LFD Suspicious process messages - (deleted) /usr/bin/php

63bus

Active Member
Mar 31, 2007
35
0
156
I posted this on the CSF Forum first but got no response.
Link - ConfigServer Scripts Community Forum - LFD Suspicious process messages - (deleted) /usr/bin/php
I hope it is not an issue to post this here too.

Summary:
I ran EasyApache (version 3.22.5) on my Cpanel / WHM server and since that time I have been getting 10-15 of these messages every hour or so:

Email subject line is:
lfd on <myserver>: Suspicious process running under user <me>
Me being my username, it's not "nobody"
Code:
Executable:

 (deleted)/usr/bin/php

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):



Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log


Memory maps by the process (if any):

00400000-00c4b000 r-xp 00000000 00:1a 26556476                            (deleted)/usr/bin/php
00e4a000-00ed3000 rw-p 0084a000 00:1a 26556476                            (deleted)/usr/bin/php
00ed3000-00ef4000 rw-p 00000000 00:00 0 
029fe000-03114000 rw-p 00000000 00:00 0                                  [heap]
7f7fbb219000-7f7fbd219000 rw-s 00000000 00:20 895385616                   (deleted)/VE13854-SYSV00000000

...
(Full memory map not posted)

Is there something I can check on my server to stop these messages?
I have already restarted both Apache and LFD just in case, the messages continued.

Coincidentally I had just run Easy Apache (3.22.4) the day before and these messages did not occur afterward.

EasyApache 3.22.6 was released so I recompiled using that - no change.
I later re-ran 3.22.6 in order to upgrade to PHP 5.4 from 5.3 as this was something I had been working on moving to for a while. No change.
I have not recompiled using EasyApache 3.22.7 yet so I am still on PHP 5.4.18, not 5.4.19, although I'm guessing this does not matter.
 

63bus

Active Member
Mar 31, 2007
35
0
156
Thanks for the response.
Yes, I have seen that but I do not know what to do.
It sounds like from that text and from a search I did where a CPanel admin pointed someone to this thread:
http://forum.configserver.com/viewtopic.php?f=6&t=2059
I need to restart PHP (Apache) to clear these errors.
I have done that. Multiple times, through WHM and by re-running EasyApache.
I do not want to turn off the notification either, in case of future legitimate messages.

Text there:
# lfd will report processes, even if they're listed in csf.pignore, if they're
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# Note: If a deleted executable process is detected and reported then lfd will
# not report children of the parent (or the parent itself if a child triggered
# the report) if the parent is also a deleted executable process
#
# To stop lfd reporting such process you need to restart the daemon to which it
# belongs and therefore run the process using the replacement binary (presuming
# one exists). This will normally mean running the associated startup script in
# /etc/init.d/
#
 
Last edited:

quietFinn

Well-Known Member
Feb 4, 2006
2,041
551
493
Finland
cPanel Access Level
Root Administrator
Have you checked if the PID in those messages is the same?

If it is then just kill that process.
 

63bus

Active Member
Mar 31, 2007
35
0
156
Hi,

Have you set the PT_DELETED = value to "0" ? set it to 0 and then restart both csf and lfd.
I don't want to turn it off.

- - - Updated - - -

Have you checked if the PID in those messages is the same?

If it is then just kill that process.
I checked and I am getting 15 emails every hour.
Yes, the PIDs appear to be the same every hour.

Doesn't restarting Apache through WHM kill and restart these processes?
If there is some other process I can do to totally shutdown Apache and kill everything, then restart it so these messages stop, let me know.
 

quietFinn

Well-Known Member
Feb 4, 2006
2,041
551
493
Finland
cPanel Access Level
Root Administrator
I'm afraid that killing that process manually is the best and easiest thing to do.
Just kill it and move on, things happen, and only if it starts happening again you should be worried.
 

63bus

Active Member
Mar 31, 2007
35
0
156
Thanks, I understand.
I did not realize that there were rogue PHP processes running that were causing this error.
I killed all 15 PHP PIDs that were being emailed and have not seen any further errors.

Is this an issue I may experience in the future when re-running EasyApache or was it a random fluke?
I could see the PHP PIDs in question were running since my first EasyApache run on August 19th, when the errors began.

Thank you.