The Community Forums


lfd reporting Suspicious process running under user

Discussion in 'Security' started by texas90, Aug 21, 2015.

  1. texas90

    texas90 Member

    cPanel Access Level:
    Root Administrator
    I am getting plenty of these reports from lfd. I don't know what they mean. Can anybody tell me what they mean?

    Thanks

    Code:
    Time:    Fri Aug 21 13:21:47 2015 +0000
    PID:     660804 (Parent PID:464171)
    Account: accountname
    Uptime:  87 seconds
    
    
    Executable:
    
    /usr/selector/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php
    
    
    Network connections by the process (if any):
    tcp: serverIP:58966 -> 208.78.70.28:25
    tcp: serverIP:43553 -> 68.180.130.15:25
    tcp: serverIP:58743 -> 216.239.34.10:25
    tcp: serverIP:58535 -> 192.162.217.4:25
    tcp: serverIP:43697 -> 193.252.22.65:25
    tcp: serverIP:53717 -> 207.46.163.215:25
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    00400000-00d52000 r-xp 00000000 08:03 5520411                            /usr/selector/php
    00f51000-01018000 rw-p 00951000 08:03 5520411                            /usr/selector/php
    01018000-0103c000 rw-p 00000000 00:00 0
    02320000-025f6000 rw-p 00000000 00:00 0                                  [heap]
    7f28e8000000-7f28e8021000 rw-p 00000000 00:00 0
    7f28e8021000-7f28ec000000 ---p 00000000 00:00 0
    7f28ee52f000-7f28ee778000 rw-p 00000000 00:00 0
    7f28ee779000-7f28ee785000 r-xp 00000000 08:03 40370579                   /lib64/libnss_files-2.12.so
    7f28ee785000-7f28ee985000 ---p 0000c000 08:03 40370579                   /lib64/libnss_files-2.12.so
    7f28ee985000-7f28ee986000 r--p 0000c000 08:03 40370579                   /lib64/libnss_files-2.12.so
    7f28ee986000-7f28ee987000 rw-p 0000d000 08:03 40370579                   /lib64/libnss_files-2.12.so
    7f28ee987000-7f28ee99d000 r-xp 00000000 08:03 40370982                   /lib64/libgcc_s-4.4.7-20120601.so.1
    7f28ee99d000-7f28eeb9c000 ---p 00016000 08:03 40370982                   /lib64/libgcc_s-4.4.7-20120601.so.1
    7f28eeb9c000-7f28eeb9d000 rw-p 00015000 08:03 40370982                   /lib64/libgcc_s-4.4.7-20120601.so.1
    7f28eeb9d000-7f28eeb9e000 ---p 00000000 00:00 0
    7f28eeb9e000-7f28ef59e000 rwxp 00000000 00:00 0
    7f28ef59e000-7f28ef5a4000 r-xp 00000000 08:03 5261057                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7f28ef5a4000-7f28ef7a4000 ---p 00006000 08:03 5261057                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7f28ef7a4000-7f28ef7a5000 rw-p 00006000 08:03 5261057                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7f28ef7a5000-7f28ef85d000 r-xp 00000000 08:03 5261058                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7f28ef85d000-7f28efa5c000 ---p 000b8000 08:03 5261058                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7f28efa5c000-7f28efa61000 rw-p 000b7000 08:03 5261058                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7f28efa61000-7f28efa77000 r-xp 00000000 08:03 5261056                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7f28efa77000-7f28efc77000 ---p 00016000 08:03 5261056                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7f28efc77000-7f28efc7a000 rw-p 00016000 08:03 5261056                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7f28efc7a000-7f28efd61000 r-xp 00000000 08:03 5520414                    /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so
    7f28efd61000-7f28efe60000 ---p 000e7000 08:03 5520414                    /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so
    7f28efe60000-7f28efe7d000 rw-p 000e6000 08:03 5520414                    /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so
    7f28efe7d000-7f28efe81000 rw-p 00000000 00:00 0
    7f28efe81000-7f28eff91000 r-xp 00000000 08:03 5520415                    /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7f28eff91000-7f28f0090000 ---p 00110000 08:03 5520415                    /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7f28f0090000-7f28f00a0000 rw-p 0010f000 08:03 5520415                    /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7f28f00a0000-7f28f023d000 rw-p 00000000 00:00 0
    7f28f023d000-7f28f038d000 r-xp 00000000 08:03 46924033                   /opt/xml2/lib/libxml2.so.2.9.2
    7f28f038d000-7f28f058c000 ---p 00150000 08:03 46924033                   /opt/xml2/lib/libxml2.so.2.9.2
    7f28f058c000-7f28f0596000 rw-p 0014f000 08:03 46924033                   /opt/xml2/lib/libxml2.so.2.9.2
    7f28f0596000-7f28f0598000 rw-p 00000000 00:00 0
    7f28f0598000-7f28f05f5000 r-xp 00000000 08:03 46924302                   /opt/curlssl/lib/libcurl.so.4.3.0
    7f28f05f5000-7f28f07f4000 ---p 0005d000 08:03 46924302                   /opt/curlssl/lib/libcurl.so.4.3.0
    7f28f07f4000-7f28f07f7000 rw-p 0005c000 08:03 46924302                   /opt/curlssl/lib/libcurl.so.4.3.0
    7f28f07f7000-7f28f07fa000 rw-p 00000000 00:00 0
    7f28f07fa000-7f28f083c000 r-xp 00000000 08:03 46923781                   /opt/pcre/lib/libpcre.so.1.2.4
    7f28f083c000-7f28f0a3c000 ---p 00042000 08:03 46923781                   /opt/pcre/lib/libpcre.so.1.2.4
    7f28f0a3c000-7f28f0a3d000 rw-p 00042000 08:03 46923781                   /opt/pcre/lib/libpcre.so.1.2.4
    7f28f0a3d000-7f28f0a41000 rw-p 00000000 00:00 0
    7f28f0a41000-7f28f0a6b000 r-xp 00000000 08:03 46924686                   /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    7f28f0a6b000-7f28f0c6a000 ---p 0002a000 08:03 46924686                   /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    7f28f0c6a000-7f28f0c6e000 rw-p 00029000 08:03 46924686                   /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    7f28f0c6e000-7f28f0c74000 rw-p 00000000 00:00 0
    7f28f0c7e000-7f28f0c7f000 rw-p 00000000 00:00 0
    7fff8455a000-7fff8456d000 rwxp 00000000 00:00 0                          [stack]
    7fff8456d000-7fff8456f000 rw-p 00000000 00:00 0
    7fff845fe000-7fff84600000 r-xp 00000000 00:00 0                          [vdso]
    
     
    #1 texas90, Aug 21, 2015
    Last edited by a moderator: Aug 21, 2015
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Access Level:
    Root Administrator
    You might want to take a closer look at that account. It seems to be attempting to connect to multiple mail servers, I think.
    Note the port mentioned :25

    Code:
    Network connections by the process (if any):
    tcp: serverIP:58966 -> 208.78.70.28:25
    tcp: serverIP:43553 -> 68.180.130.15:25
    tcp: serverIP:58743 -> 216.239.34.10:25
    tcp: serverIP:58535 -> 192.162.217.4:25
    tcp: serverIP:43697 -> 193.252.22.65:25
    tcp: serverIP:53717 -> 207.46.163.215:25
    
     
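The pattern Infopro points at (one short-lived PHP process with many simultaneous connections to port 25) can be checked mechanically rather than by eye. The script below is an added example for this thread, not csf/lfd code and not from any poster: it parses the report format shown in the first post, pulls out the connection list, and flags fan-out to SMTP ports from a process that is not the MTA. The threshold of three distinct peers, the treatment of anonymous rwx mappings as a low-confidence signal, and the trimmed copy of the report embedded as REPORT are my assumptions; "serverIP" is the placeholder the poster used.

```python
"""Triage an lfd "Suspicious process" report for outbound-spam behaviour.

Added example for this thread: not csf/lfd code and not the poster's own.
REPORT is a constructed copy of the report in the first post, with the
memory-map section trimmed to three representative lines.
"""
import re

SMTP_PORTS = {25, 465, 587}
SMTP_FANOUT_THRESHOLD = 3   # assumption: 3+ distinct MX hosts from one process is worth a page

REPORT = """\
Time:    Fri Aug 21 13:21:47 2015 +0000
PID:     660804 (Parent PID:464171)
Account: accountname
Uptime:  87 seconds

Executable:

/usr/selector/php

Command Line (often faked in exploits):

/usr/bin/php

Network connections by the process (if any):
tcp: serverIP:58966 -> 208.78.70.28:25
tcp: serverIP:43553 -> 68.180.130.15:25
tcp: serverIP:58743 -> 216.239.34.10:25
tcp: serverIP:58535 -> 192.162.217.4:25
tcp: serverIP:43697 -> 193.252.22.65:25
tcp: serverIP:53717 -> 207.46.163.215:25

Files open by the process (if any):

Memory maps by the process (if any):

00400000-00d52000 r-xp 00000000 08:03 5520411   /usr/selector/php
7f28eeb9e000-7f28ef59e000 rwxp 00000000 00:00 0
7fff8455a000-7fff8456d000 rwxp 00000000 00:00 0   [stack]
"""

# Section headers as lfd prints them (prefix match) -> key in the parsed dict.
SECTION_HEADERS = {
    "Executable": "exe",
    "Command Line": "cmdline",
    "Network connections": "conns",
    "Files open": "files",
    "Memory maps": "maps",
}
CONN_RE = re.compile(r"^(tcp|udp):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")
MAP_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+([rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_report(text):
    """Header 'Key: value' lines become dict entries; each section becomes a list of lines."""
    info = {key: [] for key in SECTION_HEADERS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = next((k for h, k in SECTION_HEADERS.items() if line.startswith(h)), None)
        if section:
            current = section
        elif current is None:
            key, _, value = line.partition(":")
            info[key.strip().lower()] = value.strip()
        else:
            info[current].append(line)
    return info


def connections(info):
    """(proto, src, sport, dst, dport) tuples from the network section."""
    out = []
    for line in info["conns"]:
        m = CONN_RE.match(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            out.append((proto, src, int(sport), dst, int(dport)))
    return out


def anonymous_rwx_maps(info):
    """Writable+executable regions with no backing file (an executable stack counts too)."""
    hits = []
    for line in info["maps"]:
        m = MAP_RE.match(line)
        if m and m.group(1) == "rwxp" and not m.group(2).startswith("/"):
            hits.append(line)
    return hits


def assess(info):
    """Return (severity, finding) tuples; 'high' means treat the account as compromised."""
    findings = []
    exe = info["exe"][0] if info["exe"] else ""
    argv0 = info["cmdline"][0].split()[0] if info["cmdline"] else ""
    if exe and argv0 and argv0 != exe:
        # Normal when argv[0] is a symlink or selector wrapper for the real binary;
        # suspicious when the real binary lives somewhere the web user can write.
        findings.append(("info", f"argv[0] is {argv0} but the executable is {exe}; "
                                 "resolve that path on the host"))
    peers = {dst for _, _, _, dst, dport in connections(info) if dport in SMTP_PORTS}
    if len(peers) >= SMTP_FANOUT_THRESHOLD:
        findings.append(("high", f"{len(peers)} distinct SMTP peers within {info.get('uptime', '?')}: "
                                 "direct-to-MX delivery from a PHP process, the usual spam-script pattern"))
    rwx = anonymous_rwx_maps(info)
    if rwx:
        findings.append(("low", f"{len(rwx)} anonymous rwx mapping(s); JIT/loader artefact or unpacked "
                                "payload, corroborating evidence only"))
    return findings


def is_likely_spam_bot(info):
    return any(sev == "high" for sev, _ in assess(info))


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for sev, text in assess(parsed):
        print(f"[{sev}] account={parsed.get('account')} pid={parsed.get('pid')}: {text}")
```

Run against the report in the first post it emits one "high" finding (six SMTP peers in 87 seconds), one "info" finding (argv[0] differs from the executable) and one "low" finding (two anonymous rwx regions, one of them the stack). Only the "high" one should drive an action on its own; the other two are things to look at once you are on the box, since loaders such as ionCube or Zend Guard and PHP selector wrappers produce the same artefacts legitimately.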
  3. texas90

    texas90 Member

    cPanel Access Level:
    Root Administrator
    Why would an account want to connect to a remote mail server?
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Access Level:
    Root Administrator
    No clue. Spamming?
     
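The report itself cannot answer texas90's question; only the live process can, and lfd's report is a snapshot taken from /proc. The script below is an added example (Linux only, not csf/lfd code and not from any poster) that re-reads the same facts for a PID that is still running: the real executable behind argv[0], whether that binary has been unlinked since exec, the working directory (usually where the script lives), the process age, and its TCP peers with the SMTP ones singled out. It parses /proc/net/tcp only, so IPv6 sockets are not listed; the SMTP port set is my assumption.

```python
"""Re-read from /proc what lfd's "Suspicious process" report shows for a live PID.

Added example for this thread (Linux only); it is not csf/lfd code. Use it on a
PID that is still running, before you kill it. IPv4 only: /proc/net/tcp6 is not
parsed here.
"""
import json
import os
import socket
import struct
import sys

SMTP_PORTS = {25, 465, 587}
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_addr(field):
    """/proc/net/tcp stores 'IPHEX:PORTHEX' with the IPv4 in host (little-endian) order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def socket_inodes(pid):
    """socket inode -> fd number for every socket the process holds."""
    found = {}
    fd_dir = f"/proc/{pid}/fd"
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue                                  # fd went away mid-scan
        if target.startswith("socket:["):
            found[target[len("socket:["):-1]] = int(fd)
    return found


def tcp_connections(pid):
    """((src_ip, sport), (dst_ip, dport), state) for the process's TCP sockets."""
    inodes = socket_inodes(pid)
    conns = []
    with open("/proc/net/tcp") as fh:
        next(fh)                                      # column header row
        for row in fh:
            parts = row.split()
            if parts[9] in inodes:                    # column 9 is the socket inode
                conns.append((decode_addr(parts[1]), decode_addr(parts[2]),
                              TCP_STATES.get(parts[3], parts[3])))
    return conns


def uptime_seconds(pid):
    """Seconds since exec: /proc/uptime minus starttime (field 22 of /proc/<pid>/stat)."""
    with open(f"/proc/{pid}/stat") as fh:
        after_comm = fh.read().rpartition(")")[2].split()   # comm may hold spaces/parens
    start_ticks = int(after_comm[19])                       # field 22 == index 19 past ')'
    with open("/proc/uptime") as fh:
        booted_for = float(fh.read().split()[0])
    return booted_for - start_ticks / os.sysconf("SC_CLK_TCK")


def describe(pid):
    exe = os.readlink(f"/proc/{pid}/exe")
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    argv0 = argv[0] if argv else ""
    tcp = tcp_connections(pid)
    return {
        "pid": pid,
        "exe": exe,
        "exe_deleted": exe.endswith(" (deleted)"),    # binary unlinked after exec: classic dropper trick
        "cwd": os.readlink(f"/proc/{pid}/cwd"),       # usually the directory holding the script
        "argv": argv,
        # lfd warns the command line is often faked; compare it with the kernel's view
        "argv0_matches_exe": os.path.realpath(argv0) == exe if argv0.startswith("/") else None,
        "uptime_s": round(uptime_seconds(pid), 2),
        "tcp": tcp,
        "smtp_peers": sorted({dst[0] for _, dst, _ in tcp if dst[1] in SMTP_PORTS}),
    }


def describe_self():
    """Self-check helper: describe the running interpreter."""
    return describe(os.getpid())


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(json.dumps(describe(target), indent=2, default=str))
```

Run as root with the PID from the report (`python3 triage.py 660804`) while the process is alive. For a spam script the interesting fields are `cwd` and the parent PID chain (which tell you which file under the account to pull), `exe_deleted` or an `exe` path inside the account's home, and a long `smtp_peers` list in SYN_SENT or ESTABLISHED state; a legitimate site mailer hands a handful of messages to the local MTA and never opens port 25 to dozens of remote hosts itself.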