The Community Forums

Suspect process /sbin/klogd -c 1 -x -x and sync_supers

Discussion in 'Security' started by g18c, Jan 23, 2017.

    g18c (Member):

    I am getting CSF/LFD alerts regarding suspicious scripts.

    I have paused the process in question, examined the associated process info in /proc/{suspect-pid}/, but I can't for the life of me find the script that is running.

    I have scanned the user's directory with a malware scanner and none can be found.

    Any pointers on finding the script that is running please?
    Code:
    Time:         Mon Jan 23 10:00:15 2017 +0400
    Account:      useraccount
    Resource:     Process Time
    Exceeded:     2309055 > 1800 (seconds)
    Executable:   /usr/bin/perl
    Command Line: /sbin/klogd -c 1 -x -x
    PID:          59542 (Parent PID:59542)
    Killed:       No
    
    Time:    Mon Jan 23 10:00:15 2017 +0400
    PID:     16592 (Parent PID:16592)
    Account: useraccount
    Uptime:  307081 seconds
    
    
    Executable:
    
    /usr/bin/perl
    
    Command Line (often faked in exploits):
    
    [sync_supers]             
    
    Network connections by the process (if any):
    
    tcp: 100.200.20.10:46281 -> 107.161.18.191:443
    
    Files open by the process (if any):
    
    /var/cpanel/locale/en.cdb.60070 (deleted)
    
    Memory maps by the process (if any):
    
    00400000-00402000 r-xp 00000000 fd:00 134502858                          /usr/bin/perl
    00601000-00602000 r--p 00001000 fd:00 134502858                          /usr/bin/perl
    00602000-00603000 rw-p 00002000 fd:00 134502858                          /usr/bin/perl
    0175d000-019b1000 rw-p 00000000 00:00 0                                  [heap]
    7f49fb54c000-7f49fb554000 r-xp 00000000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb554000-7f49fb754000 ---p 00008000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb754000-7f49fb756000 r--p 00008000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb756000-7f49fb757000 rw-p 0000a000 fd:00 202952772                  /usr/lib64/perl5/vendor_perl/auto/Socket/Socket.so
    7f49fb757000-7f49fb75b000 r-xp 00000000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb75b000-7f49fb95a000 ---p 00004000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb95a000-7f49fb95b000 r--p 00003000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb95b000-7f49fb95c000 rw-p 00004000 fd:00 67110316                   /usr/lib64/perl5/auto/IO/IO.so
    7f49fb95c000-7f49fb95e000 r-xp 00000000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fb95e000-7f49fbb5d000 ---p 00002000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fbb5d000-7f49fbb5e000 r--p 00001000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fbb5e000-7f49fbb5f000 rw-p 00002000 fd:00 201467880                  /usr/lib64/libfreebl3.so
    7f49fbb5f000-7f49fbd15000 r-xp 00000000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbd15000-7f49fbf15000 ---p 001b6000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbf15000-7f49fbf19000 r--p 001b6000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbf19000-7f49fbf1b000 rw-p 001ba000 fd:00 201385134                  /usr/lib64/libc-2.17.so
    7f49fbf1b000-7f49fbf20000 rw-p 00000000 00:00 0
    7f49fbf20000-7f49fbf37000 r-xp 00000000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fbf37000-7f49fc136000 ---p 00017000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fc136000-7f49fc137000 r--p 00016000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fc137000-7f49fc138000 rw-p 00017000 fd:00 202925733                  /usr/lib64/libpthread-2.17.so
    7f49fc138000-7f49fc13c000 rw-p 00000000 00:00 0
    7f49fc13c000-7f49fc13e000 r-xp 00000000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc13e000-7f49fc33d000 ---p 00002000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc33d000-7f49fc33e000 r--p 00001000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc33e000-7f49fc33f000 rw-p 00002000 fd:00 202927786                  /usr/lib64/libutil-2.17.so
    7f49fc33f000-7f49fc347000 r-xp 00000000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc347000-7f49fc546000 ---p 00008000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc546000-7f49fc547000 r--p 00007000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc547000-7f49fc548000 rw-p 00008000 fd:00 202924104                  /usr/lib64/libcrypt-2.17.so
    7f49fc548000-7f49fc576000 rw-p 00000000 00:00 0
    7f49fc576000-7f49fc676000 r-xp 00000000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc676000-7f49fc876000 ---p 00100000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc876000-7f49fc877000 r--p 00100000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc877000-7f49fc878000 rw-p 00101000 fd:00 202927063                  /usr/lib64/libm-2.17.so
    7f49fc878000-7f49fc87a000 r-xp 00000000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fc87a000-7f49fca7a000 ---p 00002000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fca7a000-7f49fca7b000 r--p 00002000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fca7b000-7f49fca7c000 rw-p 00003000 fd:00 202927059                  /usr/lib64/libdl-2.17.so
    7f49fca7c000-7f49fca92000 r-xp 00000000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fca92000-7f49fcc91000 ---p 00016000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fcc91000-7f49fcc92000 r--p 00015000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fcc92000-7f49fcc93000 rw-p 00016000 fd:00 202927076                  /usr/lib64/libnsl-2.17.so
    7f49fcc93000-7f49fcc95000 rw-p 00000000 00:00 0
    7f49fcc95000-7f49fccab000 r-xp 00000000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fccab000-7f49fceab000 ---p 00016000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fceab000-7f49fceac000 r--p 00016000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fceac000-7f49fcead000 rw-p 00017000 fd:00 202927773                  /usr/lib64/libresolv-2.17.so
    7f49fcead000-7f49fceaf000 rw-p 00000000 00:00 0
    7f49fceaf000-7f49fd032000 r-xp 00000000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd032000-7f49fd232000 ---p 00183000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd232000-7f49fd236000 r--p 00183000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd236000-7f49fd23c000 rw-p 00187000 fd:00 3032                       /usr/lib64/perl5/CORE/libperl.so
    7f49fd23c000-7f49fd23d000 rw-p 00000000 00:00 0
    7f49fd23d000-7f49fd25d000 r-xp 00000000 fd:00 201385120                  /usr/lib64/ld-2.17.so
    7f49fd44a000-7f49fd451000 rw-p 00000000 00:00 0
    7f49fd45b000-7f49fd45c000 rw-p 00000000 00:00 0
    7f49fd45c000-7f49fd45d000 r--p 0001f000 fd:00 201385120                  /usr/lib64/ld-2.17.so
    7f49fd45d000-7f49fd45e000 rw-p 00020000 fd:00 201385120                  /usr/lib64/ld-2.17.so
    7f49fd45e000-7f49fd45f000 rw-p 00000000 00:00 0
    7ffd3a19c000-7ffd3a1bd000 rw-p 00000000 00:00 0                          [stack]
    7ffd3a1c1000-7ffd3a1c3000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    
    Time:         Mon Jan 23 10:00:15 2017 +0400
    Account:      useraccount
    Resource:     Process Time
    Exceeded:     182972 > 1800 (seconds)
    Executable:   /usr/bin/perl
    Command Line: [sync_supers]             
    PID:          4613 (Parent PID:4613)
    Killed:       No
    
    #1 g18c, Jan 23, 2017
    Last edited by a moderator: Jan 23, 2017
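The /proc checks the question asks about, as an added helper script that is not from the thread or from cPanel. It assumes a Linux /proc and that it runs as the PID's owner or root; the function names are mine.

```shell
# Triage helpers for a process whose command line looks rewritten, as the
# perl process above does ("/sbin/klogd -c 1 -x -x", "[sync_supers]").
# Assumes Linux /proc; run as the PID's owner or root. Not from the thread.

# The real binary behind the process; argv[0] can say anything, this cannot.
proc_exe() { readlink "/proc/$1/exe"; }

# argv as the kernel holds it, NUL separators shown as spaces.
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline"; echo; }

# Succeeds when argv[0]'s basename differs from the executable's basename,
# e.g. argv[0] "/sbin/klogd" or "[sync_supers]" on an exe of /usr/bin/perl.
cmdline_mismatch() {
    exe=$(basename "$(proc_exe "$1")")
    argv0=$(tr '\0' '\n' < "/proc/$1/cmdline" | head -n 1 | tr -d '[]')
    [ "$(basename "$argv0")" != "$exe" ]
}

# Open descriptors whose file has been unlinked. A script that deleted itself
# after starting (or an unlinked temp file like en.cdb.60070 above) still
# exists for as long as the process holds it open.
deleted_fds() {
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "$fd -> $target" ;;
        esac
    done
}

# Copy each unlinked open file into directory $2; the fd link still resolves.
recover_deleted() {
    mkdir -p "$2"
    deleted_fds "$1" | while read -r fd _ target; do
        cp "$fd" "$2/$(basename "$fd").recovered"
    done
}

# One-screen summary for the alerted PID. A script fed via "perl -e" or stdin
# never touches disk; if nothing is listed below, the text lives only in
# memory, and /proc/PID/cwd and /proc/PID/environ are the next places to look.
triage() {
    pid=$1
    echo "exe:     $(proc_exe "$pid")"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    if cmdline_mismatch "$pid"; then echo "FLAG: command line does not match exe"; fi
    deleted_fds "$pid" | sed 's/^/deleted: /'
    echo "Socket.so mappings: $(grep -c 'Socket\.so' "/proc/$pid/maps" || true)"
}

if [ $# -eq 1 ]; then triage "$1"; fi
```

Run it as `sh triage.sh 16592` against the PID from the alert; the recovered copies from `recover_deleted` can then be scanned offline.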
    cPanelMichael (Forums Analyst, Staff Member):
