
lfd: Suspicious process running under user nobody

Discussion in 'General Discussion' started by RACKSET, Sep 19, 2007.

  1. RACKSET

    RACKSET Active Member

    Joined:
    Apr 28, 2006
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    localhost
    Hello,

    We get multiple lfd alerts, saying suspicious process running under user nobody.

    Executable:

    /usr/local/cpanel/bin/cpwrap

    Command Line (often faked in exploits):

    /usr/local/cpanel/bin/eximwrap GETDISKUSED SomeUser SomeDomain.Com

    Network connections by the process (if any):

    tcp: 72.x.x.x:25 -> 202.x.x.x:27302 (dest IP changes in each alert)
    tcp: 72..x.x.x:25 -> 202.x.x.x:27302

    Files open by the process (if any):

    /dev/null
    /dev/null
    /etc/relayhosts
    /etc/rblbypass
    /etc/localdomains
    /etc/userdomains


    We have checked the file and it is linked to cpwrap in the same directory. I see multiple files in /usr/local/cpanel/bin/ that point to cpwrap.

    I want to make sure it is normal and that the server is not affected by some exploit.

    Please see attached image for details.
     

  2. tgibobby

    tgibobby Active Member

    Joined:
    Apr 12, 2004
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    156
    "/usr/local/cpanel/bin/cpwrap" looks to be cpanel's binary. The process should be cpanel mail service related and shouldn't be a problem. I still need to confirm this.
     
    #2 tgibobby, Sep 19, 2007
    Last edited: Sep 19, 2007
  3. mrcbrown

    mrcbrown Well-Known Member

    Joined:
    Jun 5, 2003
    Messages:
    100
    Likes Received:
    1
    Trophy Points:
    168
    Add it to the LFD ignored processes, if you have it setup to verify quota before accepting mail this runs, a lot, thus sometimes if it's got a lot queued up some will hold - it's a cPanel binary, so you should be safe.
     
  4. RACKSET

    RACKSET Active Member

    Joined:
    Apr 28, 2006
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    localhost
  5. RayM

    RayM Registered

    Joined:
    May 31, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    151
    We are receiving hundreds of emails from the server with the following. Any help is much appreciated.

    Time: Thu Feb 21 09:29:11 2008
    PID: 27754
    Account: nobody
    Uptime: 65362 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/local/apache/bin/httpd -DSSL


    Network connections by the process (if any):

    tcp: 0.0.0.0:80 -> 0.0.0.0:0
    tcp: 0.0.0.0:443 -> 0.0.0.0:0
    tcp: 67.18.xxx.xx:37327 -> 201.xx.xxx.xx:6667


    Files open by the process (if any):

    /dev/null
    //usr/local/apache/domlogs/amarikengothyk.trbphotography.com
    /usr/local/apache/domlogs/amarikengothyk.trbphotography.com-bytes_log
    /usr/local/apache/domlogs/mail.srgravesarch.com
    /usr/local/apache/domlogs/mike.koliner.com-bytes_log
    /usr/local/apache/domlogs/lexi.koliner.com
    /usr/local/apache/domlogs/lexi.koliner.com-bytes_log
    /usr/local/apache/domlogs/jon.koliner.com
    /usr/local/apache/domlogs/jon.koliner.com-bytes_log
    /usr/local/apache/domlogs/razvanduta.in2design.us
    /usr/local/apache/domlogs/razvanduta.in2design.us-bytes_log
    /usr/local/apache/domlogs/admin.elamericano.com-bytes_log
    /usr/local/apache/domlogs/weddings.edgefactory.com
    /usr/local/apache/domlogs/patsy-tribute.edgefactory.com
    /usr/local/apache/domlogs/stjohnabbey.org
    /usr/local/apache/domlogs/stjohnabbey.org-bytes_log
    /usr/local/apache/logs/ssl_mutex.23541 (deleted)
    /tmp/ZCUDQale5Q (deleted)


    Memory maps by the process (if any):

    00173000-00185000 r-xp 00000000 08:03 524306 /lib/libnsl-2.3.2.so
    00185000-00186000 rw-p 00012000 08:03 524306 /lib/libnsl-2.3.2.so
    00186000-00188000 rw-p 00000000 00:00 0
    001b3000-001d4000 r-xp 00000000 08:03 2687181 /lib/tls/libm-2.3.2.so
    001d4000-001d5000 rw-p 00021000 08:03 2687181 /lib/tls/libm-2.3.2.so
    001d5000-00308000 r-xp 00000000 08:03 2688215 /lib/tls/libc-2.3.2.so
    00308000-0030b000 rw-p 00132000 08:03 2688215 /lib/tls/libc-2.3.2.so
    0030b000-0030e000 rw-p 00000000 00:00 0
    00378000-0037d000 r-xp 00000000 08:03 524425 /lib/libcrypt-2.3.2.so
    0037d000-0037e000 rw-p 00004000 08:03 524425 /lib/libcrypt-2.3.2.so
    0037e000-003a5000 rw-p 00000000 00:00 0
    003b7000-003bb000 r-xp 00000000 08:03 524319 /lib/libnss_dns-2.3.2.so
    003bb000-003bc000 rw-p 00003000 08:03 524319 /lib/libnss_dns-2.3.2.so
    0052b000-00530000 r-xp 00000000 08:03 7242705 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    00530000-00531000 rw-p 00004000 08:03 7242705 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    005b3000-005b5000 r-xp 00000000 08:03 524426 /lib/libdl-2.3.2.so
    005b5000-005b6000 rw-p 00001000 08:03 524426 /lib/libdl-2.3.2.so
    0080a000-0080c000 r-xp 00000000 08:03 524340 /lib/libutil-2.3.2.so
    0080c000-0080d000 rw-p 00001000 08:03 524340 /lib/libutil-2.3.2.so
    008b1000-008c0000 r-xp 00000000 08:03 524334 /lib/libresolv-2.3.2.so
    008c0000-008c1000 rw-p 0000f000 08:03 524334 /lib/libresolv-2.3.2.so
    008c1000-008c3000 rw-p 00000000 00:00 0
    00c02000-00c05000 r-xp 00000000 08:03 8683845 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    00c05000-00c06000 rw-p 00002000 08:03 8683845 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    00d1d000-00d28000 r-xp 00000000 08:03 524433 /lib/libnss_files-2.3.2.so
    00d28000-00d29000 rw-p 0000a000 08:03 524433 /lib/libnss_files-2.3.2.so
    00e21000-00e36000 r-xp 00000000 08:03 524401 /lib/ld-2.3.2.so
    00e36000-00e37000 rw-p 00015000 08:03 524401 /lib/ld-2.3.2.so
    08048000-0810f000 r-xp 00000000 08:03 1131736 /usr/bin/perl
    0810f000-08118000 rw-p 000c7000 08:03 1131736 /usr/bin/perl
    08118000-0811a000 rw-p 00000000 00:00 0
    08bcf000-08d5b000 rw-p 00000000 00:00 0
    b75e9000-b75eb000 rw-p 00000000 00:00 0
    bfff5000-c0000000 rw-p ffff8000 00:00 0
     
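A small triage script, added here as an example (it is not part of this thread, nor of lfd or csf), that applies the checks the two reports in this thread turn on: whether argv[0] matches the real executable (the eximwrap-to-cpwrap symlink in post #1 is expected once the admin has verified the link, an interpreter such as /usr/bin/perl announcing itself as httpd in post #5 is not), whether the process holds an outbound connection to the IRC default port 6667, and whether it keeps deleted files under /tmp open. The alert bodies are constructed from the two reports, the IP addresses are from the RFC 5737 documentation ranges, and the KNOWN_WRAPPERS allowlist is an assumption: it holds the symlink names an admin has confirmed with ls -l, as the first poster did.

```python
"""Triage helper for lfd "Suspicious process" alerts (added example, not lfd/csf code)."""
import os
import re

# Constructed sample alerts modelled on the two reports in this thread;
# IP addresses are from the RFC 5737 documentation ranges.
ALERT_CPWRAP = """\
Executable:
/usr/local/cpanel/bin/cpwrap
Command Line (often faked in exploits):
/usr/local/cpanel/bin/eximwrap GETDISKUSED SomeUser SomeDomain.Com
Network connections by the process (if any):
tcp: 192.0.2.10:25 -> 203.0.113.7:27302
Files open by the process (if any):
/dev/null
/etc/localdomains
"""
ALERT_PERL = """\
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
/usr/local/apache/bin/httpd -DSSL
Network connections by the process (if any):
tcp: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 192.0.2.10:37327 -> 198.51.100.5:6667
Files open by the process (if any):
/dev/null
/usr/local/apache/logs/ssl_mutex.23541 (deleted)
/tmp/ZCUDQale5Q (deleted)
"""

# Assumption: names under /usr/local/cpanel/bin/ the admin has verified (ls -l)
# to be symlinks to cpwrap. argv[0] showing one of them is expected, not faked.
KNOWN_WRAPPERS = {"/usr/local/cpanel/bin/cpwrap": {"eximwrap"}}
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}
IRC_PORTS = {6667}                       # IRC default port, seen in the second report
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HEADINGS = {"Executable": "executable", "Command Line": "cmdline",
            "Network connections": "connections", "Files open": "files",
            "Memory maps": "maps"}
CONN_RE = re.compile(r"^(tcp|udp):\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def parse_alert(text):
    """Split the alert body into sections keyed by the short names in HEADINGS."""
    sections = {key: [] for key in HEADINGS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for prefix, key in HEADINGS.items():
            if line.startswith(prefix) and line.endswith(":"):
                current = key
                break
        else:
            if current is not None:
                sections[current].append(line)
    return sections


def parse_connection(line):
    """Return (proto, local_ip, local_port, remote_ip, remote_port) or None."""
    m = CONN_RE.match(line)
    if not m:
        return None
    proto, lip, lport, rip, rport = m.groups()
    return proto, lip, int(lport), rip, int(rport)


def triage(text):
    """Return (verdict, findings): 'ignore-candidate', 'review' or 'investigate'."""
    s = parse_alert(text)
    exe = s["executable"][0] if s["executable"] else ""
    cmd = s["cmdline"][0] if s["cmdline"] else ""
    exe_name = os.path.basename(exe)
    argv0_name = os.path.basename(cmd.split()[0]) if cmd else ""
    findings = []
    # 1. argv[0] vs. the real executable; a verified wrapper symlink is fine,
    #    an interpreter claiming to be httpd is not.
    if exe_name != argv0_name and argv0_name not in KNOWN_WRAPPERS.get(exe, set()):
        kind = "interpreter" if exe_name in INTERPRETERS else "binary"
        findings.append(f"{kind} {exe_name} reports itself as {argv0_name}")
    # 2. Outbound connections; listening sockets and accepted inbound connections
    #    to a service port (local 25 from a remote ephemeral port) are skipped.
    for line in s["connections"]:
        conn = parse_connection(line)
        if conn is None:
            continue
        proto, _lip, lport, rip, rport = conn
        if (rip == "0.0.0.0" and rport == 0) or (lport < 1024 and rport >= 1024):
            continue
        if rport in IRC_PORTS:
            findings.append(f"outbound {proto} connection to {rip}:{rport} (IRC port)")
        elif exe_name in INTERPRETERS:
            findings.append(f"outbound {proto} connection from {exe_name} to {rip}:{rport}")
    # 3. Deleted files under a scratch directory still held open: a dropped
    #    script unlinked after start. Apache's deleted mutex under logs/ is not counted.
    for line in s["files"]:
        if line.endswith("(deleted)") and line.startswith(SCRATCH_DIRS):
            findings.append(f"open deleted scratch file: {line}")
    if findings:
        return "investigate", findings
    return ("ignore-candidate" if exe in KNOWN_WRAPPERS else "review"), []


if __name__ == "__main__":
    for name, alert in (("cpwrap", ALERT_CPWRAP), ("perl", ALERT_PERL)):
        verdict, findings = triage(alert)
        print(name, verdict, *findings, sep="\n  ")
```

An "ignore-candidate" result is the situation mrcbrown describes in post #3: a verified cPanel binary that fires often under mail-quota checks and can go on lfd's ignore list. An "investigate" result with all three findings is what the second report produces; the script deliberately does not trust argv[0], since, as the alert text itself notes, it is often faked.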