9000 r--p 013e9000 fd:00 85830195   /usr/lib/locale/locale-archive
    b7ac9000-b7cc9000 r--p 00000000 fd:00 85830195   /usr/lib/locale/locale-archive
    b7cc9000-b7fd7000 rw-p b7cc9000 00:00 0 
    b7fe0000-b7fe1000 rw-p b7fe0000 00:00 0 
    bfbd3000-bfbe8000 rw-p bffe9000 00:00 0          [stack]
    
    Please help.
     
  2. flashweb

    flashweb Well-Known Member

    This is because some PHP script running on your server connects to port 80 of a remote server. You can ignore this message. If you don't want to get more messages like this, edit

    Code:
    /etc/csf/csf.pignore
    Add

    Code:
    exe:/usr/bin/php
    restart csf
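
To trace where a flood of these reports originates, the alerts can be grouped by account, executable and remote endpoint. The following is an added example, not part of the thread or of csf/lfd itself; it assumes the message bodies have been saved as one text blob in the layout of the report quoted above, and the names `parse_alert` and `summarize` and all sample values are hypothetical.

```python
import re
from collections import Counter

HEADER = re.compile(r"^(Time|PID|Account|Uptime):[ \t]+(.*)$", re.M)
SECTION = re.compile(r"^(Executable|Command Line|Network connections|Files open|Memory maps)"
                     r"[^\n]*:[ \t]*$", re.M)
CONN = re.compile(r"^\w+:[ \t]+\S+:\d+[ \t]+->[ \t]+(\S+):(\d+)[ \t]*$", re.M)

def parse_alert(text):
    """Parse one lfd 'Suspicious process' report body into a dict."""
    alert = {k.lower(): v.strip() for k, v in HEADER.findall(text)}
    parts = SECTION.split(text)          # [preamble, title, body, title, body, ...]
    body = dict(zip(parts[1::2], parts[2::2]))
    first = lambda n: next((l.strip() for l in body.get(n, "").splitlines() if l.strip()), "")
    alert["exe"] = first("Executable")
    alert["cmdline"] = first("Command Line")
    alert["remotes"] = [(ip, int(p)) for ip, p in CONN.findall(body.get("Network connections", ""))]
    return alert

def summarize(blob):
    """Count reports per (account, executable, remote endpoint)."""
    counts = Counter()
    for chunk in re.split(r"(?m)^(?=Time:[ \t])", blob):   # one report per Time: line
        if chunk.strip():
            a = parse_alert(chunk)
            for remote in a["remotes"] or [None]:          # None = no connection listed
                counts[(a.get("account"), a["exe"], remote)] += 1
    return counts

# Constructed sample (compacted report layout, documentation-range addresses).
TEMPLATE = """Time:    Mon Apr 11 06:23:27 2011 -0400
PID:     {pid}
Account: {acct}
Uptime:  78 seconds

Executable:
{exe}

Command Line (often faked in exploits):
{exe}

Network connections by the process (if any):
{conn}
"""
SAMPLE = "".join(TEMPLATE.format(pid=p, acct=a, exe=e, conn=c) for p, a, e, c in [
    (13506, "news", "/usr/bin/php", "tcp: 192.0.2.10:46456 -> 198.51.100.7:80"),
    (13611, "news", "/usr/bin/php", "tcp: 192.0.2.10:46502 -> 198.51.100.7:80"),
    (14020, "alice", "/usr/bin/perl", "tcp: 192.0.2.10:51000 -> 203.0.113.9:443"),
])
```

`summarize(SAMPLE).most_common()` lists the busiest account, executable and endpoint combinations first, which narrows down which script to inspect.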
     