Suspicious process running under user mailnull

brock41 · Apr 19, 2019

I think I might have been hacked and I can't figure out how to get rid of this bugger. Here is the log. I've tried to block ip 5.9.xxx.xx using hulk but that doesn't seem to be working.

Code:

PID: 20829 (Parent PID:6201)
Account: mailnull
Uptime: 7322 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/528/bin/perl


Command Line (often faked in exploits):

MailScanner: waiting for messages


Network connections by the process (if any):

udp: 82.221.xxx.x:36115 -> 5.9.xxx.xx:24441


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/mailscanner/usr/share/MailScanner/perl/MailScanner/CustomConfig.pm
/usr/mailscanner/usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
/usr/mailscanner/usr/share/MailScanner/perl/custom/GenericSpamScanner.pm
/var/spool/MailScanner/incoming/SpamAssassin.cache.db


Memory maps by the process (if any):

00400000-00402000 r-xp 00000000 08:02 10488360 /usr/local/cpanel/3rdparty/perl/528/bin/perl
00601000-00602000 r--p 00001000 08:02 10488360 /usr/local/cpanel/3rdparty/perl/528/bin/perl
00602000-00603000 rw-p 00002000 08:02 10488360 /usr/local/cpanel/3rdparty/perl/528/bin/perl
01d21000-0405a000 rw-p 00000000 00:00 0 [heap]
0405a000-09b9e000 rw-p 00000000 00:00 0 [heap]
7f7596d6a000-7f7596dc6000 r-xp 00000000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596dc6000-7f7596fc6000 ---p 0005c000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596fc6000-7f7596fcd000 r--p 0005c000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596fcd000-7f7596fd0000 rw-p 00063000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596fd0000-7f7596fd1000 rw-p 00000000 00:00 0
7f7596fd1000-7f7596fe9000 r-xp 00000000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f7596fe9000-7f75971e9000 ---p 00018000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f75971e9000-7f75971eb000 r--p 00018000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f75971eb000-7f75971ec000 rw-p 0001a000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f75971ec000-7f75971ef000 r-xp 00000000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75971ef000-7f75973ee000 ---p 00003000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75973ee000-7f75973ef000 r--p 00002000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75973ef000-7f75973f0000 rw-p 00003000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75973f0000-7f75973f4000 r-xp 00000000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75973f4000-7f75975f3000 ---p 00004000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75975f3000-7f75975f4000 r--p 00003000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75975f4000-7f75975f5000 rw-p 00004000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75975f5000-7f75975fc000 r-xp 00000000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75975fc000-7f75977fb000 ---p 00007000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75977fb000-7f75977fc000 r--p 00006000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75977fc000-7f75977fd000 rw-p 00007000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75977fd000-7f7597805000 r-xp 00000000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597805000-7f7597a04000 ---p 00008000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597a04000-7f7597a05000 r--p 00007000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597a05000-7f7597a06000 rw-p 00008000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597a06000-7f7597abd000 rw-p 00000000 00:00 0
7f7597b50000-7f7597b54000 rw-p 00000000 00:00 0
7f7597bcb000-7f7597bcf000 rw-p 00000000 00:00 0
7f7597c46000-7f7597d66000 r-xp 00000000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597d66000-7f7597f65000 ---p 00120000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597f65000-7f7597f66000 r--p 0011f000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597f66000-7f7597f67000 rw-p 00120000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597f67000-7f7597f6a000 r-xp 00000000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f7597f6a000-7f759816a000 ---p 00003000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f759816a000-7f759816b000 r--p 00003000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f759816b000-7f759816c000 rw-p 00004000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f759816c000-7f75981ed000 rw-p 00000000 00:00 0
7f75981ed000-7f759824d000 r-xp 00000000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759824d000-7f759844d000 ---p 00060000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759844d000-7f759844e000 r--p 00060000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759844e000-7f759844f000 rw-p 00061000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759844f000-7f7598473000 r-xp 00000000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598473000-7f7598672000 ---p 00024000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598672000-7f7598673000 r--p 00023000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598673000-7f7598674000 rw-p 00024000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598674000-7f7598676000 rw-p 00000000 00:00 0
7f7598676000-7f759868c000 r-xp 00000000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759868c000-7f759888b000 ---p 00016000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759888b000-7f759888c000 r--p 00015000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759888c000-7f759888d000 rw-p 00016000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759888d000-7f759888f000 rw-p 00000000 00:00 0
7f759888f000-7f7598892000 r-xp 00000000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598892000-7f7598a91000 ---p 00003000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598a91000-7f7598a92000 r--p 00002000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598a92000-7f7598a93000 rw-p 00003000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598a93000-7f7598aa1000 r-xp 00000000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598aa1000-7f7598ca1000 ---p 0000e000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598ca1000-7f7598ca2000 r--p 0000e000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598ca2000-7f7598ca3000 rw-p 0000f000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598ca3000-7f7598cd4000 r-xp 00000000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598cd4000-7f7598ed3000 ---p 00031000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598ed3000-7f7598ed5000 r--p 00030000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598ed5000-7f7598ed6000 rw-p 00032000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598ed6000-7f7598ed9000 r-xp 00000000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f7598ed9000-7f75990d8000 ---p 00003000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f75990d8000-7f75990d9000 r--p 00002000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f75990d9000-7f75990da000 rw-p 00003000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f75990da000-7f75991b3000 r-xp 00000000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75991b3000-7f75993b2000 ---p 000d9000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75993b2000-7f75993c0000 r--p 000d8000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75993c0000-7f75993c3000 rw-p 000e6000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75993c3000-7f759940d000 r-xp 00000000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f759940d000-7f759960d000 ---p 0004a000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f759960d000-7f759960e000 r--p 0004a000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f759960e000-7f7599610000 rw-p 0004b000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f7599610000-7f7599625000 r-xp 00000000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599625000-7f7599824000 ---p 00015000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599824000-7f7599825000 r--p 00014000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599825000-7f7599826000 rw-p 00015000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599826000-7f7599a5b000 r-xp 00000000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599a5b000-7f7599c5b000 ---p 00235000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599c5b000-7f7599c77000 r--p 00235000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599c77000-7f7599c84000 rw-p 00251000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599c84000-7f7599c88000 rw-p 00000000 00:00 0
7f7599c88000-7f7599cef000 r-xp 00000000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599cef000-7f7599eef000 ---p 00067000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599eef000-7f7599ef3000 r--p 00067000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599ef3000-7f7599efa000 rw-p 0006b000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599efa000-7f7599f56000 r-xp 00000000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f7599f56000-7f759a155000 ---p 0005c000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f759a155000-7f759a156000 r--p 0005b000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f759a156000-7f759a158000 rw-p 0005c000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f759a158000-7f759a15c000 r-xp 00000000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a15c000-7f759a35b000 ---p 00004000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a35b000-7f759a35c000 r--p 00003000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a35c000-7f759a35d000 rw-p 00004000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a35d000-7f759a361000 r-xp 00000000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a361000-7f759a560000 ---p 00004000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a560000-7f759a561000 r--p 00003000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a561000-7f759a562000 rw-p 00004000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a562000-7f759a5bc000 rw-p 00000000 00:00 0

7f75a684e000-7f75a6852000 rw-p 00000000 00:00 0
7f75a68c9000-7f75a6924000 rw-p 00000000 00:00 0
7f75a6924000-7f75a6928000 rw-p 00000000 00:00 0
7f75a693f000-7f75a699f000 rw-p 00000000 00:00 0
7f75a699f000-7f75a69a1000 rw-p 00000000 00:00 0
7f75a69b3000-7f75a69b5000 rw-p 00000000 00:00 0

GOT · Apr 19, 2019

The process you have included appears to be mailscanner which by itself is fine and worth of an exception I your csf ignore file.

That doesn't necessarily mean that you were not hacked though, but if so the evidence would be elsewhere.

brock41 · Apr 19, 2019

Would mailscanner consistently try to connect to IP address 5.9.xxx.xx through port 24441? I have 18 emails from today of that same log. The same IP address and same port number.

GOT · Apr 19, 2019

I never use mailscanner, so I can't really comment for sure, but is that port open in your firewall for outbound connections? It may be checking some list, blocklist, abuse list, etc, I really don't know.

cPanelLauren · Apr 22, 2019

@brock41
The IP it's connecting to belongs to the Spam Filtering service SpamExperts. This is normal behavior and none of this looks suspicious from what's been provided thus far. As suggested by @GOT I'd add the mailnull process to the csf ignore list to stop notifications for this specific issue.

Thread starter	Similar threads	Forum	Replies	Date
M	Suspicious process running under user cpanelroundcube	Email	7	Jan 16, 2019
L	Hunspell... Suspicious process / Excessive resource	Email	7	Oct 8, 2015
J	A suspicious process?	Email	2	Aug 26, 2009
W	WHM emails.. Suspicious process running under user XXXX	Email	2	Aug 28, 2008
H	suspicious process mail every hour..	Email	1	Aug 24, 2008

Search

Search

Suspicious process running under user mailnull

brock41

Registered

GOT

Get Proactive!

brock41

Registered

GOT

Get Proactive!

cPanelLauren

Product Owner II