
Suspicious process running under user [account]

Discussion in 'General Discussion' started by foxphiles, Sep 16, 2008.

  1. foxphiles

    foxphiles Member

    Hi,

    I've got the e-mail "Suspicious process running under user [customer account]" twice already. Can anyone tell me what exactly is running under the process?

    Here's the message.

    -----------------------------------------------------------

    Time: Tue Sep 16 23:23:08 2008 +0700
    PID: 16965
    Account: [customer account]
    Uptime: 84 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    /usr/bin/perl -w check.cgi


    Network connections by the process (if any):

    tcp: my ip address:56341 -> 194.67.23.111:25


    Files open by the process (if any):



    Memory maps by the process (if any):

    00400000-00403000 r-xp 00000000 08:01 28025764 /usr/bin/perl
    00602000-00604000 rw-p 00002000 08:01 28025764 /usr/bin/perl
    06263000-0659d000 rw-p 06263000 00:00 0
    34e5e00000-34e5e1a000 r-xp 00000000 08:01 26345537 /lib64/ld-2.5.so
    34e601a000-34e601b000 r--p 0001a000 08:01 26345537 /lib64/ld-2.5.so
    34e601b000-34e601c000 rw-p 0001b000 08:01 26345537 /lib64/ld-2.5.so
    34e6200000-34e634a000 r-xp 00000000 08:01 26345540 /lib64/libc-2.5.so
    34e634a000-34e6549000 ---p 0014a000 08:01 26345540 /lib64/libc-2.5.so
    34e6549000-34e654d000 r--p 00149000 08:01 26345540 /lib64/libc-2.5.so
    34e654d000-34e654e000 rw-p 0014d000 08:01 26345540 /lib64/libc-2.5.so
    34e654e000-34e6553000 rw-p 34e654e000 00:00 0
    34e6600000-34e6602000 r-xp 00000000 08:01 26345686 /lib64/libdl-2.5.so
    34e6602000-34e6802000 ---p 00002000 08:01 26345686 /lib64/libdl-2.5.so
    34e6802000-34e6803000 r--p 00002000 08:01 26345686 /lib64/libdl-2.5.so
    34e6803000-34e6804000 rw-p 00003000 08:01 26345686 /lib64/libdl-2.5.so
    34e6a00000-34e6a15000 r-xp 00000000 08:01 26345699 /lib64/libpthread-2.5.so
    34e6a15000-34e6c14000 ---p 00015000 08:01 26345699 /lib64/libpthread-2.5.so
    34e6c14000-34e6c15000 r--p 00014000 08:01 26345699 /lib64/libpthread-2.5.so
    34e6c15000-34e6c16000 rw-p 00015000 08:01 26345699 /lib64/libpthread-2.5.so
    34e6c16000-34e6c1a000 rw-p 34e6c16000 00:00 0
    34e6e00000-34e6e82000 r-xp 00000000 08:01 26345542 /lib64/libm-2.5.so
    34e6e82000-34e7081000 ---p 00082000 08:01 26345542 /lib64/libm-2.5.so
    34e7081000-34e7082000 r--p 00081000 08:01 26345542 /lib64/libm-2.5.so
    34e7082000-34e7083000 rw-p 00082000 08:01 26345542 /lib64/libm-2.5.so
    34e7e00000-34e7e09000 r-xp 00000000 08:01 26345694 /lib64/libcrypt-2.5.so
    34e7e09000-34e8008000 ---p 00009000 08:01 26345694 /lib64/libcrypt-2.5.so
    34e8008000-34e8009000 r--p 00008000 08:01 26345694 /lib64/libcrypt-2.5.so
    34e8009000-34e800a000 rw-p 00009000 08:01 26345694 /lib64/libcrypt-2.5.so
    34e800a000-34e8038000 rw-p 34e800a000 00:00 0
    34e8200000-34e8215000 r-xp 00000000 08:01 26345682 /lib64/libnsl-2.5.so
    34e8215000-34e8414000 ---p 00015000 08:01 26345682 /lib64/libnsl-2.5.so
    34e8414000-34e8415000 r--p 00014000 08:01 26345682 /lib64/libnsl-2.5.so
    34e8415000-34e8416000 rw-p 00015000 08:01 26345682 /lib64/libnsl-2.5.so
    34e8416000-34e8418000 rw-p 34e8416000 00:00 0
    34e8a00000-34e8a11000 r-xp 00000000 08:01 26345684 /lib64/libresolv-2.5.so
    34e8a11000-34e8c11000 ---p 00011000 08:01 26345684 /lib64/libresolv-2.5.so
    34e8c11000-34e8c12000 r--p 00011000 08:01 26345684 /lib64/libresolv-2.5.so
    34e8c12000-34e8c13000 rw-p 00012000 08:01 26345684 /lib64/libresolv-2.5.so
    34e8c13000-34e8c15000 rw-p 34e8c13000 00:00 0
    34eba00000-34ebb2b000 r-xp 00000000 08:01 28149033 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so
    34ebb2b000-34ebd2a000 ---p 0012b000 08:01 28149033 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so
    34ebd2a000-34ebd33000 rw-p 0012a000 08:01 28149033 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so
    34ebd33000-34ebd35000 rw-p 34ebd33000 00:00 0
    34ee200000-34ee202000 r-xp 00000000 08:01 26345696 /lib64/libutil-2.5.so
    34ee202000-34ee401000 ---p 00002000 08:01 26345696 /lib64/libutil-2.5.so
    34ee401000-34ee402000 r--p 00001000 08:01 26345696 /lib64/libutil-2.5.so
    34ee402000-34ee403000 rw-p 00002000 08:01 26345696 /lib64/libutil-2.5.so
    2aaaaaaab000-2aaaaaaad000 rw-p 2aaaaaaab000 00:00 0
    2aaaaaaba000-2aaaaaadf000 rw-p 2aaaaaaba000 00:00 0
    2aaaaaadf000-2aaaaaafb000 r-xp 00000000 08:01 28180516 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/POSIX/POSIX.so
    2aaaaaafb000-2aaaaacfa000 ---p 0001c000 08:01 28180516 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/POSIX/POSIX.so
    2aaaaacfa000-2aaaaacfb000 rw-p 0001b000 08:01 28180516 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/POSIX/POSIX.so
    2aaaaacfb000-2aaaaacfd000 r-xp 00000000 08:01 28180705 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    2aaaaacfd000-2aaaaaefc000 ---p 00002000 08:01 28180705 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    2aaaaaefc000-2aaaaaefd000 rw-p 00001000 08:01 28180705 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Sys/Hostname/Hostname.so
    2aaaaaefd000-2aaaaaf01000 r-xp 00000000 08:01 28180503 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/IO/IO.so
    2aaaaaf01000-2aaaab100000 ---p 00004000 08:01 28180503 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/IO/IO.so
    2aaaab100000-2aaaab101000 rw-p 00003000 08:01 28180503 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/IO/IO.so
    2aaaab101000-2aaaab106000 r-xp 00000000 08:01 28180678 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Socket/Socket.so
    2aaaab106000-2aaaab305000 ---p 00005000 08:01 28180678 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Socket/Socket.so
    2aaaab305000-2aaaab306000 rw-p 00004000 08:01 28180678 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Socket/Socket.so
    2aaaab313000-2aaaab31d000 r-xp 00000000 08:01 26345499 /lib64/libnss_files-2.5.so
    2aaaab31d000-2aaaab51c000 ---p 0000a000 08:01 26345499 /lib64/libnss_files-2.5.so
    2aaaab51c000-2aaaab51d000 r--p 00009000 08:01 26345499 /lib64/libnss_files-2.5.so
    2aaaab51d000-2aaaab51e000 rw-p 0000a000 08:01 26345499 /lib64/libnss_files-2.5.so
    2aaaab51e000-2aaaab522000 r-xp 00000000 08:01 26345497 /lib64/libnss_dns-2.5.so
    2aaaab522000-2aaaab721000 ---p 00004000 08:01 26345497 /lib64/libnss_dns-2.5.so
    2aaaab721000-2aaaab722000 r--p 00003000 08:01 26345497 /lib64/libnss_dns-2.5.so
    2aaaab722000-2aaaab723000 rw-p 00004000 08:01 26345497 /lib64/libnss_dns-2.5.so
    7fffadeb0000-7fffadec5000 rw-p 7fffadeb0000 00:00 0 [stack]
    ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vdso]
    -------------------------------------------------------------------------------
    :)
    Thanks in advance.
     
    #1 foxphiles, Sep 16, 2008
    Last edited: Sep 16, 2008
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You'd do better to ask over at configserver forums where support for CSF is provided. You might check your server for the file named check.cgi and inspect it.
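Before logging in to chase the file, here is a small triage helper, added here as an example and not part of the post, of CSF/LFD or of cPanel. It parses the alert above (re-embedded as a constructed sample, with the poster's "[customer account]" redaction kept and his own address replaced by the documentation address 203.0.113.10) and applies the checks a responder wants first: is the real executable a script interpreter, does argv[0] agree with what /proc/PID/exe says (the alert itself warns that the command line is often faked), which remote ports the process talked to, and which shared objects in the memory map back that up. The indicator names, the port watch-list and the 30-second uptime threshold are this example's own assumptions.

```python
import os
import re

# Constructed sample from the alert posted above: the "[customer account]"
# redaction is kept, the poster's own address is replaced with 203.0.113.10
# and the memory map is cut down to the entries the checks look at.
SAMPLE_ALERT = """\
Time: Tue Sep 16 23:23:08 2008 +0700
PID: 16965
Account: [customer account]
Uptime: 84 seconds
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
/usr/bin/perl -w check.cgi
Network connections by the process (if any):
tcp: 203.0.113.10:56341 -> 194.67.23.111:25
Files open by the process (if any):
Memory maps by the process (if any):
00400000-00403000 r-xp 00000000 08:01 28025764 /usr/bin/perl
2aaaaaadf000-2aaaaaafb000 r-xp 00000000 08:01 28180516 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/POSIX/POSIX.so
2aaaaaefd000-2aaaaaf01000 r-xp 00000000 08:01 28180503 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/IO/IO.so
2aaaab101000-2aaaab106000 r-xp 00000000 08:01 28180678 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Socket/Socket.so
2aaaab51e000-2aaaab522000 r-xp 00000000 08:01 26345497 /lib64/libnss_dns-2.5.so
7fffadeb0000-7fffadec5000 rw-p 7fffadeb0000 00:00 0 [stack]
"""
# Same alert with argv rewritten the way a Perl script can do by assigning
# to $0, while /proc/PID/exe (the "Executable" line) still says perl.
FAKED_ARGV_ALERT = SAMPLE_ALERT.replace("/usr/bin/perl -w check.cgi",
                                        "/usr/sbin/httpd -DSSL")

SECTION_RE = re.compile(r"^(Executable|Command Line[^:]*|Network connections[^:]*|"
                        r"Files open[^:]*|Memory maps[^:]*):\s*$")
CONN_RE = re.compile(r"^(\w+):\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

INTERPRETERS = {"perl", "python", "php", "php-cgi", "sh", "bash", "ruby"}
WATCHED_PORTS = {25: "SMTP", 465: "SMTPS", 587: "SUBMISSION", 6667: "IRC"}  # assumed list
NET_MODULES = {"Socket.so", "IO.so"}   # Perl XS objects a socket-using script maps
UPTIME_LIMIT = 30                       # assumed: a CGI should finish well inside this

def parse_alert(text):
    """Split an LFD 'Suspicious process' alert into header fields and sections."""
    alert = {"exe": None, "cmdline": None, "connections": [], "files": [], "maps": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).split()[0].lower()
            continue
        if section is None:                 # Time:, PID:, Account:, Uptime:
            key, _, value = line.partition(":")
            alert[key.strip().lower()] = value.strip()
        elif section == "executable":       # from /proc/PID/exe: hard to fake
            alert["exe"] = line
        elif section == "command":          # from /proc/PID/cmdline: trivially faked
            alert["cmdline"] = line
        elif section == "network":
            c = CONN_RE.match(line)
            if c:
                alert["connections"].append({
                    "proto": c.group(1), "laddr": c.group(2), "lport": int(c.group(3)),
                    "raddr": c.group(4), "rport": int(c.group(5))})
        elif section == "files":
            alert["files"].append(line)
        elif section == "memory":           # keep file-backed mappings only
            fields = line.split()
            if len(fields) >= 6 and fields[5].startswith("/"):
                alert["maps"].append(fields[5])
    alert["pid"] = int(alert["pid"])
    alert["uptime_seconds"] = int(alert["uptime"].split()[0])
    return alert

def triage(alert):
    """Return indicator strings; the order follows the checks, not severity."""
    findings = []
    exe_name = os.path.basename(alert["exe"])
    argv = alert["cmdline"].split()
    if exe_name in INTERPRETERS:
        findings.append("INTERPRETER:" + exe_name)
    if os.path.basename(argv[0]) != exe_name:      # the "often faked" case
        findings.append("ARGV_MISMATCH:%s!=%s" % (argv[0], alert["exe"]))
    script = next((a for a in argv[1:] if not a.startswith("-")), None)
    if script and not script.startswith("/"):      # need /proc/PID/cwd to locate it
        findings.append("RELATIVE_SCRIPT:" + script)
    for c in alert["connections"]:
        if c["rport"] in WATCHED_PORTS:
            findings.append("OUTBOUND_%s:%s" % (WATCHED_PORTS[c["rport"]], c["raddr"]))
    loaded = {os.path.basename(p) for p in alert["maps"]}
    net = sorted(loaded & NET_MODULES)
    if net:
        findings.append("NET_MODULES_LOADED:" + ",".join(net))
    if any(n.startswith("libnss_dns") for n in loaded):
        findings.append("DNS_RESOLVED")
    if alert["uptime_seconds"] > UPTIME_LIMIT:
        findings.append("LONG_RUNNING:%ds" % alert["uptime_seconds"])
    return findings

if __name__ == "__main__":
    for label, text in (("posted alert", SAMPLE_ALERT), ("faked argv", FAKED_ARGV_ALERT)):
        a = parse_alert(text)
        print("%s: pid %d, account %s" % (label, a["pid"], a["account"]))
        for f in triage(a):
            print("   ", f)
```

The argv check only catches a process whose fake name disagrees with the interpreter that /proc/PID/exe reports, which is the cheap trick; a script that keeps a plausible name passes it, so the memory map (Socket.so, IO.so and libnss_dns loaded) is the harder-to-fake evidence that the process really opened a socket and resolved a name. If the process is still alive, readlink on /proc/16965/cwd and /proc/16965/exe shows where check.cgi was run from and what actually executed; if it has exited, find the account's home directory for a file named check.cgi and read what it sends and to whom.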
     
  3. foxphiles

    foxphiles Member

    Thanks, I'll do that. ^^
     
  4. rrwh

    rrwh Well-Known Member

    A lookup of the IP address gives smtp.mail.ru, and :25 is the SMTP port.

    I would guess that the check.cgi script (which was running for 84 seconds) was used to validate the form input from someone at their IP address.

    The reason it ran for this long could be one of many things, such as the remote server taking a long time to respond, a script that does not correctly terminate the SMTP connection, or several other causes.
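To make the "slow remote server" and "does not terminate the connection" causes concrete, here is an added example (not code from the thread, from CSF, or from the poster's check.cgi, and in Python rather than the Perl the CGI uses) of the client side of an SMTP exchange against a throwaway relay on localhost. The relay either answers normally or, like a relay that is slow to respond, accepts the connection and never sends its 220 banner. The hostnames, the ephemeral port and the one-second timeout are constructed for the example.

```python
import socket
import threading
import time

def start_fake_smtp(stall=False):
    """Start a throwaway SMTP server on 127.0.0.1 in a daemon thread.

    Returns (port, log); log collects the commands the client sent. With
    stall=True the server accepts the connection but never sends its 220
    banner, which is what an overloaded relay looks like from the CGI's side.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # ephemeral port, constructed for the example
    srv.listen(1)
    port = srv.getsockname()[1]
    log = []

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if stall:
                conn.recv(1)              # stay silent until the client gives up
                return
            conn.sendall(b"220 relay.example ESMTP\r\n")
            for raw in conn.makefile("rb"):
                cmd = raw.decode("ascii", "replace").strip()
                log.append(cmd)
                if cmd.split(" ", 1)[0].upper() == "QUIT":
                    conn.sendall(b"221 relay.example closing\r\n")
                    return
                conn.sendall(b"250 OK\r\n")   # good enough for HELO/MAIL/RCPT here

    threading.Thread(target=serve, daemon=True).start()
    return port, log

def smtp_probe(port, timeout=None, send_quit=True):
    """Minimal client side of the exchange: banner, HELO, optional QUIT.

    timeout=None reproduces a script that never set one: against a stalled
    relay it blocks in readline for as long as the remote side keeps the
    connection open. Returns (outcome, elapsed_seconds).
    """
    start = time.monotonic()
    sock = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        reply = sock.makefile("rb")

        def expect(code):
            line = reply.readline()
            if not line.startswith(code):
                raise RuntimeError("unexpected reply %r" % line)

        expect(b"220")
        sock.sendall(b"HELO web.example\r\n")
        expect(b"250")
        if send_quit:
            sock.sendall(b"QUIT\r\n")
            expect(b"221")
        return "ok", time.monotonic() - start
    except socket.timeout:                # TimeoutError on Python 3.10+
        return "timeout", time.monotonic() - start
    finally:
        sock.close()

if __name__ == "__main__":
    port, log = start_fake_smtp()
    print("healthy relay:", smtp_probe(port, timeout=5.0), log)
    port, log = start_fake_smtp()
    print("client never sends QUIT:", smtp_probe(port, timeout=5.0, send_quit=False), log)
    port, _ = start_fake_smtp(stall=True)
    print("stalled relay, 1s timeout:", smtp_probe(port, timeout=1.0))
```

With a timeout the stalled case returns after about a second; without one, the call sits in readline until the relay closes the connection, and a contact-form CGI that does this is exactly how a perl process ends up with an uptime of 84 seconds and an open connection to port 25 at the moment LFD samples it. The second run shows the other cause from the post: a client that skips QUIT leaves the session open on the relay's side until its own socket is closed, which for a CGI means until the process exits.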
     