lfd: Suspicious process running under user bintanne

brendanrtg

We got this message from lfd and csf, which were installed on our server.

We are not sure if it's a legit process; can any experts out there please advise?

Thank you.

Time: Tue May 8 03:10:51 2007
PID: 10022
Account: bintanne
Uptime: 98 seconds


Executable:

/usr/local/cpanel/cpanel


Command Line (often faked in exploits):

/usr/local/cpanel/cpanel ./frontend/x/files/doupload.html


Network connections by the process (if any):

tcp: 164.56.77.24:2082 -> 222.124.12.94:36550


Files open by the process (if any):

/var/cpanel/lang.cache/english.cache
/var/cpanel/lang.cache/theme/x/english.cache
/home/bintanne/tmp/cpanel.TMP.8bRk2DkFzS3EeQim


Memory maps by the process (if any):

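An added example, not part of the thread, that parses an lfd "Suspicious process" alert of the shape posted above and pulls out the indicators to check first: whether argv[0] matches the real executable (the faked-command-line case the alert header itself warns about), whether the binary runs from a temp directory or has been unlinked, which open files sit in temp directories (a user's ~/tmp included, which is worth a look but proves nothing on its own), and the network connection. The sample alert is the one from this post with blank lines and the memory map section dropped.

```python
import re
# Constructed sample: the lfd alert quoted in the post above (values as posted, blank lines and memory maps dropped).
SAMPLE_ALERT = """PID: 10022
Account: bintanne
Executable:
/usr/local/cpanel/cpanel
Command Line (often faked in exploits):
/usr/local/cpanel/cpanel ./frontend/x/files/doupload.html
Network connections by the process (if any):
tcp: 164.56.77.24:2082 -> 222.124.12.94:36550
Files open by the process (if any):
/var/cpanel/lang.cache/english.cache
/home/bintanne/tmp/cpanel.TMP.8bRk2DkFzS3EeQim
"""
SECTION = re.compile(r"^(Executable|Command Line|Network connections|Files open|Memory maps)")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def parse_alert(text):
    # Returns (header dict, {section name: [non-empty lines]}) for one lfd alert
    header, sections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is None:  # "Key: value" lines before the first section
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
        else:
            sections[current].append(line)
    return header, sections

def triage(text):
    # The indicators a defender checks first; booleans are True when the alert needs a look
    header, sec = parse_alert(text)
    exe = (sec.get("Executable") or [""])[0]
    cmdline = (sec.get("Command Line") or [""])[0]
    argv0 = cmdline.split()[0] if cmdline else ""
    return {
        "account": header.get("Account", ""),
        "exe": exe,
        # argv[0] differing from the real binary is the faked command line the alert header warns about
        "argv0_mismatch": argv0 != exe,
        # a binary run from a temp dir, or already unlinked, is the usual upload-and-run pattern
        "exe_in_tmp": exe.startswith(TMP_DIRS) or exe.endswith("(deleted)"),
        "tmp_files_open": [f for f in sec.get("Files open", []) if f.startswith(TMP_DIRS) or "/tmp/" in f],
        "connections": sec.get("Network connections", []),
    }
```

For the alert posted here the parser reports no argv[0] mismatch and a binary outside any temp directory, which is why the remaining questions are about the account's tmp file and the connection, not the executable path.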
 

[email protected]

This is very suspicious. Check your server immediately; the path to the executable is not even correct. Probably some faked rootkit or something. What do rkhunter and chkrootkit say?
 

brendanrtg

We did a check and DID find a directory under our server at

/usr/local/cpanel/cpanel

Upon an ls, we found the following files, owned by ROOT.

[email protected] [/usr/local/cpanel/Cpanel]# ls
./ cPAddons/ ExampleModule.pm MysqlFE.pm Search.pm
../ cPAddons.pm ExtPerlMod.pm Mysql.pm Serverinfo.pm
Accounting-class.php.inc CPAN/ FileUtils.pm Notify.pm SetLang.pm
Accounting.php.inc cPanelFunctions.pm Form.pm NVData.pm SocketIP.pm
Accounting.pm CpBackup.pm Frontpage.pm ObjCache.pm SpamAssassin.pm
AcctUtils.pm cPCPAN.pm FtpUtils.pm OldAddon2cPAddonsHandler.pm SSH.pm
AddonDomain.pm cPQuota.pm Gzip.pm OpenSSL.pm SSHUtils.pm
Addons.pm cPServices.pm Htaccess.pm OSDATA.pm SSLInfo.pm
AdminBin.pm CSS.pm HttpRequest.pm Park.pm StatManager.pm
ApacheConf.pm DataStore.pm HttpTimer.pm PHP.pm StatsBar.pm
Api2.pm DbUtils.pm HttpUtils.pm PipeHandler.pm Status.pm
ArrayFunc.pm DenyIp.pm iContact.pm PkgInfo.pm StringFunc.pm
Bandwidth.pm DIp.pm ImageManager.pm Postgres.pm SupportRequest.pm
BinCheck.pm DiskUsage.pm Installer.pm Preparse.pm SysPkgs/
BinUtils.pm DNSLib.pm Ips.pm Public/ SysPkgs.pm
BitConvert.pm DnsRoots.pm Lang/ PwCache.pm Template.pm
BoxTrapper.pm DnsUtils.pm LangMods.pm Quota.pm Themes.pm
Branding.pm DomainIp.pm Lang.pm Rand.pm TieLang.pm
CachedCommand.pm DomainLookup.pm LeechProtect.pm Regex.pm UI.pm
Carp.pm DomainTools.pm LoadFile.pm ResellerFunctions.pm UrlTools.pm
CheckData.pm EasyApache/ Logger.pm Resellers.pm UserDomainIp.pm
CheckPass.pm Encoder.pm LogManager.pm RollBack.pm Version.pm
CommentKiller.pm Env.pm Logs.pm SafeDir.pm WebMail.pm
Config.pm Errors.pm MailTools.pm SafeRun.pm
core EventHandler.pm MirrorSearch.pm SafetyBits.pm

We have suspended the account and disabled the directory while we install chkrootkit to check the server in detail.
 

brendanrtg

Hi

We did a chkrootkit check and found ALL files under /tmp and /var/tmp with 777 permissions. We are thinking of deleting ALL of these files under the directory, since it's only TMP FILES.

Before we do this, is it safe to delete them, or should we just chmod them to, say, 644 or 666?
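An added example, not from the thread, that takes the defender's route to the question above: inventory every world-writable entry under a temp directory, tagging the cases that matter most (world-writable and executable, or a 1777 directory that mirrors /tmp itself), and optionally clear just the other-write bit instead of deleting, which keeps the files as evidence. It builds its own constructed sample tree rather than touching /tmp, so the root to audit and the file names are assumptions.

```python
import os
import stat
import tempfile

def audit_world_writable(root, fix=False):
    # Report every entry under root whose mode has the other-write bit set (the "777" case).
    # Returns sorted [(relative path, kind, octal mode)]; with fix=True the o+w bit is cleared
    # (chmod o-w) after recording, so nothing is deleted while the files are still evidence.
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so a symlink planted in the tmp dir is never followed
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) or not (st.st_mode & stat.S_IWOTH):
                continue
            if stat.S_ISDIR(st.st_mode):
                kind = "sticky-dir" if st.st_mode & stat.S_ISVTX else "dir"  # 1777 dirs mirror /tmp itself
            else:
                kind = "exec-file" if st.st_mode & stat.S_IXOTH else "file"  # world-writable + executable is worst
            findings.append((os.path.relpath(path, root), kind, oct(stat.S_IMODE(st.st_mode))))
            if fix:
                os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_IWOTH)
    return sorted(findings)

def make_sample_tree():
    # Constructed sample tree standing in for /tmp: a 666 file, a 777 script, a 644 file, a 777 subdir
    base = tempfile.mkdtemp(prefix="tmp-audit-")
    layout = {"sess_abc": 0o666, "script.sh": 0o777, "notes.txt": 0o644}
    for name, mode in layout.items():
        p = os.path.join(base, name)
        open(p, "w").close()
        os.chmod(p, mode)  # explicit chmod so the process umask cannot trim the sample modes
    os.makedirs(os.path.join(base, "cache"))
    os.chmod(os.path.join(base, "cache"), 0o777)
    return base
```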