lfd on XXXX: Suspicious process running under user nobody

LeGastronome

Active Member
Oct 21, 2010
35
1
58
Hi,

Impossible to catch this process.. do you have an idea ?

Code:
Mon Aug 19 21:46:36 2013 +0100
PID:     2281 (Parent PID:2164)
Account: nobody
Uptime:  68 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):




Network connections by the process (if any):

tcp: XXX -> XXX


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/tmp/sess_799eceeaffd6dac17278bcee43e804b2


Memory maps by the process (if any):
etc...
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
It might be helpful to tell us a bit more about your environment - i.e. how apache is configured, do you have mod security, CXS etc? CXS may or may not help you as it's ability to quarantine a copy of the file will depend on whether it can detect the file full stop and whether it can detect it via the upload / creation method in use.

How is your /tmp partition or file mounted? It is worth having it setup the securetmp way (i.e. with nosuid/noexec) although as you might be seeing this won't stop the execution of scripts via interpreters
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,912
2,241
363

LeGastronome

Active Member
Oct 21, 2010
35
1
58
Yes ok but the line with IP adress :

tcp: XXX -> XXX

IP don't seem to be clear.. it's weird IP from russia or china...

No mod security or CXS installed
/tmp is a directory

it seems that someone launch some program in perl, but no idea how to catch it