lfd on xxx.xxx: Suspicious process running under user dbus

tui (Well-Known Member, joined Jun 15, 2007)
Mexico; cPanel Access Level: Root Administrator
Hello all, I know that LFD alerts are not from cPanel/WHM; however, I want to ask here first because this new (and strange) alert was caused after I ran EasyApache. I ran EasyApache on one of my servers and after it finished this LFD alert comes every hour:

Code:
Time:    Thu May 28 00:00:03 2015 -0500
PID:     2025 (Parent PID:2025)
Account: dbus
Uptime:  13438445 seconds


Executable:

(deleted)/bin/dbus-daemon

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

dbus-daemon --system


Network connections by the process (if any):



Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/dev/null
inotify


Memory maps by the process (if any):

7fbb3cbf4000-7fbb3cc00000 r-xp 00000000 fd:00 2229411                     (deleted)/lib64/libnss_files-2.12.so
7fbb3cc00000-7fbb3ce00000 ---p 0000c000 fd:00 2229411                     (deleted)/lib64/libnss_files-2.12.so
7fbb3ce00000-7fbb3ce01000 r--p 0000c000 fd:00 2229411                     (deleted)/lib64/libnss_files-2.12.so
7fbb3ce01000-7fbb3ce02000 rw-p 0000d000 fd:00 2229411                     (deleted)/lib64/libnss_files-2.12.so
7fbb3ce02000-7fbb3ce04000 r-xp 00000000 fd:00 2229403                     (deleted)/lib64/libdl-2.12.so
7fbb3ce04000-7fbb3d004000 ---p 00002000 fd:00 2229403                     (deleted)/lib64/libdl-2.12.so
7fbb3d004000-7fbb3d005000 r--p 00002000 fd:00 2229403                     (deleted)/lib64/libdl-2.12.so
7fbb3d005000-7fbb3d006000 rw-p 00003000 fd:00 2229403                     (deleted)/lib64/libdl-2.12.so
7fbb3d006000-7fbb3d190000 r-xp 00000000 fd:00 2228232                     (deleted)/lib64/libc-2.12.so
7fbb3d190000-7fbb3d390000 ---p 0018a000 fd:00 2228232                     (deleted)/lib64/libc-2.12.so
7fbb3d390000-7fbb3d394000 r--p 0018a000 fd:00 2228232                     (deleted)/lib64/libc-2.12.so
7fbb3d394000-7fbb3d395000 rw-p 0018e000 fd:00 2228232                     (deleted)/lib64/libc-2.12.so
7fbb3d395000-7fbb3d39a000 rw-p 00000000 00:00 0
7fbb3d39a000-7fbb3d3a1000 r-xp 00000000 fd:00 2229445                     (deleted)/lib64/librt-2.12.so
7fbb3d3a1000-7fbb3d5a0000 ---p 00007000 fd:00 2229445                     (deleted)/lib64/librt-2.12.so
7fbb3d5a0000-7fbb3d5a1000 r--p 00006000 fd:00 2229445                     (deleted)/lib64/librt-2.12.so
7fbb3d5a1000-7fbb3d5a2000 rw-p 00007000 fd:00 2229445                     (deleted)/lib64/librt-2.12.so
7fbb3d5a2000-7fbb3d5b9000 r-xp 00000000 fd:00 2228256                     (deleted)/lib64/libpthread-2.12.so
7fbb3d5b9000-7fbb3d7b9000 ---p 00017000 fd:00 2228256                     (deleted)/lib64/libpthread-2.12.so
7fbb3d7b9000-7fbb3d7ba000 r--p 00017000 fd:00 2228256                     (deleted)/lib64/libpthread-2.12.so
7fbb3d7ba000-7fbb3d7bb000 rw-p 00018000 fd:00 2228256                     (deleted)/lib64/libpthread-2.12.so
7fbb3d7bb000-7fbb3d7bf000 rw-p 00000000 00:00 0
7fbb3d7bf000-7fbb3d7c3000 r-xp 00000000 fd:00 2228334                    /lib64/libcap-ng.so.0.0.0
7fbb3d7c3000-7fbb3d9c2000 ---p 00004000 fd:00 2228334                    /lib64/libcap-ng.so.0.0.0
7fbb3d9c2000-7fbb3d9c3000 r--p 00003000 fd:00 2228334                    /lib64/libcap-ng.so.0.0.0
7fbb3d9c3000-7fbb3d9c4000 rw-p 00004000 fd:00 2228334                    /lib64/libcap-ng.so.0.0.0
7fbb3d9c4000-7fbb3d9db000 r-xp 00000000 fd:00 2229073                    /lib64/libaudit.so.1.0.0
7fbb3d9db000-7fbb3dbdb000 ---p 00017000 fd:00 2229073                    /lib64/libaudit.so.1.0.0
7fbb3dbdb000-7fbb3dbdc000 r--p 00017000 fd:00 2229073                    /lib64/libaudit.so.1.0.0
7fbb3dbdc000-7fbb3dbe7000 rw-p 00018000 fd:00 2229073                    /lib64/libaudit.so.1.0.0
7fbb3dbe7000-7fbb3dc04000 r-xp 00000000 fd:00 2229517                    /lib64/libselinux.so.1
7fbb3dc04000-7fbb3de03000 ---p 0001d000 fd:00 2229517                    /lib64/libselinux.so.1
7fbb3de03000-7fbb3de04000 r--p 0001c000 fd:00 2229517                    /lib64/libselinux.so.1
7fbb3de04000-7fbb3de05000 rw-p 0001d000 fd:00 2229517                    /lib64/libselinux.so.1
7fbb3de05000-7fbb3de06000 rw-p 00000000 00:00 0
7fbb3de06000-7fbb3de2c000 r-xp 00000000 fd:00 2228320                    /lib64/libexpat.so.1.5.2
7fbb3de2c000-7fbb3e02b000 ---p 00026000 fd:00 2228320                    /lib64/libexpat.so.1.5.2
7fbb3e02b000-7fbb3e02e000 rw-p 00025000 fd:00 2228320                    /lib64/libexpat.so.1.5.2
7fbb3e02e000-7fbb3e04e000 r-xp 00000000 fd:00 2228615                     (deleted)/lib64/ld-2.12.so
7fbb3e23d000-7fbb3e242000 rw-p 00000000 00:00 0
7fbb3e24c000-7fbb3e24d000 rw-p 00000000 00:00 0
7fbb3e24d000-7fbb3e24e000 r--p 0001f000 fd:00 2228615                     (deleted)/lib64/ld-2.12.so
7fbb3e24e000-7fbb3e24f000 rw-p 00020000 fd:00 2228615                     (deleted)/lib64/ld-2.12.so
7fbb3e24f000-7fbb3e250000 rw-p 00000000 00:00 0
7fbb3e250000-7fbb3e2a1000 r-xp 00000000 fd:00 393227                      (deleted)/bin/dbus-daemon
7fbb3e4a1000-7fbb3e4a2000 r--p 00051000 fd:00 393227                      (deleted)/bin/dbus-daemon
7fbb3e4a2000-7fbb3e4a3000 rw-p 00052000 fd:00 393227                      (deleted)/bin/dbus-daemon
7fbb3ec42000-7fbb3ec63000 rw-p 00000000 00:00 0                          [heap]
7fff104a0000-7fff104b5000 rw-p 00000000 00:00 0                          [stack]
7fff10583000-7fff10585000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
However, my pignore file is the same on all servers and these lines are on it (by default):

Code:
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
Where does this alert come from? Why does it come if dbus-daemon is in pignore? Why after I ran EasyApache?

I have this version: CLOUDLINUX 6.6 x86_64 kvm – XXXXX WHM 11.48.4 (build 4)

Infopro (Well-Known Member, joined May 20, 2003)
Pennsylvania; cPanel Access Level: Root Administrator
Hello all, I know that LFD alerts are not from cPanel/WHM; however, I want to ask here first because...
The answer is still found in your own settings, and on the CSF forums.

PT_DELETED

lfd will report processes, even if they're listed in csf.pignore, if they're
tagged as (deleted) by Linux. This information is provided in Linux under
/proc/PID/exe. A (deleted) process is one that is running a binary that has
the inode for the file removed from the file system directory. This usually
happens when the binary has been replaced due to an upgrade for it by the OS
vendor or another third party (e.g. cPanel). You need to investigate whether
this is indeed the case to be sure that the original binary has not been
replaced by a rootkit or is running an exploit.

Note: If a deleted executable process is detected and reported then lfd will
not report children of the parent (or the parent itself if a child triggered
the report) if the parent is also a deleted executable process.

To stop lfd reporting such process you need to restart the daemon to which it
belongs and therefore run the process using the replacement binary (presuming
one exists). This will normally mean running the associated startup script in
/etc/init.d/

If you do want lfd to report deleted binary processes, set to 1
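As an added illustration of the PT_DELETED check quoted above (this is example code, not part of the thread and not csf/lfd's own code), the script below reads the same two /proc files the csf.conf text names, /proc/PID/exe and /proc/PID/maps, strips the kernel's " (deleted)" marker, and applies the documented rule that a csf.pignore "exe:" entry does not suppress a report for a deleted executable, which is exactly why tui's alert fires for /bin/dbus-daemon despite the pignore line. The csf.pignore location (/etc/csf/csf.pignore) and the "exe:" line format are assumptions taken from the thread; the sample maps and pignore text are constructed, modelled on the alert above but in the kernel's own spelling (marker at the end of the path).

```python
"""Added example: find processes running a (deleted) executable, the condition
the PT_DELETED text describes. Not csf/lfd code. Assumptions: csf.pignore is at
/etc/csf/csf.pignore with 'exe:' lines as in the thread; the kernel appends
" (deleted)" to unlinked paths (lfd prints the marker in front; both accepted)."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

DELETED_SUFFIX = " (deleted)"
# One line of /proc/PID/maps; the trailing pathname column may be empty.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")

# Constructed sample data, modelled on the alert in the thread (kernel spelling).
SAMPLE_MAPS = """\
7fbb3d006000-7fbb3d190000 r-xp 00000000 fd:00 2228232   /lib64/libc-2.12.so (deleted)
7fbb3d395000-7fbb3d39a000 rw-p 00000000 00:00 0
7fbb3d7bf000-7fbb3d7c3000 r-xp 00000000 fd:00 2228334   /lib64/libcap-ng.so.0.0.0
7fbb3e250000-7fbb3e2a1000 r-xp 00000000 fd:00 393227    /bin/dbus-daemon (deleted)
7fbb3ec42000-7fbb3ec63000 rw-p 00000000 00:00 0         [heap]
"""
SAMPLE_PIGNORE = """\
# constructed excerpt of a csf.pignore file
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
"""

@dataclass
class ProcessReport:
    pid: int
    exe: str                 # path with the deleted marker removed
    reason: str              # why lfd-style logic reports it
    deleted_maps: List[str] = field(default_factory=list)

def split_deleted(path: str):
    """Return (clean_path, was_deleted) for an exe link target or maps path."""
    if path.endswith(DELETED_SUFFIX):
        return path[: -len(DELETED_SUFFIX)], True
    if path.startswith("(deleted)"):         # lfd's own rendering of the marker
        return path[len("(deleted)"):], True
    return path, False

def deleted_mapped_files(maps_text: str) -> List[str]:
    """Distinct file-backed mappings tagged (deleted), in first-seen order."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or m.group("inode") == "0":
            continue  # anonymous memory, [heap], [stack], [vdso] carry inode 0
        path, deleted = split_deleted(m.group("path").strip())
        if deleted and path not in found:
            found.append(path)
    return found

def load_pignore(text: str) -> Set[str]:
    """Collect the 'exe:' paths from csf.pignore text."""
    return {ln.strip()[4:].strip() for ln in text.splitlines()
            if ln.strip().startswith("exe:")}

def pt_deleted_reason(exe_clean: str, exe_deleted: bool,
                      pignore_exes: Set[str]) -> Optional[str]:
    """Documented rule: a deleted executable is reported even if its path is ignored."""
    if not exe_deleted:
        return None
    if exe_clean in pignore_exes:
        return "deleted executable (csf.pignore exe: entry does not suppress this)"
    return "deleted executable"

def scan_proc(proc_root: str = "/proc",
              pignore_exes: Set[str] = frozenset()) -> List[ProcessReport]:
    """Walk a /proc tree; return one report per process whose exe is deleted."""
    reports: List[ProcessReport] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return reports
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                maps_text = fh.read()
        except OSError:
            continue  # kernel thread, process already gone, or not running as root
        exe_clean, exe_deleted = split_deleted(target)
        reason = pt_deleted_reason(exe_clean, exe_deleted, pignore_exes)
        if reason:
            reports.append(ProcessReport(int(entry), exe_clean, reason,
                                         deleted_mapped_files(maps_text)))
    return reports

if __name__ == "__main__":
    path = "/etc/csf/csf.pignore"   # assumed location
    ignored = load_pignore(open(path).read()) if os.path.exists(path) else set()
    for r in scan_proc("/proc", ignored):
        print(f"PID {r.pid}: {r.exe}: {r.reason}; deleted libs: {r.deleted_maps}")
```

Run it as root so /proc/PID/exe of other users' processes is readable. The deleted-library list is the extra signal worth eyeballing: in the alert above every glibc component is tagged (deleted) alongside dbus-daemon, which fits a package upgrade during the EasyApache run rather than a replaced binary, and the remedy is the one the quoted text gives, restarting the daemon through its /etc/init.d script so the replacement files are loaded.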