
lfd on XXXX: Suspicious process running under user nobody

Discussion in 'General Discussion' started by LeGastronome, Aug 19, 2013.

  1. LeGastronome

    LeGastronome Member

    Joined:
    Oct 21, 2010
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Impossible to catch this process... do you have an idea?

    Code:
    Mon Aug 19 21:46:36 2013 +0100
    PID:     2281 (Parent PID:2164)
    Account: nobody
    Uptime:  68 seconds

    Executable:
    /usr/bin/perl

    Command Line (often faked in exploits):

    Network connections by the process (if any):
    tcp: XXX -> XXX

    Files open by the process (if any):
    /dev/null
    /dev/null
    /dev/null
    /tmp/sess_799eceeaffd6dac17278bcee43e804b2

    Memory maps by the process (if any):
    etc...
     
  2. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    It might be helpful to tell us a bit more about your environment - i.e. how Apache is configured, do you have mod_security, CXS etc.? CXS may or may not help you, as its ability to quarantine a copy of the file will depend on whether it can detect the file full stop and whether it can detect it via the upload/creation method in use.

    How is your /tmp partition or file mounted? It is worth having it set up the securetmp way (i.e. with nosuid/noexec), although, as you might be seeing, this won't stop the execution of scripts via interpreters.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  4. LeGastronome

    LeGastronome Member

    Joined:
    Oct 21, 2010
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Yes, OK, but the line with the IP address:

    tcp: XXX -> XXX

    The IP doesn't seem to be clear... it's a weird IP from Russia or China...

    No mod_security or CXS installed.
    /tmp is a directory.

    It seems that someone launched some program in Perl, but I have no idea how to catch it.
     
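The question in both of LeGastronome's posts is how to catch the process when lfd only reports a blank command line. The script below is an added example written for this thread, not code from the page or from csf/lfd: it walks a /proc tree looking for interpreter binaries (perl, php, python, ...) running as the web user whose argv is empty or does not match the real executable, then reports the parent chain, cwd, files open under /tmp-style directories and open sockets. Everything in it is an assumption of the example rather than something the thread states: the interpreter list, uid 99 for nobody (RHEL/CentOS; it is 65534 on Debian), the function names hunt/proc_info/indicators/parent_chain, and the sample tree built by make_sample_proc(), which is constructed to mirror the alert (PID 2281, parent 2164, the sess_ file) and is not captured data.

```python
"""Find interpreter processes running as the web user with a blank or faked argv, as in
the lfd alert above. The kernel keeps /proc/<pid>/exe and PPid, so blanking argv (lfd's
empty "Command Line") hides neither the real binary nor the parent. Added example, not csf/lfd code."""
import os, re, sys, tempfile
from pathlib import Path

INTERPRETER_RE = re.compile(r"(perl|python|php|php-cgi|ruby|sh|bash|dash)[\d.]*")  # assumption
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def _slurp(path, link=False):
    """File contents or link target under /proc; '' if it vanished or we are not root."""
    try:
        return os.readlink(path) if link else Path(path).read_bytes().decode("utf-8", "replace")
    except OSError:
        return ""

def _family(path):
    m = INTERPRETER_RE.fullmatch(os.path.basename(path))  # 'perl' for /usr/bin/perl5.10.1
    return m.group(1) if m else None

def _in_writable(path):
    return any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS)

def proc_info(proc, pid):
    """uid, name, ppid, argv, exe, cwd and fd link targets for one pid."""
    base = os.path.join(proc, str(pid))
    info = {"pid": pid, "uid": None, "name": "", "ppid": None}
    for line in _slurp(os.path.join(base, "status")).splitlines():
        key, _, value = line.partition(":")
        if key in ("Uid", "PPid"):
            info[key.lower()] = int(value.split()[0])  # first Uid field is the real uid
        elif key == "Name":
            info["name"] = value.strip()
    info["argv"] = [a for a in _slurp(os.path.join(base, "cmdline")).split("\0") if a]
    info["exe"] = _slurp(os.path.join(base, "exe"), link=True)
    info["cwd"] = _slurp(os.path.join(base, "cwd"), link=True)
    try:
        names = sorted(os.listdir(os.path.join(base, "fd")), key=int)
    except OSError:  # process gone, or not ours and we are not root
        names = []
    info["fds"] = [_slurp(os.path.join(base, "fd", n), link=True) for n in names]
    return info

def indicators(info, target_uid):
    """Primary indicators for one process; an empty list means not interesting."""
    fam = _family(info["exe"].replace(" (deleted)", ""))
    if info["uid"] != target_uid or fam is None:
        return []
    found = []
    if not info["argv"]:
        found.append("empty cmdline")
    elif _family(info["argv"][0]) != fam:
        found.append("argv[0] %r does not look like %s" % (info["argv"][0], info["exe"]))
    return found

def parent_chain(proc, pid, limit=16):
    chain = []  # [(pid, name), ...] walking PPid up towards init
    while pid and len(chain) < limit:
        info = proc_info(proc, pid)
        chain.append((pid, info["name"] or "?"))
        pid = info["ppid"] if info["ppid"] != pid else None
    return chain

def hunt(proc="/proc", target_uid=99):
    """{pid: details} for every flagged process owned by target_uid (run as root)."""
    findings = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        info = proc_info(proc, int(entry))
        found = indicators(info, target_uid)
        if found:
            findings[info["pid"]] = {
                "exe": info["exe"], "argv": info["argv"], "cwd": info["cwd"], "indicators": found,
                "tmp_files": [f for f in info["fds"] if _in_writable(f)],
                "sockets": [f for f in info["fds"] if f.startswith("socket:")],
                "parents": parent_chain(proc, info["ppid"])}
    return findings

def make_sample_proc():
    """Constructed fake /proc tree modelled on the alert; not captured data."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    def add(pid, name, uid, ppid, exe, argv, cwd, fds):
        base = Path(root, str(pid))
        (base / "fd").mkdir(parents=True)
        (base / "status").write_text("Name:\t%s\nPPid:\t%d\nUid:\t%d\t%d\t%d\t%d\n" % (name, ppid, uid, uid, uid, uid))
        (base / "cmdline").write_bytes(b"".join(a.encode() + b"\0" for a in argv))
        for link, target in [("exe", exe), ("cwd", cwd)] + [("fd/%d" % n, t) for n, t in enumerate(fds)]:
            os.symlink(target, base / link)
    add(1, "init", 0, 0, "/sbin/init", ["/sbin/init"], "/", [])
    add(2164, "httpd", 99, 1, "/usr/sbin/httpd", ["/usr/sbin/httpd", "-k", "start"], "/", [])
    add(2281, "perl", 99, 2164, "/usr/bin/perl", [], "/tmp",  # the alerted process: blank argv
        ["/dev/null", "/dev/null", "/dev/null", "/tmp/sess_799eceeaffd6dac17278bcee43e804b2", "socket:[31337]"])
    add(2300, "perl", 99, 2164, "/usr/bin/perl",  # benign CGI: same user, honest argv and cwd
        ["/usr/bin/perl", "/home/site/cgi-bin/form.cgi"], "/home/site/cgi-bin", ["/dev/null"])
    return root

if __name__ == "__main__":  # usage: hunt.py [/proc [uid]]; nobody is uid 99 on RHEL/CentOS, 65534 on Debian
    args = sys.argv[1:] or [make_sample_proc()]
    for pid, d in sorted(hunt(args[0], int(args[1]) if len(args) > 1 else 99).items()):
        print("PID %d indicators=%s\n  %s" % (pid, d["indicators"], d))
```

Run with no arguments to see it flag only the constructed PID 2281, or as root with `/proc` (and your nobody uid) to scan a live box; other users' exe and fd links are unreadable otherwise. A blank argv is an indicator, not proof, since a daemon may legitimately rewrite its own argv, which is why the report also carries the parent chain: a parent of httpd, as in the alert's Parent PID 2164, says the script was launched through the web server, so the place to look next is a writable upload path or an injection in one of the hosted sites rather than a compromised shell account, and the open /tmp/sess_* file and socket tell you which session file and which connection to inspect before you kill the process.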