lfd: Suspicious process running under user nobody

[RACKSET]

Hello,

We get multiple lfd alerts, saying suspicious process running under user nobody.

Executable:

/usr/local/cpanel/bin/cpwrap

Command Line (often faked in exploits):

/usr/local/cpanel/bin/eximwrap GETDISKUSED SomeUser SomeDomain.Com

Network connections by the process (if any):

tcp: 72.x.x.x:25 -> 202.x.x.x:27302 (dest IP changes in each alert)
tcp: 72..x.x.x:25 -> 202.x.x.x:27302

Files open by the process (if any):

/dev/null
/dev/null
/etc/relayhosts
/etc/rblbypass
/etc/localdomains
/etc/userdomains


We have checked the file and it linked to cpwrap on the same directory. I see multiple files on /usr/local/cpanel/bin/ that pointing to cpwrap.

I want to make sure, it is normal and the server is not affected by some exploit.

Please see attached image for details.

 

[tgibobby]

"/usr/local/cpanel/bin/cpwrap" looks to be cpanel's binary. The process should be cpanel mail service related and shouldnt be a problem. I still need to confirm this.

 

[mrcbrown]

Add it to the LFD ignored processes, if you have it setup to verify quota before accepting mail this runs, ALOT, thus sometimes if it's got a lot queued up some will hold - it's a cPanel binary, so you should be safe.

 

[RACKSET]

Thank you, I see Chirpy released a new CSF addressing this issue.
http://www.configserver.com/blog/index.php?itemid=236

I have chmoded cpwrap to 000, and now I should chmod it 0755, please advise.

 

[RayM]

We are receiving hundreds of emails from the server with the following. Any help is much appreciated.

Time: Thu Feb 21 09:29:11 2008
PID: 27754
Account: nobody
Uptime: 65362 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):

/usr/local/apache/bin/httpd -DSSL


Network connections by the process (if any):

tcp: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 0.0.0.0:443 -> 0.0.0.0:0
tcp: 67.18.xxx.xx:37327 -> 201.xx.xxx.xx:6667


Files open by the process (if any):

/dev/null
//usr/local/apache/domlogs/amarikengothyk.trbphotography.com
/usr/local/apache/domlogs/amarikengothyk.trbphotography.com-bytes_log
/usr/local/apache/domlogs/mail.srgravesarch.com
/usr/local/apache/domlogs/mike.koliner.com-bytes_log
/usr/local/apache/domlogs/lexi.koliner.com
/usr/local/apache/domlogs/lexi.koliner.com-bytes_log
/usr/local/apache/domlogs/jon.koliner.com
/usr/local/apache/domlogs/jon.koliner.com-bytes_log
/usr/local/apache/domlogs/razvanduta.in2design.us
/usr/local/apache/domlogs/razvanduta.in2design.us-bytes_log
/usr/local/apache/domlogs/admin.elamericano.com-bytes_log
/usr/local/apache/domlogs/weddings.edgefactory.com
/usr/local/apache/domlogs/patsy-tribute.edgefactory.com
/usr/local/apache/domlogs/stjohnabbey.org
/usr/local/apache/domlogs/stjohnabbey.org-bytes_log
/usr/local/apache/logs/ssl_mutex.23541 (deleted)
/tmp/ZCUDQale5Q (deleted)


Memory maps by the process (if any):

00173000-00185000 r-xp 00000000 08:03 524306 /lib/libnsl-2.3.2.so
00185000-00186000 rw-p 00012000 08:03 524306 /lib/libnsl-2.3.2.so
00186000-00188000 rw-p 00000000 00:00 0
001b3000-001d4000 r-xp 00000000 08:03 2687181 /lib/tls/libm-2.3.2.so
001d4000-001d5000 rw-p 00021000 08:03 2687181 /lib/tls/libm-2.3.2.so
001d5000-00308000 r-xp 00000000 08:03 2688215 /lib/tls/libc-2.3.2.so
00308000-0030b000 rw-p 00132000 08:03 2688215 /lib/tls/libc-2.3.2.so
0030b000-0030e000 rw-p 00000000 00:00 0
00378000-0037d000 r-xp 00000000 08:03 524425 /lib/libcrypt-2.3.2.so
0037d000-0037e000 rw-p 00004000 08:03 524425 /lib/libcrypt-2.3.2.so
0037e000-003a5000 rw-p 00000000 00:00 0
003b7000-003bb000 r-xp 00000000 08:03 524319 /lib/libnss_dns-2.3.2.so
003bb000-003bc000 rw-p 00003000 08:03 524319 /lib/libnss_dns-2.3.2.so
0052b000-00530000 r-xp 00000000 08:03 7242705 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
00530000-00531000 rw-p 00004000 08:03 7242705 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
005b3000-005b5000 r-xp 00000000 08:03 524426 /lib/libdl-2.3.2.so
005b5000-005b6000 rw-p 00001000 08:03 524426 /lib/libdl-2.3.2.so
0080a000-0080c000 r-xp 00000000 08:03 524340 /lib/libutil-2.3.2.so
0080c000-0080d000 rw-p 00001000 08:03 524340 /lib/libutil-2.3.2.so
008b1000-008c0000 r-xp 00000000 08:03 524334 /lib/libresolv-2.3.2.so
008c0000-008c1000 rw-p 0000f000 08:03 524334 /lib/libresolv-2.3.2.so
008c1000-008c3000 rw-p 00000000 00:00 0
00c02000-00c05000 r-xp 00000000 08:03 8683845 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
00c05000-00c06000 rw-p 00002000 08:03 8683845 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
00d1d000-00d28000 r-xp 00000000 08:03 524433 /lib/libnss_files-2.3.2.so
00d28000-00d29000 rw-p 0000a000 08:03 524433 /lib/libnss_files-2.3.2.so
00e21000-00e36000 r-xp 00000000 08:03 524401 /lib/ld-2.3.2.so
00e36000-00e37000 rw-p 00015000 08:03 524401 /lib/ld-2.3.2.so
08048000-0810f000 r-xp 00000000 08:03 1131736 /usr/bin/perl
0810f000-08118000 rw-p 000c7000 08:03 1131736 /usr/bin/perl
08118000-0811a000 rw-p 00000000 00:00 0
08bcf000-08d5b000 rw-p 00000000 00:00 0
b75e9000-b75eb000 rw-p 00000000 00:00 0
bfff5000-c0000000 rw-p ffff8000 00:00 0