lfd on XXXX: Suspicious process running under user nobody

LeGastronome

Active Member
Oct 21, 2010
Hi,

Impossible to catch this process. Do you have an idea?

Code:
Mon Aug 19 21:46:36 2013 +0100
PID:     2281 (Parent PID:2164)
Account: nobody
Uptime:  68 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):




Network connections by the process (if any):

tcp: XXX -> XXX


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/tmp/sess_799eceeaffd6dac17278bcee43e804b2


Memory maps by the process (if any):
etc...
 

ThinIce

Well-Known Member
Apr 27, 2006
cPanel Access Level
Root Administrator
It might be helpful to tell us a bit more about your environment, i.e. how Apache is configured, do you have mod_security, CXS, etc.? CXS may or may not help you, as its ability to quarantine a copy of the file will depend on whether it can detect the file at all and whether it can detect it via the upload / creation method in use.

How is your /tmp partition or file mounted? It is worth having it set up the securetmp way (i.e. with nosuid/noexec), although, as you might be seeing, this won't stop the execution of scripts via interpreters.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011

LeGastronome

Active Member
Oct 21, 2010
Yes, OK, but the line with the IP address:

tcp: XXX -> XXX

The IPs don't seem to be clear... they're weird IPs from Russia or China...

No mod_security or CXS installed.
/tmp is a directory.

It seems that someone launched some program in Perl, but I have no idea how to catch it.
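A small triage helper for exactly the situation in this thread (an added example, not code from the forum, lfd or cPanel): it reads the same /proc entries lfd builds its report from, walks the parent chain (here perl back to the httpd worker), and flags the two things that stand out in the report above, an interpreter whose command line is empty and open files under /tmp. The `build_sample_proc` function creates a constructed /proc lookalike that mirrors the report so the code runs offline; on a live host you would call `triage("/proc", pid)` as root instead.

```python
import os
import tempfile
from pathlib import Path

INTERPRETERS = {"perl", "python", "python2", "python3", "php", "sh", "bash"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # target already deleted, or no permission to read it
        return None

def parent_chain(proc_root, pid, limit=16):  # follow PPid: upwards, e.g. perl -> httpd
    chain = []
    while pid > 1 and len(chain) < limit:
        status = Path(proc_root, str(pid), "status")
        if not status.exists():
            break
        fields = dict(l.split(":", 1) for l in status.read_text().splitlines() if ":" in l)
        chain.append((pid, fields.get("Name", "").strip()))
        pid = int(fields.get("PPid", "0"))
    return chain

def triage(proc_root, pid):  # gather what lfd reports and flag the suspicious combinations
    p = Path(proc_root, str(pid))
    exe = _readlink(p / "exe")
    # cmdline is NUL-separated and comes back empty when the process overwrote its own argv
    argv = [a.decode(errors="replace") for a in (p / "cmdline").read_bytes().split(b"\0") if a]
    fds = sorted(t for t in (_readlink(f) for f in (p / "fd").iterdir()) if t)
    hidden = exe is not None and os.path.basename(exe) in INTERPRETERS and not argv
    flags = ["interpreter with empty argv (command line hidden)"] if hidden else []
    tmp_files = [f for f in fds if f.startswith(WRITABLE_DIRS)]
    if tmp_files:
        flags.append("open files in world-writable dir: " + ", ".join(tmp_files))
    return {"exe": exe, "argv": argv, "fds": fds,
            "parents": parent_chain(proc_root, pid), "flags": flags}

def build_sample_proc():  # constructed /proc lookalike mirroring the report above, not a real capture
    root = Path(tempfile.mkdtemp())
    def add(pid, name, ppid, exe, argv, fds):
        d = root / str(pid)
        (d / "fd").mkdir(parents=True)
        (d / "status").write_text(f"Name:\t{name}\nPPid:\t{ppid}\n")
        (d / "cmdline").write_bytes(b"".join(a.encode() + b"\0" for a in argv))
        os.symlink(exe, d / "exe")
        for n, target in enumerate(fds):
            os.symlink(target, d / "fd" / str(n))
    add(2164, "httpd", 1, "/usr/sbin/httpd", ["/usr/sbin/httpd", "-k", "start"], ["/dev/null"])
    add(2281, "perl", 2164, "/usr/bin/perl", [], ["/dev/null"] * 3 + ["/tmp/sess_799eceeaffd6dac17278bcee43e804b2"])
    return root
```

The parent chain is the part lfd does not give you: the parent PID in the report is almost always an httpd worker, which points to the web application that spawned the interpreter rather than to /tmp itself.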