The Community Forums


LFD Suspicious process messages - (deleted) /usr/bin/php

Discussion in 'Security' started by 63bus, Aug 27, 2013.

  1. 63bus

    63bus Active Member

    I posted this on the CSF Forum first but got no response.
    Link - ConfigServer Scripts Community Forum - LFD Suspicious process messages - (deleted) /usr/bin/php
    I hope it is not an issue to post this here too.

    Summary:
    I ran EasyApache (version 3.22.5) on my cPanel/WHM server and since that time I have been getting 10-15 of these messages every hour or so:

    Email subject line is:
    lfd on <myserver>: Suspicious process running under user <me>
    <me> being my username; it's not "nobody".
    Code:
    Executable:
    
     (deleted)/usr/bin/php
    
    The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php
    
    
    Network connections by the process (if any):
    
    
    
    Files open by the process (if any):
    
    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/error_log
    
    
    Memory maps by the process (if any):
    
    00400000-00c4b000 r-xp 00000000 00:1a 26556476                            (deleted)/usr/bin/php
    00e4a000-00ed3000 rw-p 0084a000 00:1a 26556476                            (deleted)/usr/bin/php
    00ed3000-00ef4000 rw-p 00000000 00:00 0 
    029fe000-03114000 rw-p 00000000 00:00 0                                  [heap]
    7f7fbb219000-7f7fbd219000 rw-s 00000000 00:20 895385616                   (deleted)/VE13854-SYSV00000000
    
    ...
    
    (Full memory map not posted)

    Is there something I can check on my server to stop these messages?
    I have already restarted both Apache and LFD just in case, the messages continued.

    Coincidentally I had just run Easy Apache (3.22.4) the day before and these messages did not occur afterward.

    EasyApache 3.22.6 was released so I recompiled using that - no change.
    I later re-ran 3.22.6 in order to upgrade to PHP 5.4 from 5.3 as this was something I had been working on moving to for a while. No change.
    I have not recompiled using EasyApache 3.22.7 yet so I am still on PHP 5.4.18, not 5.4.19, although I'm guessing this does not matter.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    In CSF configuration, locate this setting:
    PT_DELETED

    A proper description is there for you.
     
  3. 63bus

    63bus Active Member

    Thanks for the response.
    Yes, I have seen that but I do not know what to do.
    From that text, and from a search I did in which a cPanel admin pointed someone to this thread:
    http://forum.configserver.com/viewtopic.php?f=6&t=2059
    I need to restart PHP (Apache) to clear these errors.
    I have done that multiple times, through WHM and by re-running EasyApache.
    I do not want to turn off the notification either, in case of future legitimate messages.

    Text there:
     
    #3 63bus, Aug 27, 2013
    Last edited: Aug 27, 2013
  4. inthukha

    inthukha Well-Known Member

    Hi,

    Have you set the PT_DELETED value to "0"? Set it to 0 and then restart both csf and lfd.
     
  5. quietFinn

    quietFinn Well-Known Member

    Have you checked if the PID in those messages is the same?

    If it is then just kill that process.
     
  6. 63bus

    63bus Active Member

    I don't want to turn it off.

    - - - Updated - - -

    I checked and I am getting 15 emails every hour.
    Yes, the PIDs appear to be the same every hour.

    Doesn't restarting Apache through WHM kill and restart these processes?
    If there is some other process I can follow to totally shut down Apache and kill everything, then restart it so these messages stop, let me know.
     
  7. quietFinn

    quietFinn Well-Known Member

    I'm afraid that killing that process manually is the best and easiest thing to do.
    Just kill it and move on; things happen, and only if it starts happening again should you be worried.
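The check lfd performs for PT_DELETED, enumerating processes whose executable no longer exists on disk, can be reproduced by hand so the stale PIDs (and their start times, which in this thread dated back to the August 19th EasyApache run) are visible in one listing before anything is restarted or killed. This is an added example, not lfd's or csf's code; it assumes a Linux /proc and a procps-style ps.

```shell
#!/bin/sh
# Added example: list processes whose executable has been deleted on disk,
# the condition lfd reports under PT_DELETED. Not lfd's own implementation.

# Return 0 if a readlink(1) result for /proc/PID/exe names a deleted file.
# Newer kernels append " (deleted)"; older kernels (the form seen in the
# lfd report above) prepend "(deleted)". Both spellings are accepted.
is_deleted_target() {
    case "$1" in
        *" (deleted)"|"(deleted)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PID USER START EXE" for every process running a deleted executable.
# Reading /proc/PID/exe of other users' processes requires root; entries
# that cannot be read are skipped rather than reported.
deleted_exe_procs() {
    [ -d /proc ] || return 0
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        is_deleted_target "$exe" || continue
        user=$(ps -o user= -p "$pid" 2>/dev/null)
        start=$(ps -o lstart= -p "$pid" 2>/dev/null)
        printf '%s %s %s %s\n' "$pid" "${user:-?}" "${start:-?}" "$exe"
    done
    return 0
}

# Number of such processes; useful to compare against the e-mail count
# (15 per hour in the thread means 15 distinct stale PIDs, not 15 events).
deleted_exe_count() {
    deleted_exe_procs | wc -l | tr -d ' '
}

deleted_exe_procs
```

Processes whose START predates the EasyApache rebuild and which survive an Apache restart are the ones the thread ends up terminating by PID; the listing also shows any that belong to a user other than the web server, which would warrant a closer look before killing.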
     
  8. 63bus

    63bus Active Member

    Thanks, I understand.
    I did not realize that there were rogue PHP processes running that were causing this error.
    I killed all 15 PHP PIDs that were being emailed and have not seen any further errors.

    Is this an issue I may experience in the future when re-running EasyApache or was it a random fluke?
    I could see the PHP PIDs in question were running since my first EasyApache run on August 19th, when the errors began.

    Thank you.
     