
Suspect process /sbin/klogd -c 1 -x -x and sync_supers

Discussion in 'Security' started by g18c, Jan 23, 2017.

  1. g18c

    g18c Member

    Joined:
    Jul 7, 2007
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    51
    I am getting CSF/LFD alerts regarding suspicious scripts.

    I have paused the process in question, examined the associated process info in /proc/{suspect-pid}/, but I can't for the life of me find the script that is running.

    I have scanned the user's directory with a malware scanner and none can be found.

    Any pointers on finding the script that is running please?
    Code:
    Time:         Mon Jan 23 10:00:15 2017 +0400
    Account:      useraccount
    Resource:     Process Time
    Exceeded:     2309055 > 1800 (seconds)
    Executable:   /usr/bin/perl
    Command Line: /sbin/klogd -c 1 -x -x
    PID:          59542 (Parent PID:59542)
    Killed:       No
    
    Time:    Mon Jan 23 10:00:15 2017 +0400
    PID:     16592 (Parent PID:16592)
    Account: useraccount
    Uptime:  307081 seconds
    
    
    Executable:
    
    /usr/bin/perl
    
    Command Line (often faked in exploits):
    
    [sync_supers]             
    
    Network connections by the process (if any):
    
    tcp: 100.200.20.10:46281 -> 107.161.18.191:443
    
    Files open by the process (if any):
    
    /var/cpanel/locale/en.cdb.60070 (deleted)
    
    Memory maps by the process (if any):
    
    00400000-00402000 r-xp 00000000 fd:00 134502858                          /usr/bin/perl
    00601000-00602000 r--p 00001000 fd:00 134502858                          /usr/bin/perl
    00602000-00603000 rw-p 00002000 fd:00 134502858                          /usr/bin/perl
    0175d000-019b1000 rw-p 00000000 00:00 0                                  [heap]
    7f49fb54c000-7f49fb554000 r-xp 00000000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb554000-7f49fb754000 ---p 00008000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb754000-7f49fb756000 r--p 00008000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb756000-7f49fb757000 rw-p 0000a000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb757000-7f49fb75b000 r-xp 00000000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb75b000-7f49fb95a000 ---p 00004000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb95a000-7f49fb95b000 r--p 00003000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb95b000-7f49fb95c000 rw-p 00004000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb95c000-7f49fb95e000 r-xp 00000000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fb95e000-7f49fbb5d000 ---p 00002000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fbb5d000-7f49fbb5e000 r--p 00001000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fbb5e000-7f49fbb5f000 rw-p 00002000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fbb5f000-7f49fbd15000 r-xp 00000000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbd15000-7f49fbf15000 ---p 001b6000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbf15000-7f49fbf19000 r--p 001b6000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbf19000-7f49fbf1b000 rw-p 001ba000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbf1b000-7f49fbf20000 rw-p 00000000 00:00 0
    7f49fbf20000-7f49fbf37000 r-xp 00000000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fbf37000-7f49fc136000 ---p 00017000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fc136000-7f49fc137000 r--p 00016000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fc137000-7f49fc138000 rw-p 00017000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fc138000-7f49fc13c000 rw-p 00000000 00:00 0
    7f49fc13c000-7f49fc13e000 r-xp 00000000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc13e000-7f49fc33d000 ---p 00002000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc33d000-7f49fc33e000 r--p 00001000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc33e000-7f49fc33f000 rw-p 00002000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc33f000-7f49fc347000 r-xp 00000000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc347000-7f49fc546000 ---p 00008000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc546000-7f49fc547000 r--p 00007000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc547000-7f49fc548000 rw-p 00008000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc548000-7f49fc576000 rw-p 00000000 00:00 0
    7f49fc576000-7f49fc676000 r-xp 00000000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc676000-7f49fc876000 ---p 00100000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc876000-7f49fc877000 r--p 00100000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc877000-7f49fc878000 rw-p 00101000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc878000-7f49fc87a000 r-xp 00000000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fc87a000-7f49fca7a000 ---p 00002000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fca7a000-7f49fca7b000 r--p 00002000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fca7b000-7f49fca7c000 rw-p 00003000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fca7c000-7f49fca92000 r-xp 00000000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fca92000-7f49fcc91000 ---p 00016000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fcc91000-7f49fcc92000 r--p 00015000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fcc92000-7f49fcc93000 rw-p 00016000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fcc93000-7f49fcc95000 rw-p 00000000 00:00 0
    7f49fcc95000-7f49fccab000 r-xp 00000000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fccab000-7f49fceab000 ---p 00016000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fceab000-7f49fceac000 r--p 00016000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fceac000-7f49fcead000 rw-p 00017000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fcead000-7f49fceaf000 rw-p 00000000 00:00 0
    7f49fceaf000-7f49fd032000 r-xp 00000000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd032000-7f49fd232000 ---p 00183000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd232000-7f49fd236000 r--p 00183000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd236000-7f49fd23c000 rw-p 00187000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd23c000-7f49fd23d000 rw-p 00000000 00:00 0
    7f49fd23d000-7f49fd25d000 r-xp 00000000 fd:00 201385120                  /usr/lib64/ld-2.17.so
    7f49fd44a000-7f49fd451000 rw-p 00000000 00:00 0
    7f49fd45b000-7f49fd45c000 rw-p 00000000 00:00 0
    7f49fd45c000-7f49fd45d000 r--p 0001f000 fd:00 201385120                  /usr/lib64/ld-2.17.so
    7f49fd45d000-7f49fd45e000 rw-p 00020000 fd:00 201385120                  /usr/lib64/ld-2.17.so
    7f49fd45e000-7f49fd45f000 rw-p 00000000 00:00 0
    7ffd3a19c000-7ffd3a1bd000 rw-p 00000000 00:00 0                          [stack]
    7ffd3a1c1000-7ffd3a1c3000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    
    Time:         Mon Jan 23 10:00:15 2017 +0400
    Account:      useraccount
    Resource:     Process Time
    Exceeded:     182972 > 1800 (seconds)
    Executable:   /usr/bin/perl
    Command Line: [sync_supers]             
    PID:          4613 (Parent PID:4613)
    Killed:       No
    
     
    #1 g18c, Jan 23, 2017
    Last edited by a moderator: Jan 23, 2017
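The triage the poster describes (pausing the process and reading /proc/{pid}/) can be scripted so that what the process claims about itself (argv, which lfd notes is "often faked") is compared against what the kernel will not let it fake: the exe link, the parent PID, the working directory and the open file descriptors. The helper below is an added example written for this thread, not code from cPanel, CSF/LFD or the poster; the ProcInfo values in the usage block are constructed from the alert above, the list of interpreter names and scratch directories are my assumptions, and it needs root (or the target user) to read another user's /proc entries.

```python
"""Compare a suspect process's self-description with kernel-maintained facts in /proc.

Added example, not from the thread, CSF/LFD or cPanel. argv (/proc/<pid>/cmdline) and
comm are writable by the process itself, so a malicious script can call itself
"/sbin/klogd" or "[sync_supers]". The exe symlink, PPid, cwd and fd links are not.
"""
import os
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed list of interpreters whose argv[0] is routinely rewritten by the script they run.
INTERPRETERS = {"perl", "python", "php", "sh", "bash", "ruby"}
# Assumed scratch locations where a dropped script commonly lives.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class ProcInfo:
    pid: int
    exe: Optional[str]            # readlink(/proc/<pid>/exe); None when unreadable (real kernel threads)
    cmdline: List[str]            # argv as the process presents it (easily faked)
    comm: str                     # /proc/<pid>/comm (also settable by the process)
    ppid: int                     # PPid: from /proc/<pid>/status
    cwd: Optional[str]            # readlink(/proc/<pid>/cwd)
    fds: Dict[int, str] = field(default_factory=dict)  # fd number -> readlink target


def _readlink(path: str) -> Optional[str]:
    try:
        return os.readlink(path)
    except OSError:
        return None


def _norm(name: str) -> str:
    """Strip a version suffix so python3.9 / perl5 compare equal to python / perl."""
    return re.sub(r"[\d.]+$", "", name)


def collect(pid: int) -> ProcInfo:
    """Gather the fields from the live /proc tree (needs permission on the target pid)."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/status") as f:
        ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
    fds: Dict[int, str] = {}
    try:
        for name in os.listdir(f"{base}/fd"):
            target = _readlink(f"{base}/fd/{name}")
            if target is not None:
                fds[int(name)] = target
    except OSError:
        pass  # fd table not readable: report what we have
    return ProcInfo(pid, _readlink(f"{base}/exe"), argv, comm, ppid, _readlink(f"{base}/cwd"), fds)


def analyze(info: ProcInfo) -> List[Tuple[str, str]]:
    """Return (code, detail) findings where the fakeable view contradicts the kernel view."""
    findings: List[Tuple[str, str]] = []
    argv0 = info.cmdline[0] if info.cmdline else ""
    exe_base = os.path.basename(info.exe.replace(" (deleted)", "")) if info.exe else ""

    if info.exe and info.exe.endswith(" (deleted)"):
        findings.append(("EXE_DELETED", f"binary unlinked from disk: {info.exe}"))

    # Real kernel threads have no exe link and hang off kthreadd (pid 2); a userland
    # process showing a bracketed name is borrowing that look.
    if argv0.startswith("[") and argv0.endswith("]") and info.exe is not None and info.ppid != 2:
        findings.append(("FAKE_KERNEL_THREAD", f"{argv0} presents as a kernel thread but runs {info.exe}"))
    elif argv0 and exe_base and _norm(exe_base) in INTERPRETERS \
            and _norm(os.path.basename(argv0)) != _norm(exe_base):
        findings.append(("ARGV0_MISMATCH", f"argv[0]={argv0!r} but exe is {info.exe}"))

    if info.cwd and any(info.cwd == d or info.cwd.startswith(d + "/") for d in SCRATCH_DIRS):
        findings.append(("SCRATCH_CWD", f"working directory {info.cwd}"))

    # An unlinked file that is still open can be copied out of /proc/<pid>/fd/<n>
    # as long as the process is alive, which is why the process is stopped, not killed, first.
    for fd, target in sorted(info.fds.items()):
        if target.endswith(" (deleted)"):
            findings.append(("DELETED_FD", f"fd {fd} -> {target}; copy /proc/{info.pid}/fd/{fd} before killing"))
    return findings


if __name__ == "__main__":
    # Usage: python3 proc_triage.py <pid>   (run as root on the affected server)
    for code, detail in analyze(collect(int(sys.argv[1]))):
        print(f"{code:20} {detail}")
```

If the script was started with `-e` or unlinked before it was read, no path will ever show up in argv or the fd table; while the process is stopped, its text still sits in memory and can be dumped via /proc/{pid}/mem (or gcore) and searched for the Perl source, and /proc/{pid}/environ plus the cwd usually point at the web directory or cron entry that launched it.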
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
