The Community Forums

Interact with an entire community of cPanel & WHM users!

lfd: Suspicious process running under user bintanne

Discussion in 'General Discussion' started by brendanrtg, May 8, 2007.

  1. brendanrtg (Well-Known Member)

    We got this message from lfd and csf, which was installed on our server.

    We are not sure if it's a legit process; can any experts out there please advise?

    Thank you.

    Time: Tue May 8 03:10:51 2007
    PID: 10022
    Account: bintanne
    Uptime: 98 seconds


    Executable:

    /usr/local/cpanel/cpanel


    Command Line (often faked in exploits):

    /usr/local/cpanel/cpanel ./frontend/x/files/doupload.html


    Network connections by the process (if any):

    tcp: 164.56.77.24:2082 -> 222.124.12.94:36550


    Files open by the process (if any):

    /var/cpanel/lang.cache/english.cache
    /var/cpanel/lang.cache/theme/x/english.cache
    /home/bintanne/tmp/cpanel.TMP.8bRk2DkFzS3EeQim


    Memory maps by the process (if any):

    00486000-004a0000 r-xp 00000000 fd:00 36274194 /lib/ld-2.3.6.so
    004a0000-004a1000 r-xp 00019000 fd:00 36274194 /lib/ld-2.3.6.so
    004a1000-004a2000 rwxp 0001a000 fd:00 36274194 /lib/ld-2.3.6.so
    004a4000-005c7000 r-xp 00000000 fd:00 36274203 /lib/libc-2.3.6.so
    005c7000-005c9000 r-xp 00122000 fd:00 36274203 /lib/libc-2.3.6.so
    005c9000-005cb000 rwxp 00124000 fd:00 36274203 /lib/libc-2.3.6.so
    005cb000-005cd000 rwxp 005cb000 00:00 0
    005cf000-005d1000 r-xp 00000000 fd:00 36274211 /lib/libdl-2.3.6.so
    005d1000-005d2000 r-xp 00001000 fd:00 36274211 /lib/libdl-2.3.6.so
    005d2000-005d3000 rwxp 00002000 fd:00 36274211 /lib/libdl-2.3.6.so
    005d5000-005f8000 r-xp 00000000 fd:00 36274226 /lib/libm-2.3.6.so
    005f8000-005f9000 r-xp 00022000 fd:00 36274226 /lib/libm-2.3.6.so
    005f9000-005fa000 rwxp 00023000 fd:00 36274226 /lib/libm-2.3.6.so
    00625000-0062a000 r-xp 00000000 fd:00 36274275 /lib/libcrypt-2.3.6.so
    0062a000-0062b000 r-xp 00004000 fd:00 36274275 /lib/libcrypt-2.3.6.so
    0062b000-0062c000 rwxp 00005000 fd:00 36274275 /lib/libcrypt-2.3.6.so
    0062c000-00653000 rwxp 0062c000 00:00 0
    0066a000-0067b000 r-xp 00000000 fd:00 36274273 /lib/libnsl-2.3.6.so
    0067b000-0067c000 r-xp 00010000 fd:00 36274273 /lib/libnsl-2.3.6.so
    0067c000-0067d000 rwxp 00011000 fd:00 36274273 /lib/libnsl-2.3.6.so
    0067d000-0067f000 rwxp 0067d000 00:00 0
    00a3e000-00a40000 r-xp 00000000 fd:00 36274190 /lib/libutil-2.3.6.so
    00a40000-00a41000 r-xp 00001000 fd:00 36274190 /lib/libutil-2.3.6.so
    00a41000-00a42000 rwxp 00002000 fd:00 36274190 /lib/libutil-2.3.6.so
    08048000-087a9000 r-xp 00000000 fd:00 6031720 /usr/local/cpanel/cpanel
    087a9000-08eb5000 rwxp 00761000 fd:00 6031720 /usr/local/cpanel/cpanel
    08eb5000-08ebf000 rwxp 08eb5000 00:00 0
    09e5c000-0a305000 rwxp 09e5c000 00:00 0 [heap]
    b7de6000-b7def000 r-xp 00000000 fd:00 36274228 /lib/libnss_files-2.3.6.so
    b7def000-b7df0000 r-xp 00008000 fd:00 36274228 /lib/libnss_files-2.3.6.so
    b7df0000-b7df1000 rwxp 00009000 fd:00 36274228 /lib/libnss_files-2.3.6.so
    b7df1000-b7df3000 rwxp b7df1000 00:00 0
    b7df3000-b7ed0000 r-xp 00000000 fd:00 6127683 /usr/local/cpanel/perl/libperl.so
    b7ed0000-b7edb000 rwxp 000dc000 fd:00 6127683 /usr/local/cpanel/perl/libperl.so
    b7edb000-b7edc000 r-xp 00000000 fd:00 6127677 /usr/local/cpanel/perl/Cpanel/UniqId/UniqId.so
    b7edc000-b7edd000 rwxp 00000000 fd:00 6127677 /usr/local/cpanel/perl/Cpanel/UniqId/UniqId.so
    b7edd000-b7ede000 r-xp 00000000 fd:00 6127654 /usr/local/cpanel/perl/Sys/Hostname/Hostname.so
    b7ede000-b7edf000 rwxp 00000000 fd:00 6127654 /usr/local/cpanel/perl/Sys/Hostname/Hostname.so
    b7edf000-b7ee4000 r-xp 00000000 fd:00 6127758 /usr/local/cpanel/perl/version/vxs/vxs.so
    b7ee4000-b7ee5000 rwxp 00004000 fd:00 6127758 /usr/local/cpanel/perl/version/vxs/vxs.so
    b7ee5000-b7ee7000 r-xp 00000000 fd:00 6127642 /usr/local/cpanel/perl/Cwd/Cwd.so
    b7ee7000-b7ee8000 rwxp 00001000 fd:00 6127642 /usr/local/cpanel/perl/Cwd/Cwd.so
    b7ee8000-b7ee9000 rwxp b7ee8000 00:00 0
    b7ee9000-b7ef9000 r-xp 00000000 fd:00 6127667 /usr/local/cpanel/perl/Storable/Storable.so
    b7ef9000-b7efa000 rwxp 00010000 fd:00 6127667 /usr/local/cpanel/perl/Storable/Storable.so
    b7efa000-b7eff000 r-xp 00000000 fd:00 6127623 /usr/local/cpanel/perl/List/Util/Util.so
    b7eff000-b7f00000 rwxp 00005000 fd:00 6127623 /usr/local/cpanel/perl/List/Util/Util.so
    b7f00000-b7f18000 r-xp 00000000 fd:00 6127635 /usr/local/cpanel/perl/DBI/DBI.so
    b7f18000-b7f19000 rwxp 00017000 fd:00 6127635 /usr/local/cpanel/perl/DBI/DBI.so
    b7f19000-b7f1a000 r-xp 00000000 fd:00 6127699 /usr/local/cpanel/perl/Lchown/Lchown.so
    b7f1a000-b7f1b000 rwxp 00000000 fd:00 6127699 /usr/local/cpanel/perl/Lchown/Lchown.so
    b7f1b000-b7f30000 r-xp 00000000 fd:00 6127757 /usr/local/cpanel/perl/POSIX/POSIX.so
    b7f30000-b7f31000 rwxp 00014000 fd:00 6127757 /usr/local/cpanel/perl/POSIX/POSIX.so
    b7f31000-b7f32000 rwxp b7f31000 00:00 0
    b7f32000-b7f36000 r-xp 00000000 fd:00 6127640 /usr/local/cpanel/perl/Socket/Socket.so
    b7f36000-b7f37000 rwxp 00003000 fd:00 6127640 /usr/local/cpanel/perl/Socket/Socket.so
    b7f37000-b7f3c000 r-xp 00000000 fd:00 6127760 /usr/local/cpanel/perl/Time/HiRes/HiRes.so
    b7f3c000-b7f3d000 rwxp 00004000 fd:00 6127760 /usr/local/cpanel/perl/Time/HiRes/HiRes.so
    b7f3d000-b7f40000 r-xp 00000000 fd:00 6127670 /usr/local/cpanel/perl/Digest/MD5/MD5.so
    b7f40000-b7f41000 rwxp 00002000 fd:00 6127670 /usr/local/cpanel/perl/Digest/MD5/MD5.so
    b7f41000-b7f43000 r-xp 00000000 fd:00 6127656 /usr/local/cpanel/perl/Filesys/Df/Df.so
    b7f43000-b7f44000 rwxp 00001000 fd:00 6127656 /usr/local/cpanel/perl/Filesys/Df/Df.so
    b7f44000-b7f48000 r-xp 00000000 fd:00 6127631 /usr/local/cpanel/perl/IO/Interface/Interface.so
    b7f48000-b7f49000 rwxp 00003000 fd:00 6127631 /usr/local/cpanel/perl/IO/Interface/Interface.so
    b7f49000-b7f4c000 r-xp 00000000 fd:00 6127626 /usr/local/cpanel/perl/Text/Iconv/Iconv.so
    b7f4c000-b7f4d000 rwxp 00002000 fd:00 6127626 /usr/local/cpanel/perl/Text/Iconv/Iconv.so
    b7f4d000-b7f4e000 rwxp b7f4d000 00:00 0
    b7f4e000-b7f4f000 r-xp 00000000 fd:00 6127638 /usr/local/cpanel/perl/String/CRC32/CRC32.so
    b7f4f000-b7f50000 rwxp 00001000 fd:00 6127638 /usr/local/cpanel/perl/String/CRC32/CRC32.so
    b7f50000-b7f54000 r-xp 00000000 fd:00 6127629 /usr/local/cpanel/perl/IO/IO.so
    b7f54000-b7f55000 rwxp 00003000 fd:00 6127629 /usr/local/cpanel/perl/IO/IO.so
    b7f55000-b7f57000 r-xp 00000000 fd:00 6127644 /usr/local/cpanel/perl/Fcntl/Fcntl.so
    b7f57000-b7f58000 rwxp 00002000 fd:00 6127644 /usr/local/cpanel/perl/Fcntl/Fcntl.so
    b7f58000-b7f59000 rwxp b7f58000 00:00 0
    b7f5d000-b7f63000 rwxp b7f5d000 00:00 0
    b7f63000-b7f64000 r-xp b7f63000 00:00 0
    bf822000-bf864000 rwxp bf822000 00:00 0 [stack]
     
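A way to read an lfd "Suspicious process" alert systematically, as an added example that is not part of the original post or of csf/lfd itself. It splits the alert into its sections and checks the things lfd's own wording points at: the heading "Command Line (often faked in exploits)" is the hint, because argv[0] is whatever the program chose to put there, while the Executable line comes from the kernel's view of the process, so a mismatch between the two, an executable under a tmp directory, or one marked "(deleted)" is the real signal. Applied to the alert above, the executable is the path cPanel's main binary normally lives at, argv[0] agrees with it, and the one socket has cPanel's HTTP port 2082 on the local side, which makes it an inbound browser session rather than a connection the process opened; the only thing left to note is the upload temp file under the user's ~/tmp. The second alert in the block is constructed to show what a bad one looks like, and the section names, port list and severity labels are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

# ALERT_FROM_POST is the alert quoted in the thread (blank lines and the
# memory map dropped, since they are not used). ALERT_CONSTRUCTED is invented
# for this example: an unlinked file under /tmp whose argv[0] claims to be Apache.
ALERT_FROM_POST = """\
Time: Tue May 8 03:10:51 2007
PID: 10022
Account: bintanne
Uptime: 98 seconds
Executable:
/usr/local/cpanel/cpanel
Command Line (often faked in exploits):
/usr/local/cpanel/cpanel ./frontend/x/files/doupload.html
Network connections by the process (if any):
tcp: 164.56.77.24:2082 -> 222.124.12.94:36550
Files open by the process (if any):
/var/cpanel/lang.cache/english.cache
/home/bintanne/tmp/cpanel.TMP.8bRk2DkFzS3EeQim
"""
ALERT_CONSTRUCTED = """\
Time: Tue May 8 04:00:00 2007
PID: 10999
Account: bintanne
Uptime: 3601 seconds
Executable:
/tmp/.x/httpd (deleted)
Command Line (often faked in exploits):
/usr/sbin/httpd -k start
Network connections by the process (if any):
tcp: 164.56.77.24:51422 -> 222.124.12.94:6667
Files open by the process (if any):
/dev/null
"""

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Ports cPanel/WHM/webmail and the web server listen on (assumed list). A
# connection whose LOCAL port is one of these is an inbound client session.
LOCAL_SERVICE_PORTS = {80, 443, 2082, 2083, 2086, 2087, 2095, 2096}
SECTIONS = {"Executable": "executable", "Command Line": "cmdline",
            "Network connections": "net", "Files open": "files", "Memory maps": "maps"}
NET_RE = re.compile(r"(tcp|udp): \S+:(\d+) -> (\S+):(\d+)")


def parse_alert(text: str) -> Dict[str, List[str]]:
    """Split an alert into scalar header fields (time, pid, account, uptime)
    and the multi-line sections in SECTIONS; values are lists of lines."""
    out: Dict[str, List[str]] = {v: [] for v in SECTIONS.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # a section heading such as "Executable:"
            section = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
            continue
        if section is None:  # header line such as "PID: 10022"
            field, _, value = line.partition(":")
            out[field.strip().lower()] = [value.strip()]
        else:
            out[section].append(line)
    return out


def in_tmp(path: str) -> bool:
    return path.startswith(TMP_DIRS) or "/tmp/" in path  # also ~user/tmp


def indicators(alert: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(level, message) pairs: 'high' should never be true of a legitimate
    cPanel process, 'info' is worth a glance but usually benign."""
    found: List[Tuple[str, str]] = []
    exe = alert["executable"][0] if alert["executable"] else ""
    exe_path = exe.replace(" (deleted)", "")
    argv0 = alert["cmdline"][0].split()[0] if alert["cmdline"] else ""
    if exe.endswith("(deleted)"):
        found.append(("high", "executable has been unlinked from disk"))
    if in_tmp(exe_path):
        found.append(("high", f"executable lives in a temp directory: {exe_path}"))
    if argv0 and argv0 != exe_path:  # argv[0] is attacker-controlled, the exe path is not
        found.append(("high", f"argv[0] {argv0!r} does not match executable {exe_path!r}"))
    for conn in alert["net"]:
        m = NET_RE.match(conn)
        if m and int(m.group(2)) not in LOCAL_SERVICE_PORTS:
            found.append(("high", f"outbound {m.group(1)} connection to {m.group(3)}:{m.group(4)}"))
    for f in alert["files"]:
        if in_tmp(f):
            found.append(("info", f"open file in a temp directory: {f}"))
    return found


def triage(text: str) -> Dict[str, object]:
    alert = parse_alert(text)
    found = indicators(alert)
    return {"pid": alert["pid"][0], "account": alert["account"][0],
            "high": [m for lvl, m in found if lvl == "high"],
            "info": [m for lvl, m in found if lvl == "info"]}
```

`triage(ALERT_FROM_POST)` reports no high indicators and one info line (the ~/tmp upload file), while the constructed alert trips all four high checks. An alert that scores clean here still deserves the on-disk checks in later posts, because the alert text only tells you what the process looked like at the moment lfd sampled it.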
  2. erik@delphi (Well-Known Member, Belgium)


    This is very suspicious... Check your server immediately; the path to the executable is not even correct. Probably some faked rootkit or something. What do rkhunter and chkrootkit say?
     
  3. brendanrtg (Well-Known Member)

    We did a check and DID find a directory on our server at

    /usr/local/cpanel/cpanel

    Upon an ls, we found the following files, owned by ROOT.

    root@horizon [/usr/local/cpanel/Cpanel]# ls
    ./ cPAddons/ ExampleModule.pm MysqlFE.pm Search.pm
    ../ cPAddons.pm ExtPerlMod.pm Mysql.pm Serverinfo.pm
    Accounting-class.php.inc CPAN/ FileUtils.pm Notify.pm SetLang.pm
    Accounting.php.inc cPanelFunctions.pm Form.pm NVData.pm SocketIP.pm
    Accounting.pm CpBackup.pm Frontpage.pm ObjCache.pm SpamAssassin.pm
    AcctUtils.pm cPCPAN.pm FtpUtils.pm OldAddon2cPAddonsHandler.pm SSH.pm
    AddonDomain.pm cPQuota.pm Gzip.pm OpenSSL.pm SSHUtils.pm
    Addons.pm cPServices.pm Htaccess.pm OSDATA.pm SSLInfo.pm
    AdminBin.pm CSS.pm HttpRequest.pm Park.pm StatManager.pm
    ApacheConf.pm DataStore.pm HttpTimer.pm PHP.pm StatsBar.pm
    Api2.pm DbUtils.pm HttpUtils.pm PipeHandler.pm Status.pm
    ArrayFunc.pm DenyIp.pm iContact.pm PkgInfo.pm StringFunc.pm
    Bandwidth.pm DIp.pm ImageManager.pm Postgres.pm SupportRequest.pm
    BinCheck.pm DiskUsage.pm Installer.pm Preparse.pm SysPkgs/
    BinUtils.pm DNSLib.pm Ips.pm Public/ SysPkgs.pm
    BitConvert.pm DnsRoots.pm Lang/ PwCache.pm Template.pm
    BoxTrapper.pm DnsUtils.pm LangMods.pm Quota.pm Themes.pm
    Branding.pm DomainIp.pm Lang.pm Rand.pm TieLang.pm
    CachedCommand.pm DomainLookup.pm LeechProtect.pm Regex.pm UI.pm
    Carp.pm DomainTools.pm LoadFile.pm ResellerFunctions.pm UrlTools.pm
    CheckData.pm EasyApache/ Logger.pm Resellers.pm UserDomainIp.pm
    CheckPass.pm Encoder.pm LogManager.pm RollBack.pm Version.pm
    CommentKiller.pm Env.pm Logs.pm SafeDir.pm WebMail.pm
    Config.pm Errors.pm MailTools.pm SafeRun.pm
    core EventHandler.pm MirrorSearch.pm SafetyBits.pm

    We have suspended the account and disabled the directory while we install chkrootkit to check the server in detail.
     
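The listing in the post above is of /usr/local/cpanel/Cpanel, the Perl module directory, whereas the alert named the binary /usr/local/cpanel/cpanel (note the case); the file called `core` in that listing has the default name of a core dump and is worth a look with `file`, but it is not what lfd reported. What actually settles whether the running process is the binary on disk is the device and inode the kernel recorded in the memory map (fd:00 6031720 in the alert): if `ls -li /usr/local/cpanel/cpanel` shows a different inode, the process is executing a file that is no longer the one you would hash or inspect, and `ls -l /proc/10022/exe` will say "(deleted)" when the mapped file was unlinked. The following added example (not from the thread or from csf) does that comparison; the function names are this example's own, and `self_check()` builds a temporary file so the block runs offline.

```python
import os
import re
import tempfile
from typing import Optional, Tuple

# Three lines of the alert's memory map, copied from the post.
MAPS_FROM_POST = """\
08048000-087a9000 r-xp 00000000 fd:00 6031720 /usr/local/cpanel/cpanel
087a9000-08eb5000 rwxp 00761000 fd:00 6031720 /usr/local/cpanel/cpanel
bf822000-bf864000 rwxp bf822000 00:00 0 [stack]
"""

# address range, perms, file offset, major:minor (hex), inode, optional path
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S{4}\s+[0-9a-f]+\s+([0-9a-f]+):([0-9a-f]+)\s+(\d+)\s*(.*)$"
)
Identity = Tuple[int, int, int]  # (major, minor, inode)


def maps_identity(maps_text: str, path: str) -> Optional[Identity]:
    """Device and inode the kernel recorded for `path` when the process
    mapped it, or None if the path does not appear in the map."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and m.group(4).replace(" (deleted)", "") == path:
            return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))
    return None


def disk_identity(path: str) -> Identity:
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev), st.st_ino


def binary_matches(maps_text: str, path: str) -> bool:
    """True when the file now at `path` is the very inode the process mapped.
    False means the process runs something other than what ls shows: the file
    was replaced after start (an upgrade, or a trojaned copy) or unlinked, so
    hashing or inspecting the on-disk file says nothing about the process."""
    mapped = maps_identity(maps_text, path)
    return mapped is not None and mapped == disk_identity(path)


def self_check() -> Tuple[bool, bool]:
    """Build a maps line for a real temporary file, then swap the file for a
    new inode the way a replaced binary would be. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cpanel")
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF")
        major, minor, ino = disk_identity(path)
        line = f"08048000-087a9000 r-xp 00000000 {major:02x}:{minor:02x} {ino} {path}"
        before = binary_matches(line, path)
        replacement = os.path.join(d, "cpanel.new")  # distinct inode while both exist
        with open(replacement, "wb") as fh:
            fh.write(b"\x7fELF")
        os.replace(replacement, path)
        after = binary_matches(line, path)
    return before, after
```

On a live box, feed `open("/proc/10022/maps").read()` to `binary_matches` while the process is still running; once it has exited the only record left is the map text in the alert, which is why keeping the full lfd e-mail matters.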
  4. brendanrtg (Well-Known Member)

    Hi

    We did a chkrootkit check and found ALL files under /tmp and /var/tmp with 777 permissions. We are thinking of deleting ALL of these files under the directory, since they are only TMP FILES.

    Before we do this, is it safe to delete them, or should we just chmod them to, say, 644 or 666?
     