lfd reporting Suspicious process running under user

texas90

I am getting plenty of these reports from lfd. I don't know what they mean. Can anybody tell me what they mean?

Thanks

Code:
Time:    Fri Aug 21 13:21:47 2015 +0000
PID:     660804 (Parent PID:464171)
Account: accountname
Uptime:  87 seconds


Executable:

/usr/selector/php


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):
tcp: serverIP:58966 -> 208.78.70.28:25
tcp: serverIP:43553 -> 68.180.130.15:25
tcp: serverIP:58743 -> 216.239.34.10:25
tcp: serverIP:58535 -> 192.162.217.4:25
tcp: serverIP:43697 -> 193.252.22.65:25
tcp: serverIP:53717 -> 207.46.163.215:25


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00d52000 r-xp 00000000 08:03 5520411                            /usr/selector/php
00f51000-01018000 rw-p 00951000 08:03 5520411                            /usr/selector/php
01018000-0103c000 rw-p 00000000 00:00 0
02320000-025f6000 rw-p 00000000 00:00 0                                  [heap]
7f28e8000000-7f28e8021000 rw-p 00000000 00:00 0
7f28e8021000-7f28ec000000 ---p 00000000 00:00 0
7f28ee52f000-7f28ee778000 rw-p 00000000 00:00 0
7f28ee779000-7f28ee785000 r-xp 00000000 08:03 40370579                   /lib64/libnss_files-2.12.so
7f28ee785000-7f28ee985000 ---p 0000c000 08:03 40370579                   /lib64/libnss_files-2.12.so
7f28ee985000-7f28ee986000 r--p 0000c000 08:03 40370579                   /lib64/libnss_files-2.12.so
7f28ee986000-7f28ee987000 rw-p 0000d000 08:03 40370579                   /lib64/libnss_files-2.12.so
7f28ee987000-7f28ee99d000 r-xp 00000000 08:03 40370982                   /lib64/libgcc_s-4.4.7-20120601.so.1
7f28ee99d000-7f28eeb9c000 ---p 00016000 08:03 40370982                   /lib64/libgcc_s-4.4.7-20120601.so.1
7f28eeb9c000-7f28eeb9d000 rw-p 00015000 08:03 40370982                   /lib64/libgcc_s-4.4.7-20120601.so.1
7f28eeb9d000-7f28eeb9e000 ---p 00000000 00:00 0
7f28eeb9e000-7f28ef59e000 rwxp 00000000 00:00 0
7f28ef59e000-7f28ef5a4000 r-xp 00000000 08:03 5261057                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7f28ef5a4000-7f28ef7a4000 ---p 00006000 08:03 5261057                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7f28ef7a4000-7f28ef7a5000 rw-p 00006000 08:03 5261057                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7f28ef7a5000-7f28ef85d000 r-xp 00000000 08:03 5261058                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7f28ef85d000-7f28efa5c000 ---p 000b8000 08:03 5261058                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7f28efa5c000-7f28efa61000 rw-p 000b7000 08:03 5261058                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7f28efa61000-7f28efa77000 r-xp 00000000 08:03 5261056                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7f28efa77000-7f28efc77000 ---p 00016000 08:03 5261056                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7f28efc77000-7f28efc7a000 rw-p 00016000 08:03 5261056                    /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7f28efc7a000-7f28efd61000 r-xp 00000000 08:03 5520414                    /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so
7f28efd61000-7f28efe60000 ---p 000e7000 08:03 5520414                    /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so
7f28efe60000-7f28efe7d000 rw-p 000e6000 08:03 5520414                    /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so
7f28efe7d000-7f28efe81000 rw-p 00000000 00:00 0
7f28efe81000-7f28eff91000 r-xp 00000000 08:03 5520415                    /usr/local/IonCube/ioncube_loader_lin_5.4.so
7f28eff91000-7f28f0090000 ---p 00110000 08:03 5520415                    /usr/local/IonCube/ioncube_loader_lin_5.4.so
7f28f0090000-7f28f00a0000 rw-p 0010f000 08:03 5520415                    /usr/local/IonCube/ioncube_loader_lin_5.4.so
7f28f00a0000-7f28f023d000 rw-p 00000000 00:00 0
7f28f023d000-7f28f038d000 r-xp 00000000 08:03 46924033                   /opt/xml2/lib/libxml2.so.2.9.2
7f28f038d000-7f28f058c000 ---p 00150000 08:03 46924033                   /opt/xml2/lib/libxml2.so.2.9.2
7f28f058c000-7f28f0596000 rw-p 0014f000 08:03 46924033                   /opt/xml2/lib/libxml2.so.2.9.2
7f28f0596000-7f28f0598000 rw-p 00000000 00:00 0
7f28f0598000-7f28f05f5000 r-xp 00000000 08:03 46924302                   /opt/curlssl/lib/libcurl.so.4.3.0
7f28f05f5000-7f28f07f4000 ---p 0005d000 08:03 46924302                   /opt/curlssl/lib/libcurl.so.4.3.0
7f28f07f4000-7f28f07f7000 rw-p 0005c000 08:03 46924302                   /opt/curlssl/lib/libcurl.so.4.3.0
7f28f07f7000-7f28f07fa000 rw-p 00000000 00:00 0
7f28f07fa000-7f28f083c000 r-xp 00000000 08:03 46923781                   /opt/pcre/lib/libpcre.so.1.2.4
7f28f083c000-7f28f0a3c000 ---p 00042000 08:03 46923781                   /opt/pcre/lib/libpcre.so.1.2.4
7f28f0a3c000-7f28f0a3d000 rw-p 00042000 08:03 46923781                   /opt/pcre/lib/libpcre.so.1.2.4
7f28f0a3d000-7f28f0a41000 rw-p 00000000 00:00 0
7f28f0a41000-7f28f0a6b000 r-xp 00000000 08:03 46924686                   /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f28f0a6b000-7f28f0c6a000 ---p 0002a000 08:03 46924686                   /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f28f0c6a000-7f28f0c6e000 rw-p 00029000 08:03 46924686                   /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7f28f0c6e000-7f28f0c74000 rw-p 00000000 00:00 0
7f28f0c7e000-7f28f0c7f000 rw-p 00000000 00:00 0
7fff8455a000-7fff8456d000 rwxp 00000000 00:00 0                          [stack]
7fff8456d000-7fff8456f000 rw-p 00000000 00:00 0
7fff845fe000-7fff84600000 r-xp 00000000 00:00 0                          [vdso]

Infopro

You might want to take a closer look at that account. It seems to be attempting to connect to multiple mail servers, I think.
Note the port mentioned :25

Code:
Network connections by the process (if any):
tcp: serverIP:58966 -> 208.78.70.28:25
tcp: serverIP:43553 -> 68.180.130.15:25
tcp: serverIP:58743 -> 216.239.34.10:25
tcp: serverIP:58535 -> 192.162.217.4:25
tcp: serverIP:43697 -> 193.252.22.65:25
tcp: serverIP:53717 -> 207.46.163.215:25
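As an added example (not part of the thread, and not lfd's own code), the following Python script parses a report in the layout posted above and pulls out the two things worth checking first in triage: whether the reported command line differs from the actual executable (the report itself warns the command line is often faked), and whether a short-lived process has opened a burst of outbound SMTP connections, which is the pattern Infopro points at. The embedded report is constructed from the one in the first post, with `serverIP` and `accountname` left as placeholders. The SMTP port set (25, 465, 587) and the threshold of three connections are assumptions chosen for the example, not lfd settings. A command line that differs from the executable is not proof of anything on its own (a PHP wrapper or selector binary produces exactly that), so the script reports it as a finding to look at rather than a verdict.

```python
import re

# Constructed sample: an abbreviated lfd "Suspicious process" report in the
# same layout as the one posted in the thread (placeholders kept as-is).
SAMPLE_REPORT = """\
Time:    Fri Aug 21 13:21:47 2015 +0000
PID:     660804 (Parent PID:464171)
Account: accountname
Uptime:  87 seconds


Executable:

/usr/selector/php


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):
tcp: serverIP:58966 -> 208.78.70.28:25
tcp: serverIP:43553 -> 68.180.130.15:25
tcp: serverIP:58743 -> 216.239.34.10:25
tcp: serverIP:58535 -> 192.162.217.4:25
tcp: serverIP:43697 -> 193.252.22.65:25
tcp: serverIP:53717 -> 207.46.163.215:25


Files open by the process (if any):
"""

# "tcp: src:port -> dst:port" lines in the network-connections section.
CONN_RE = re.compile(r"^(tcp|udp):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$")
# Single-line header fields at the top of the report.
HEADER_RE = re.compile(r"^(Time|PID|Account|Uptime):\s*(.*)$")

SMTP_PORTS = {25, 465, 587}   # assumption: ports treated as outbound mail
SMTP_THRESHOLD = 3            # assumption: how many connections count as a burst


def parse_lfd_report(text):
    """Return header fields, executable, command line and parsed connections."""
    info = {"executable": None, "command_line": None, "connections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            info[m.group(1).lower()] = m.group(2).strip()
            continue
        # Section headers switch what the following non-blank lines mean.
        if line.startswith("Executable:"):
            section = "executable"
            continue
        if line.startswith("Command Line"):
            section = "command_line"
            continue
        if line.startswith("Network connections"):
            section = "connections"
            continue
        if line.startswith("Files open") or line.startswith("Memory maps"):
            section = None
            continue
        if not line:
            continue
        if section in ("executable", "command_line") and info[section] is None:
            info[section] = line
        elif section == "connections":
            m = CONN_RE.match(line)
            if m:
                info["connections"].append(
                    {"proto": m.group(1), "dst": m.group(4), "dport": int(m.group(5))}
                )
    return info


def triage(info):
    """Return a list of human-readable findings worth a closer look."""
    findings = []
    exe, cmd = info.get("executable"), info.get("command_line")
    if exe and cmd and cmd.split()[0] != exe:
        findings.append(f"command line '{cmd}' differs from executable '{exe}'")
    smtp = [c for c in info["connections"] if c["dport"] in SMTP_PORTS]
    if len(smtp) >= SMTP_THRESHOLD:
        hosts = sorted({c["dst"] for c in smtp})
        findings.append(
            f"{len(smtp)} outbound SMTP connections to {len(hosts)} distinct hosts "
            f"within uptime '{info.get('uptime')}'"
        )
    return findings


if __name__ == "__main__":
    report = parse_lfd_report(SAMPLE_REPORT)
    for finding in triage(report):
        print("-", finding)
```

Run against the constructed report it prints two findings: the executable/command-line difference and six SMTP connections to six distinct hosts in an 87-second-old process. Either finding alone is a reason to look at the account's web content and sent-mail logs; both together are what a PHP script sending mail directly to remote MX hosts looks like from the outside.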