lfd - Suspicious process running under user nobody

[Otávio Serra]

Hello,

LFD is notifying me via email 3 or more times per day messages like below:

Time:    Thu Oct 27 08:39:14 2022 -0300
PID:     6479 (Parent PID:6059)
Account: nobody
Uptime:  119 seconds


Executable:

/usr/local/cpanel/cgi-sys/autodiscover.cgi


Command Line (often faked in exploits):

/usr/local/cpanel/cgi-sys/autodiscover.cgi


Network connections by the process (if any):

tcp: 172.30.0.143:41978 -> 34.239.212.66:443


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00457000 r-xp 00000000 103:01 37785561                          /usr/local/cpanel/cgi-sys/autodiscover.cgi
00657000-0065c000 r--p 00057000 103:01 37785561                          /usr/local/cpanel/cgi-sys/autodiscover.cgi
0065c000-00929000 rw-p 0005c000 103:01 37785561                          /usr/local/cpanel/cgi-sys/autodiscover.cgi
00929000-0095f000 rw-p 00000000 00:00 0
02771000-02d55000 rw-p 00000000 00:00 0                                  [heap]
2af526b55000-2af526b77000 r-xp 00000000 103:01 5362                      /usr/lib64/ld-2.17.so
2af526b77000-2af526b7a000 rw-p 00000000 00:00 0
2af526b85000-2af526bce000 rw-p 00000000 00:00 0
2af526bce000-2af526c23000 r--s 00000000 103:01 25166042                  /var/db/nscd/hosts
2af526d76000-2af526d77000 r--p 00021000 103:01 5362                      /usr/lib64/ld-2.17.so
2af526d77000-2af526d78000 rw-p 00022000 103:01 5362                      /usr/lib64/ld-2.17.so
2af526d78000-2af526d79000 rw-p 00000000 00:00 0
2af526d79000-2af526d7d000 r-xp 00000000 103:01 454911498                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/URI/XSEscape/XSEscape.so
2af526d7d000-2af526f7c000 ---p 00004000 103:01 454911498                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/URI/XSEscape/XSEscape.so
2af526f7c000-2af526f7d000 r--p 00003000 103:01 454911498                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/URI/XSEscape/XSEscape.so
2af526f7d000-2af526f7e000 rw-p 00004000 103:01 454911498                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/URI/XSEscape/XSEscape.so
2af526f7e000-2af526f87000 r-xp 00000000 103:01 286074758                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/JSON/XS/XS.so
2af526f87000-2af527187000 ---p 00009000 103:01 286074758                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/JSON/XS/XS.so
2af527187000-2af527188000 r--p 00009000 103:01 286074758                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/JSON/XS/XS.so
2af527188000-2af527189000 rw-p 0000a000 103:01 286074758                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/JSON/XS/XS.so
2af527189000-2af52718b000 r-xp 00000000 103:01 197204637                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/attributes/attributes.so
2af52718b000-2af52738a000 ---p 00002000 103:01 197204637                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/attributes/attributes.so
2af52738a000-2af52738b000 r--p 00001000 103:01 197204637                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/attributes/attributes.so
2af52738b000-2af52738c000 rw-p 00002000 103:01 197204637                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/attributes/attributes.so
2af52738c000-2af527398000 r-xp 00000000 103:01 330577012                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Class/XSAccessor/XSAccessor.so
2af527398000-2af527597000 ---p 0000c000 103:01 330577012                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Class/XSAccessor/XSAccessor.so
2af527597000-2af527598000 r--p 0000b000 103:01 330577012                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Class/XSAccessor/XSAccessor.so
2af527598000-2af527599000 rw-p 0000c000 103:01 330577012                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Class/XSAccessor/XSAccessor.so
2af527599000-2af527891000 r-xp 00000000 103:01 235459763                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/CORE/libperl.so
2af527891000-2af527a91000 ---p 002f8000 103:01 235459763                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/CORE/libperl.so
2af527a91000-2af527aa1000 r--p 002f8000 103:01 235459763                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/CORE/libperl.so
2af527aa1000-2af527aa6000 rw-p 00308000 103:01 235459763                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/CORE/libperl.so
2af527aa6000-2af527aac000 rw-p 00000000 00:00 0
2af527aac000-2af527ac3000 r-xp 00000000 103:01 46106                     /usr/lib64/libpthread-2.17.so
2af527ac3000-2af527cc2000 ---p 00017000 103:01 46106                     /usr/lib64/libpthread-2.17.so
2af527cc2000-2af527cc3000 r--p 00016000 103:01 46106                     /usr/lib64/libpthread-2.17.so
2af527cc3000-2af527cc4000 rw-p 00017000 103:01 46106                     /usr/lib64/libpthread-2.17.so
2af527cc4000-2af527cc8000 rw-p 00000000 00:00 0
2af527cc8000-2af527cdf000 r-xp 00000000 103:01 46085                     /usr/lib64/libnsl-2.17.so
2af527cdf000-2af527ede000 ---p 00017000 103:01 46085                     /usr/lib64/libnsl-2.17.so
2af527ede000-2af527edf000 r--p 00016000 103:01 46085                     /usr/lib64/libnsl-2.17.so
2af527edf000-2af527ee0000 rw-p 00017000 103:01 46085                     /usr/lib64/libnsl-2.17.so
2af527ee0000-2af527ee2000 rw-p 00000000 00:00 0
2af527ee2000-2af527ee4000 r-xp 00000000 103:01 25405                     /usr/lib64/libdl-2.17.so
2af527ee4000-2af5280e4000 ---p 00002000 103:01 25405                     /usr/lib64/libdl-2.17.so
2af5280e4000-2af5280e5000 r--p 00002000 103:01 25405                     /usr/lib64/libdl-2.17.so
2af5280e5000-2af5280e6000 rw-p 00003000 103:01 25405                     /usr/lib64/libdl-2.17.so
2af5280e6000-2af5281e7000 r-xp 00000000 103:01 46082                     /usr/lib64/libm-2.17.so
2af5281e7000-2af5283e6000 ---p 00101000 103:01 46082                     /usr/lib64/libm-2.17.so
2af5283e6000-2af5283e7000 r--p 00100000 103:01 46082                     /usr/lib64/libm-2.17.so
2af5283e7000-2af5283e8000 rw-p 00101000 103:01 46082                     /usr/lib64/libm-2.17.so
2af5283e8000-2af5283f0000 r-xp 00000000 103:01 25402                     /usr/lib64/libcrypt-2.17.so
2af5283f0000-2af5285ef000 ---p 00008000 103:01 25402                     /usr/lib64/libcrypt-2.17.so
2af5285ef000-2af5285f0000 r--p 00007000 103:01 25402                     /usr/lib64/libcrypt-2.17.so
2af5285f0000-2af5285f1000 rw-p 00008000 103:01 25402                     /usr/lib64/libcrypt-2.17.so
2af5285f1000-2af52861f000 rw-p 00000000 00:00 0
2af52861f000-2af528621000 r-xp 00000000 103:01 46123                     /usr/lib64/libutil-2.17.so
2af528621000-2af528820000 ---p 00002000 103:01 46123                     /usr/lib64/libutil-2.17.so
2af528820000-2af528821000 r--p 00001000 103:01 46123                     /usr/lib64/libutil-2.17.so
2af528821000-2af528822000 rw-p 00002000 103:01 46123                     /usr/lib64/libutil-2.17.so
2af528822000-2af5289e6000 r-xp 00000000 103:01 25398                     /usr/lib64/libc-2.17.so
2af5289e6000-2af528be5000 ---p 001c4000 103:01 25398                     /usr/lib64/libc-2.17.so
2af528be5000-2af528be9000 r--p 001c3000 103:01 25398                     /usr/lib64/libc-2.17.so
2af528be9000-2af528beb000 rw-p 001c7000 103:01 25398                     /usr/lib64/libc-2.17.so
2af528beb000-2af528bf0000 rw-p 00000000 00:00 0
2af528bf0000-2af528bf2000 r-xp 00000000 103:01 68231                     /usr/lib64/libfreebl3.so
2af528bf2000-2af528df1000 ---p 00002000 103:01 68231                     /usr/lib64/libfreebl3.so
2af528df1000-2af528df2000 r--p 00001000 103:01 68231                     /usr/lib64/libfreebl3.so
2af528df2000-2af528df3000 rw-p 00002000 103:01 68231                     /usr/lib64/libfreebl3.so
2af528df3000-2af528df7000 r-xp 00000000 103:01 71322125                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/IO/IO.so
2af528df7000-2af528ff6000 ---p 00004000 103:01 71322125                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/IO/IO.so
2af528ff6000-2af528ff7000 r--p 00003000 103:01 71322125                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/IO/IO.so
2af528ff7000-2af528ff8000 rw-p 00004000 103:01 71322125                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/IO/IO.so
2af528ff8000-2af529000000 r-xp 00000000 103:01 151165930                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/Socket/Socket.so
2af529000000-2af529200000 ---p 00008000 103:01 151165930                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/Socket/Socket.so
2af529200000-2af529202000 r--p 00008000 103:01 151165930                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/Socket/Socket.so
2af529202000-2af529203000 rw-p 0000a000 103:01 151165930                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/Socket/Socket.so
2af529203000-2af529267000 r-xp 00000000 103:01 420775988                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
2af529267000-2af529466000 ---p 00064000 103:01 420775988                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
2af529466000-2af529467000 r--p 00063000 103:01 420775988                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
2af529467000-2af529469000 rw-p 00064000 103:01 420775988                 /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
2af529469000-2af5294d0000 r-xp 00000000 103:01 549405                    /usr/lib64/libssl.so.1.0.2k
2af5294d0000-2af5296d0000 ---p 00067000 103:01 549405                    /usr/lib64/libssl.so.1.0.2k
2af5296d0000-2af5296d4000 r--p 00067000 103:01 549405                    /usr/lib64/libssl.so.1.0.2k
2af5296d4000-2af5296db000 rw-p 0006b000 103:01 549405                    /usr/lib64/libssl.so.1.0.2k
2af5296db000-2af529912000 r-xp 00000000 103:01 549403                    /usr/lib64/libcrypto.so.1.0.2k
2af529912000-2af529b11000 ---p 00237000 103:01 549403                    /usr/lib64/libcrypto.so.1.0.2k
2af529b11000-2af529b2d000 r--p 00236000 103:01 549403                    /usr/lib64/libcrypto.so.1.0.2k
2af529b2d000-2af529b3a000 rw-p 00252000 103:01 549403                    /usr/lib64/libcrypto.so.1.0.2k
2af529b3a000-2af529b3e000 rw-p 00000000 00:00 0
2af529b3e000-2af529b53000 r-xp 00000000 103:01 23043                     /usr/lib64/libz.so.1.2.7
2af529b53000-2af529d52000 ---p 00015000 103:01 23043                     /usr/lib64/libz.so.1.2.7
2af529d52000-2af529d53000 r--p 00014000 103:01 23043                     /usr/lib64/libz.so.1.2.7
2af529d53000-2af529d54000 rw-p 00015000 103:01 23043                     /usr/lib64/libz.so.1.2.7
2af529d54000-2af529d9e000 r-xp 00000000 103:01 5317                      /usr/lib64/libgssapi_krb5.so.2.2
2af529d9e000-2af529f9e000 ---p 0004a000 103:01 5317                      /usr/lib64/libgssapi_krb5.so.2.2
2af529f9e000-2af529f9f000 r--p 0004a000 103:01 5317                      /usr/lib64/libgssapi_krb5.so.2.2
2af529f9f000-2af529fa1000 rw-p 0004b000 103:01 5317                      /usr/lib64/libgssapi_krb5.so.2.2
2af529fa1000-2af52a07a000 r-xp 00000000 103:01 5327                      /usr/lib64/libkrb5.so.3.3
2af52a07a000-2af52a279000 ---p 000d9000 103:01 5327                      /usr/lib64/libkrb5.so.3.3
2af52a279000-2af52a287000 r--p 000d8000 103:01 5327                      /usr/lib64/libkrb5.so.3.3
2af52a287000-2af52a28a000 rw-p 000e6000 103:01 5327                      /usr/lib64/libkrb5.so.3.3
2af52a28a000-2af52a28d000 r-xp 00000000 103:01 88248                     /usr/lib64/libcom_err.so.2.1
2af52a28d000-2af52a48c000 ---p 00003000 103:01 88248                     /usr/lib64/libcom_err.so.2.1
2af52a48c000-2af52a48d000 r--p 00002000 103:01 88248                     /usr/lib64/libcom_err.so.2.1
2af52a48d000-2af52a48e000 rw-p 00003000 103:01 88248                     /usr/lib64/libcom_err.so.2.1
2af52a48e000-2af52a4bf000 r-xp 00000000 103:01 50546                     /usr/lib64/libk5crypto.so.3.1
2af52a4bf000-2af52a6be000 ---p 00031000 103:01 50546                     /usr/lib64/libk5crypto.so.3.1
2af52a6be000-2af52a6c0000 r--p 00030000 103:01 50546                     /usr/lib64/libk5crypto.so.3.1
2af52a6c0000-2af52a6c1000 rw-p 00032000 103:01 50546                     /usr/lib64/libk5crypto.so.3.1
2af52a6c1000-2af52a6cf000 r-xp 00000000 103:01 96426                     /usr/lib64/libkrb5support.so.0.1
2af52a6cf000-2af52a8cf000 ---p 0000e000 103:01 96426                     /usr/lib64/libkrb5support.so.0.1
2af52a8cf000-2af52a8d0000 r--p 0000e000 103:01 96426                     /usr/lib64/libkrb5support.so.0.1
2af52a8d0000-2af52a8d1000 rw-p 0000f000 103:01 96426                     /usr/lib64/libkrb5support.so.0.1
2af52a8d1000-2af52a8d4000 r-xp 00000000 103:01 95928                     /usr/lib64/libkeyutils.so.1.5
2af52a8d4000-2af52aad3000 ---p 00003000 103:01 95928                     /usr/lib64/libkeyutils.so.1.5
2af52aad3000-2af52aad4000 r--p 00002000 103:01 95928                     /usr/lib64/libkeyutils.so.1.5
2af52aad4000-2af52aad5000 rw-p 00003000 103:01 95928                     /usr/lib64/libkeyutils.so.1.5
2af52aad5000-2af52aaeb000 r-xp 00000000 103:01 46111                     /usr/lib64/libresolv-2.17.so
2af52aaeb000-2af52aceb000 ---p 00016000 103:01 46111                     /usr/lib64/libresolv-2.17.so
2af52aceb000-2af52acec000 r--p 00016000 103:01 46111                     /usr/lib64/libresolv-2.17.so
2af52acec000-2af52aced000 rw-p 00017000 103:01 46111                     /usr/lib64/libresolv-2.17.so
2af52aced000-2af52acef000 rw-p 00000000 00:00 0
2af52acef000-2af52ad13000 r-xp 00000000 103:01 653261                    /usr/lib64/libselinux.so.1
2af52ad13000-2af52af12000 ---p 00024000 103:01 653261                    /usr/lib64/libselinux.so.1
2af52af12000-2af52af13000 r--p 00023000 103:01 653261                    /usr/lib64/libselinux.so.1
2af52af13000-2af52af14000 rw-p 00024000 103:01 653261                    /usr/lib64/libselinux.so.1
2af52af14000-2af52af16000 rw-p 00000000 00:00 0
2af52af16000-2af52af76000 r-xp 00000000 103:01 95930                     /usr/lib64/libpcre.so.1.2.0
2af52af76000-2af52b176000 ---p 00060000 103:01 95930                     /usr/lib64/libpcre.so.1.2.0
2af52b176000-2af52b177000 r--p 00060000 103:01 95930                     /usr/lib64/libpcre.so.1.2.0
2af52b177000-2af52b178000 rw-p 00061000 103:01 95930                     /usr/lib64/libpcre.so.1.2.0
2af52b178000-2af52b183000 r-xp 00000000 103:01 88082653                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/List/Util/Util.so
2af52b183000-2af52b382000 ---p 0000b000 103:01 88082653                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/List/Util/Util.so
2af52b382000-2af52b383000 r--p 0000a000 103:01 88082653                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/List/Util/Util.so
2af52b383000-2af52b384000 rw-p 0000b000 103:01 88082653                  /usr/local/cpanel/3rdparty/perl/532/lib/perl5/532/x86_64-linux-64int/auto/List/Util/Util.so
2af52b384000-2af52b390000 r-xp 00000000 103:01 46097                     /usr/lib64/libnss_files-2.17.so
2af52b390000-2af52b58f000 ---p 0000c000 103:01 46097                     /usr/lib64/libnss_files-2.17.so
2af52b58f000-2af52b590000 r--p 0000b000 103:01 46097                     /usr/lib64/libnss_files-2.17.so
2af52b590000-2af52b591000 rw-p 0000c000 103:01 46097                     /usr/lib64/libnss_files-2.17.so
2af52b591000-2af52b597000 rw-p 00000000 00:00 0
7ffdbaebc000-7ffdbaedd000 rw-p 00000000 00:00 0                          [stack]
7ffdbaf3a000-7ffdbaf3c000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Anyone know what's going on?

 

[rbairwell]

If you have (under WHM->Tweak Settings) " Thunderbird and Outlook autodiscover and autoconfig support" enabled, then this script will operate on autodiscover/autoconfig subdomains to help provide relevant information to Outlook/Thunderbird etc to configure it.

To stop this messages, you can either disable that option or in CSF->LFD->Edit lfd ignore file->csf.pignore (Process tracking) and add at the end "exe:/usr/local/cpanel/cgi-sys/autodiscover.cgi" which should cause LFD to ignore that script from then on.

 

[Otávio Serra]

If you have (under WHM->Tweak Settings) " Thunderbird and Outlook autodiscover and autoconfig support" enabled, then this script will operate on autodiscover/autoconfig subdomains to help provide relevant information to Outlook/Thunderbird etc to configure it.

To stop this messages, you can either disable that option or in CSF->LFD->Edit lfd ignore file->csf.pignore (Process tracking) and add at the end "exe:/usr/local/cpanel/cgi-sys/autodiscover.cgi" which should cause LFD to ignore that script from then on.

Ok. But this overload is a problem or not? This behavior is occurring on my server more or less three times a day.

Because after this message, I receive one other message like this:

Time:                    Thu Oct 27 08:39:35 2022 -0300
1 Min Load Avg:          21.58
5 Min Load Avg:          7.69
15 Min Load Avg:         2.81
Running/Total Processes: 2/397

 

[martin MHC]

A load of 21 looks quite high to me, but I think the actual load rating (ie if it's a lot or not for the system to handle) depends on how many Cores you're operating with on your server

 

[rbairwell]

Yep, I agree the load is very high and the autoconfiguration script shouldn't be producing that much load (in fact, it should be negligible).

You say you've had this problem for a while now: do you always get the Suspicious Process email just before the high load issue? (the two issues could be connected or they could be two separate issues - or there could actually be a third issue underlying them. I've not used the autodiscover tool myself (yet) so I can't quite comment - but I'm spinning up a test instance to investigate further (as I want to know myself ; ) )

If you are able at the time, run the following command as root:
netstat -Wat -o state established | egrep '(:http|:https) ' | awk '{print $5 " connected to " $4}' | sort | uniq -c
which will list all established connections to http/https ports (with a count of connections) of which hosts are connecting to your server - it might give some guidance if an attack of some sort is happening. If you've got something like 10+ connections from a single host, then that's the source of your problems. Looking at the "Apache Status" page in WHM might give some clues as well.

 

[Otávio Serra]

I found the problem: my server had few memory.

Output from vmstat:
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
  r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 13 37 1298568 201152    108 241724   14   13  1857   435    5   10  5  1 91  1  2