
lfd: Suspicious process running under user nobody

Discussion in 'General Discussion' started by RACKSET, Sep 19, 2007.

  1. RACKSET

    RACKSET Active Member

    Joined:
    Apr 28, 2006
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    localhost
    Hello,

    We get multiple lfd alerts, saying suspicious process running under user nobody.

    Executable:

    /usr/local/cpanel/bin/cpwrap

    Command Line (often faked in exploits):

    /usr/local/cpanel/bin/eximwrap GETDISKUSED SomeUser SomeDomain.Com

    Network connections by the process (if any):

    tcp: 72.x.x.x:25 -> 202.x.x.x:27302 (dest IP changes in each alert)
    tcp: 72.x.x.x:25 -> 202.x.x.x:27302

    Files open by the process (if any):

    /dev/null
    /dev/null
    /etc/relayhosts
    /etc/rblbypass
    /etc/localdomains
    /etc/userdomains


    We have checked the file and it is linked to cpwrap in the same directory. I see multiple files in /usr/local/cpanel/bin/ that point to cpwrap.

    I want to make sure it is normal and that the server is not affected by some exploit.

    Please see the attached image for details.
     


  2. tgibobby

    tgibobby Active Member

    Joined:
    Apr 12, 2004
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    "/usr/local/cpanel/bin/cpwrap" looks to be cPanel's binary. The process should be cPanel mail service related and shouldn't be a problem. I still need to confirm this.
     
    #2 tgibobby, Sep 19, 2007
    Last edited: Sep 19, 2007
  3. mrcbrown

    mrcbrown Well-Known Member

    Joined:
    Jun 5, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Add it to the LFD ignored processes. If you have it set up to verify quota before accepting mail, this runs a lot, so sometimes if it's got a lot queued up some will hold. It's a cPanel binary, so you should be safe.
     
  4. RACKSET

    RACKSET Active Member

    Joined:
    Apr 28, 2006
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    localhost
  5. RayM

    RayM Registered

    Joined:
    May 31, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    We are receiving hundreds of emails from the server with the following. Any help is much appreciated.

    Time: Thu Feb 21 09:29:11 2008
    PID: 27754
    Account: nobody
    Uptime: 65362 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/local/apache/bin/httpd -DSSL


    Network connections by the process (if any):

    tcp: 0.0.0.0:80 -> 0.0.0.0:0
    tcp: 0.0.0.0:443 -> 0.0.0.0:0
    tcp: 67.18.xxx.xx:37327 -> 201.xx.xxx.xx:6667


    Files open by the process (if any):

    /dev/null
    //usr/local/apache/domlogs/amarikengothyk.trbphotography.com
    /usr/local/apache/domlogs/amarikengothyk.trbphotography.com-bytes_log
    /usr/local/apache/domlogs/mail.srgravesarch.com
    /usr/local/apache/domlogs/mike.koliner.com-bytes_log
    /usr/local/apache/domlogs/lexi.koliner.com
    /usr/local/apache/domlogs/lexi.koliner.com-bytes_log
    /usr/local/apache/domlogs/jon.koliner.com
    /usr/local/apache/domlogs/jon.koliner.com-bytes_log
    /usr/local/apache/domlogs/razvanduta.in2design.us
    /usr/local/apache/domlogs/razvanduta.in2design.us-bytes_log
    /usr/local/apache/domlogs/admin.elamericano.com-bytes_log
    /usr/local/apache/domlogs/weddings.edgefactory.com
    /usr/local/apache/domlogs/patsy-tribute.edgefactory.com
    /usr/local/apache/domlogs/stjohnabbey.org
    /usr/local/apache/domlogs/stjohnabbey.org-bytes_log
    /usr/local/apache/logs/ssl_mutex.23541 (deleted)
    /tmp/ZCUDQale5Q (deleted)


    Memory maps by the process (if any):

    00173000-00185000 r-xp 00000000 08:03 524306 /lib/libnsl-2.3.2.so
    00185000-00186000 rw-p 00012000 08:03 524306 /lib/libnsl-2.3.2.so
    00186000-00188000 rw-p 00000000 00:00 0
    001b3000-001d4000 r-xp 00000000 08:03 2687181 /lib/tls/libm-2.3.2.so
    001d4000-001d5000 rw-p 00021000 08:03 2687181 /lib/tls/libm-2.3.2.so
    001d5000-00308000 r-xp 00000000 08:03 2688215 /lib/tls/libc-2.3.2.so
    00308000-0030b000 rw-p 00132000 08:03 2688215 /lib/tls/libc-2.3.2.so
    0030b000-0030e000 rw-p 00000000 00:00 0
    00378000-0037d000 r-xp 00000000 08:03 524425 /lib/libcrypt-2.3.2.so
    0037d000-0037e000 rw-p 00004000 08:03 524425 /lib/libcrypt-2.3.2.so
    0037e000-003a5000 rw-p 00000000 00:00 0
    003b7000-003bb000 r-xp 00000000 08:03 524319 /lib/libnss_dns-2.3.2.so
    003bb000-003bc000 rw-p 00003000 08:03 524319 /lib/libnss_dns-2.3.2.so
    0052b000-00530000 r-xp 00000000 08:03 7242705 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    00530000-00531000 rw-p 00004000 08:03 7242705 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    005b3000-005b5000 r-xp 00000000 08:03 524426 /lib/libdl-2.3.2.so
    005b5000-005b6000 rw-p 00001000 08:03 524426 /lib/libdl-2.3.2.so
    0080a000-0080c000 r-xp 00000000 08:03 524340 /lib/libutil-2.3.2.so
    0080c000-0080d000 rw-p 00001000 08:03 524340 /lib/libutil-2.3.2.so
    008b1000-008c0000 r-xp 00000000 08:03 524334 /lib/libresolv-2.3.2.so
    008c0000-008c1000 rw-p 0000f000 08:03 524334 /lib/libresolv-2.3.2.so
    008c1000-008c3000 rw-p 00000000 00:00 0
    00c02000-00c05000 r-xp 00000000 08:03 8683845 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    00c05000-00c06000 rw-p 00002000 08:03 8683845 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    00d1d000-00d28000 r-xp 00000000 08:03 524433 /lib/libnss_files-2.3.2.so
    00d28000-00d29000 rw-p 0000a000 08:03 524433 /lib/libnss_files-2.3.2.so
    00e21000-00e36000 r-xp 00000000 08:03 524401 /lib/ld-2.3.2.so
    00e36000-00e37000 rw-p 00015000 08:03 524401 /lib/ld-2.3.2.so
    08048000-0810f000 r-xp 00000000 08:03 1131736 /usr/bin/perl
    0810f000-08118000 rw-p 000c7000 08:03 1131736 /usr/bin/perl
    08118000-0811a000 rw-p 00000000 00:00 0
    08bcf000-08d5b000 rw-p 00000000 00:00 0
    b75e9000-b75eb000 rw-p 00000000 00:00 0
    bfff5000-c0000000 rw-p ffff8000 00:00 0
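The two alerts quoted in this thread are a useful contrast for triage: the first shows a known cPanel wrapper (cpwrap, reached through the eximwrap symlink) doing mail-time quota checks, while the second shows an interpreter (/usr/bin/perl) whose command line claims to be httpd, with an outbound connection to port 6667 and a deleted file under /tmp still held open. The script below is an added example, not code from the thread or from lfd/csf; it parses the alert text in the format lfd mails out and scores those indicators from a defender's point of view. The allow-list of cPanel wrapper paths, the IRC port set and the interpreter list are assumptions for illustration, and the two sample alerts are constructed from the lines quoted in the posts above.

```python
"""Triage helper for lfd "Suspicious process" alerts (added example).

Parses the Executable / Command Line / Network connections / Files open
sections of an lfd alert and flags:
  * argv[0] that does not match the real executable (cmdline is often faked)
  * a script interpreter posing as a daemon
  * an outbound connection to an IRC port
  * a deleted file under /tmp still open by the process
"""
import re

# Assumption: cPanel helpers expected to run as "nobody"; the thread notes that
# eximwrap in /usr/local/cpanel/bin is a link to cpwrap.
KNOWN_CPANEL_WRAPPERS = {"/usr/local/cpanel/bin/cpwrap"}
# Assumption: ports commonly used by IRC-based bots for command and control.
IRC_PORTS = {6666, 6667, 6668, 6669, 6697}
INTERPRETERS = {"perl", "python", "php", "sh", "bash", "ruby"}

SECTION_RE = re.compile(
    r"^(Executable|Command Line.*|Network connections.*|Files open.*|Memory maps.*):$")
CONN_RE = re.compile(r"^tcp:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_alert(text):
    """Split an lfd alert into {section_name: [lines]}; header lines go under 'header'."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            # First word of the heading: executable, command, network, files, memory
            current = m.group(1).split(" ")[0].lower()
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a verdict and the list of indicators found in one alert."""
    s = parse_alert(text)
    exe = s.get("executable", [""])[0]
    cmdline = s.get("command", [""])[0]
    findings = []

    # Key on the real executable path, not on argv[0], since argv[0] is attacker-controlled.
    if exe in KNOWN_CPANEL_WRAPPERS:
        return {"verdict": "benign", "findings": ["known cPanel wrapper"], "exe": exe}

    exe_base = exe.rsplit("/", 1)[-1]
    argv0 = cmdline.split()[0] if cmdline else ""
    if argv0 and argv0.rsplit("/", 1)[-1] != exe_base:
        findings.append("argv[0] %r does not match executable %r" % (argv0, exe))
    if exe_base in INTERPRETERS:
        findings.append("executable is the interpreter %s" % exe_base)
    for line in s.get("network", []):
        m = CONN_RE.match(line)
        if m and int(m.group(4)) in IRC_PORTS:
            findings.append("connection to IRC port %s on %s" % (m.group(4), m.group(3)))
    for line in s.get("files", []):
        if line.startswith("/tmp/") and line.endswith("(deleted)"):
            findings.append("deleted temp file still open: " + line)

    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "benign")
    return {"verdict": verdict, "findings": findings, "exe": exe}


# Constructed sample alerts, taken from the lines quoted in the thread.
ALERT_CPWRAP = """\
Executable:
/usr/local/cpanel/bin/cpwrap
Command Line (often faked in exploits):
/usr/local/cpanel/bin/eximwrap GETDISKUSED SomeUser SomeDomain.Com
Network connections by the process (if any):
tcp: 72.x.x.x:25 -> 202.x.x.x:27302
Files open by the process (if any):
/dev/null
/etc/localdomains
"""

ALERT_PERL = """\
Time: Thu Feb 21 09:29:11 2008
PID: 27754
Account: nobody
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
/usr/local/apache/bin/httpd -DSSL
Network connections by the process (if any):
tcp: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 67.18.xxx.xx:37327 -> 201.xx.xxx.xx:6667
Files open by the process (if any):
/dev/null
/usr/local/apache/logs/ssl_mutex.23541 (deleted)
/tmp/ZCUDQale5Q (deleted)
"""

if __name__ == "__main__":
    for name, alert in (("cpwrap", ALERT_CPWRAP), ("perl", ALERT_PERL)):
        print(name, triage(alert))
```

The allow-list deliberately matches on the Executable line (what lfd reads from /proc/PID/exe) rather than on the command line, because the thread's own second alert shows why argv[0] cannot be trusted. A path allow-list is only a first filter: before adding a process to lfd's ignore list, also confirm the binary on disk is the one cPanel shipped, since an attacker who can write to that path could reuse the trusted name.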
     