lfd on XXXX: Suspicious process running under user nobody

LeGastronome

Active Member
Oct 21, 2010
35
1
58
Hi,

Impossible to catch this process... Do you have an idea?

Code:
Mon Aug 19 21:46:36 2013 +0100
PID:     2281 (Parent PID:2164)
Account: nobody
Uptime:  68 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):




Network connections by the process (if any):

tcp: XXX -> XXX


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/tmp/sess_799eceeaffd6dac17278bcee43e804b2


Memory maps by the process (if any):
etc...
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
It might be helpful to tell us a bit more about your environment, i.e. how Apache is configured, do you have mod_security, CXS etc.? CXS may or may not help you, as its ability to quarantine a copy of the file will depend on whether it can detect the file full stop and whether it can detect it via the upload / creation method in use.

How is your /tmp partition or file mounted? It is worth having it set up the securetmp way (i.e. with nosuid/noexec), although, as you might be seeing, this won't stop the execution of scripts via interpreters.
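
The mount check that post suggests, as an added example (not ThinIce's code and not a cPanel or CXS tool): it parses text in /proc/mounts format, finds the mount that actually covers /tmp by longest-prefix match, and reports whether the noexec/nosuid options are present. Both mount tables are constructed samples; the first mimics a securetmp-style layout with /var/tmp bind-mounted from /tmp, the second the situation where /tmp is just a directory on the root filesystem and so inherits that filesystem's options. As the post says, noexec only stops direct execution of a file; `perl /tmp/script` still runs because the interpreter, not the script, is what gets executed.

```python
import re
from typing import Dict, Set, Tuple

# Constructed samples in /proc/mounts format (not taken from the thread).
# First: /tmp on its own filesystem with securetmp-style options, and
# /var/tmp bind-mounted from it (per-mount flags show on the bind mount too).
MOUNTS_SECURETMP = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,relatime 0 0
/usr/tmpDSK /var/tmp ext3 rw,noexec,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""
# Second: /tmp is just a directory on the root filesystem.
MOUNTS_PLAIN_DIR = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

REQUIRED = ("noexec", "nosuid")


def decode_octal(field: str) -> str:
    """/proc/mounts escapes space, tab, newline and backslash as \\NNN octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to its set of mount options."""
    table: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        table[decode_octal(fields[1])] = set(fields[3].split(","))
    return table


def mount_covering(path: str, table: Dict[str, Set[str]]) -> Tuple[str, Set[str]]:
    """Longest-prefix match: the mount point under which `path` lives."""
    best = "/"
    for mp in table:
        if mp != "/" and (path == mp or path.startswith(mp.rstrip("/") + "/")):
            if len(mp) > len(best):
                best = mp
    return best, table.get(best, set())


def check_tmp(mounts_text: str, path: str = "/tmp") -> Dict[str, object]:
    """Report whether `path` is its own mount and which hardening options it
    lacks.  A plain directory inherits the root filesystem's options, which
    normally include neither noexec nor nosuid."""
    mp, opts = mount_covering(path, parse_mounts(mounts_text))
    return {
        "path": path,
        "mountpoint": mp,
        "separate": mp == path,
        "missing": [o for o in REQUIRED if o not in opts],
    }


if __name__ == "__main__":
    # On a live Linux host read the real table; otherwise use the sample.
    try:
        with open("/proc/mounts") as fh:
            live = fh.read()
    except OSError:
        live = MOUNTS_PLAIN_DIR
    for p in ("/tmp", "/var/tmp", "/dev/shm"):
        print(check_tmp(live, p))
```

Run it on the server and compare the output for /tmp, /var/tmp and /dev/shm; an answer of `"separate": False` with both options missing is the "it's just a directory" case, which is what the securetmp setup changes.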
 

LeGastronome

Yes, OK, but the line with the IP address:

tcp: XXX -> XXX

The IPs don't seem to be clear... they're weird IPs from Russia or China...

No mod_security or CXS installed.
/tmp is a directory.

It seems that someone launched some program in Perl, but I have no idea how to catch it.
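
For the lfd report in the first post and the "how to catch it" question here, an added example (not the poster's code and not part of lfd or CSF): a small parser for the alert format shown above, a triage pass over the parsed fields, and the list of /proc entries worth reading while the process is still alive. The sample report is the one from the first post, constructed inline with its redacted addresses (XXX) left as they are; the interpreter and account lists are assumptions, not lfd's own. The point of the /proc paths is that `exe` and `cwd` are symlinks the kernel maintains, so they survive a faked or cleared command line, which is exactly what the empty "Command Line" section suggests happened.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lfd alert quoted in the first post, trimmed to one
# /dev/null entry, with the redacted addresses (XXX) left as they are.
SAMPLE_REPORT = """\
Mon Aug 19 21:46:36 2013 +0100
PID:     2281 (Parent PID:2164)
Account: nobody
Uptime:  68 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

Network connections by the process (if any):

tcp: XXX -> XXX

Files open by the process (if any):

/dev/null
/tmp/sess_799eceeaffd6dac17278bcee43e804b2

Memory maps by the process (if any):
"""

# Section headers matched by prefix, mapped to LfdReport field names.
SECTIONS = {"Executable": "executable", "Command Line": "command_line",
            "Network connections": "connections", "Files open": "open_files",
            "Memory maps": "memory_maps"}
# Assumed lists for triage (not lfd's own configuration).
INTERPRETERS = {"/usr/bin/perl", "/usr/bin/python", "/usr/bin/php", "/bin/sh", "/bin/bash"}
WEB_ACCOUNTS = {"nobody", "apache", "www-data"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class LfdReport:
    pid: Optional[int] = None
    parent_pid: Optional[int] = None
    account: str = ""
    executable: str = ""
    command_line: str = ""
    connections: List[str] = field(default_factory=list)
    open_files: List[str] = field(default_factory=list)


def parse_lfd_report(text: str) -> LfdReport:
    """A line ending in ':' opens a section; other non-blank lines belong to
    the current section, or to the header block before the first one."""
    rep, section = LfdReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            section = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        elif not line:
            continue
        elif section is None:
            m = re.match(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", line)
            if m:
                rep.pid, rep.parent_pid = int(m.group(1)), int(m.group(2))
            elif line.startswith("Account:"):
                rep.account = line.split(":", 1)[1].strip()
        elif section == "executable":
            rep.executable = line
        elif section == "command_line":
            rep.command_line = (rep.command_line + " " + line).strip()
        elif section == "connections":
            rep.connections.append(line)
        elif section == "open_files":
            rep.open_files.append(line)
    return rep


def triage(rep: LfdReport) -> List[str]:
    """Indicators worth a closer look; none of them proves compromise alone."""
    findings = []
    if rep.executable in INTERPRETERS:
        findings.append(f"executable is an interpreter: {rep.executable}")
    if not rep.command_line:
        findings.append("command line is empty (argv cleared or faked)")
    if rep.account in WEB_ACCOUNTS:
        findings.append(f"runs as the web server account: {rep.account}")
    tmp_files = [f for f in rep.open_files if f.startswith(WORLD_WRITABLE)]
    if tmp_files:
        findings.append("open files in world-writable dirs: " + ", ".join(tmp_files))
    if rep.connections:
        findings.append("network connections: " + "; ".join(rep.connections))
    return findings


def proc_paths(rep: LfdReport) -> List[str]:
    """Kernel-maintained /proc entries to read while the process is alive."""
    own = [f"/proc/{rep.pid}/{n}" for n in ("exe", "cwd", "cmdline", "environ", "fd")]
    return own + [f"/proc/{rep.parent_pid}/exe", f"/proc/{rep.parent_pid}/cmdline"]


if __name__ == "__main__":
    report = parse_lfd_report(SAMPLE_REPORT)
    for item in triage(report) + proc_paths(report):
        print(item)
```

On the sample this flags all five indicators (interpreter, empty argv, the nobody account, the /tmp session file and the outbound connection). The parent PID is the other useful handle: if `/proc/2164/exe` turns out to be the web server, the script was started through a web request, which points at an application-level entry point rather than a system account.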