
lfd on XXXX: Suspicious process running under user nobody

Discussion in 'General Discussion' started by LeGastronome, Aug 19, 2013.

  1. LeGastronome

    LeGastronome Active Member

    Joined:
    Oct 21, 2010
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    58
    Hi,

    Impossible to catch this process... do you have an idea?

    Code:
    Mon Aug 19 21:46:36 2013 +0100
    PID:     2281 (Parent PID:2164)
    Account: nobody
    Uptime:  68 seconds
    
    
    Executable:
    
    /usr/bin/perl
    
    
    Command Line (often faked in exploits):
    
    
    
    
    Network connections by the process (if any):
    
    tcp: XXX -> XXX
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    /tmp/sess_799eceeaffd6dac17278bcee43e804b2
    
    
    Memory maps by the process (if any):
    etc...
    
     
  2. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    352
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It might be helpful to tell us a bit more about your environment - i.e. how Apache is configured, do you have mod_security, CXS, etc.? CXS may or may not help you, as its ability to quarantine a copy of the file will depend on whether it can detect the file full stop and whether it can detect it via the upload / creation method in use.

    How is your /tmp partition or file mounted? It is worth having it set up the securetmp way (i.e. with nosuid/noexec), although, as you might be seeing, this won't stop the execution of scripts via interpreters.
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,885
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  4. LeGastronome

    LeGastronome Active Member

    Joined:
    Oct 21, 2010
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    58
    Yes, OK, but the line with the IP address:

    tcp: XXX -> XXX

    The IP doesn't seem to be clear... it's a weird IP from Russia or China...

    No mod security or CXS installed
    /tmp is a directory

    It seems that someone launched some program in Perl, but I have no idea how to catch it.
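To pull the indicators out of an alert like the one in the first post, and to make ThinIce's point about noexec concrete, here is an added Python example that is not from cPanel, lfd/CSF or any poster in this thread. The alert text is constructed to mirror the quoted one, with RFC 5737 documentation-range addresses standing in for the redacted XXX values.

```python
import re
# Constructed sample modelled on the lfd alert quoted above: PIDs and the /tmp
# path come from the post, the addresses are RFC 5737 documentation ranges.
SAMPLE_ALERT = """\
Mon Aug 19 21:46:36 2013 +0100
PID:     2281 (Parent PID:2164)
Account: nobody
Executable:

/usr/bin/perl
Command Line (often faked in exploits):

Network connections by the process (if any):
tcp: 192.0.2.10:43210 -> 198.51.100.7:6667
Files open by the process (if any):
/tmp/sess_799eceeaffd6dac17278bcee43e804b2
"""
INTERPRETERS = {"perl", "python", "php", "sh", "bash", "ruby"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_lfd_alert(text):
    """Split an lfd 'Suspicious process' alert into header fields and titled sections."""
    fields, sections, current = {}, {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line.endswith(":"):                  # section title, e.g. "Executable:"
            current = line[:-1].split(" (")[0]  # drop "(if any)" / "(often faked ...)"
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        elif m := re.match(r"(\w[\w ]*?):\s+(.*)", line):
            fields[m.group(1)] = m.group(2)     # e.g. PID -> "2281 (Parent PID:2164)"
    return fields, sections

def triage(text):
    """Return (pid, parent_pid, findings); the parent PID is where to look next."""
    fields, sections = parse_lfd_alert(text)
    pid, ppid = re.match(r"(\d+) \(Parent PID:(\d+)\)", fields["PID"]).groups()
    exe = (sections.get("Executable") or [""])[0]
    cmdline = " ".join(sections.get("Command Line", []))
    findings = []
    if fields.get("Account") == "nobody":
        findings.append("runs as nobody, the Apache user on cPanel: likely started via a web script")
    if exe.rsplit("/", 1)[-1] in INTERPRETERS:
        findings.append(f"executable is the interpreter {exe}: a noexec /tmp would not have stopped it")
    if not cmdline:
        findings.append("empty command line (lfd notes argv is often faked): it does not name the script")
    findings += [f"holds open {f} in a world-writable directory"
                 for f in sections.get("Files open by the process", []) if f.startswith(WORLD_WRITABLE)]
    findings += [f"network connection {c}" for c in sections.get("Network connections by the process", [])]
    return int(pid), int(ppid), findings
```

On a live box the same alert would be fed in from the lfd e-mail, and the returned parent PID (2164 here) is the process to inspect first, since it is what spawned the interpreter.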
     