Suspicious process running under user mailnull

brock41

Registered
Apr 19, 2019
United States
cPanel Access Level
Reseller Owner
I think I might have been hacked and I can't figure out how to get rid of this bugger. Here is the log. I've tried to block IP 5.9.xxx.xx using hulk, but that doesn't seem to be working.
Code:
PID: 20829 (Parent PID:6201)
Account: mailnull
Uptime: 7322 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/528/bin/perl


Command Line (often faked in exploits):

MailScanner: waiting for messages


Network connections by the process (if any):

udp: 82.221.xxx.x:36115 -> 5.9.xxx.xx:24441


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/mailscanner/usr/share/MailScanner/perl/MailScanner/CustomConfig.pm
/usr/mailscanner/usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
/usr/mailscanner/usr/share/MailScanner/perl/custom/GenericSpamScanner.pm
/var/spool/MailScanner/incoming/SpamAssassin.cache.db


Memory maps by the process (if any):

00400000-00402000 r-xp 00000000 08:02 10488360 /usr/local/cpanel/3rdparty/perl/528/bin/perl
00601000-00602000 r--p 00001000 08:02 10488360 /usr/local/cpanel/3rdparty/perl/528/bin/perl
00602000-00603000 rw-p 00002000 08:02 10488360 /usr/local/cpanel/3rdparty/perl/528/bin/perl
01d21000-0405a000 rw-p 00000000 00:00 0 [heap]
0405a000-09b9e000 rw-p 00000000 00:00 0 [heap]
7f7596d6a000-7f7596dc6000 r-xp 00000000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596dc6000-7f7596fc6000 ---p 0005c000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596fc6000-7f7596fcd000 r--p 0005c000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596fcd000-7f7596fd0000 rw-p 00063000 08:02 11536275 /usr/local/cpanel/3rdparty/lib/mariadb/libmariadb.so.3
7f7596fd0000-7f7596fd1000 rw-p 00000000 00:00 0
7f7596fd1000-7f7596fe9000 r-xp 00000000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f7596fe9000-7f75971e9000 ---p 00018000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f75971e9000-7f75971eb000 r--p 00018000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f75971eb000-7f75971ec000 rw-p 0001a000 08:02 13239742 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/DBD/mysql/mysql.so
7f75971ec000-7f75971ef000 r-xp 00000000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75971ef000-7f75973ee000 ---p 00003000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75973ee000-7f75973ef000 r--p 00002000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75973ef000-7f75973f0000 rw-p 00003000 08:02 13370951 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/PerlIO/scalar/scalar.so
7f75973f0000-7f75973f4000 r-xp 00000000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75973f4000-7f75975f3000 ---p 00004000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75975f3000-7f75975f4000 r--p 00003000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75975f4000-7f75975f5000 rw-p 00004000 08:02 13370965 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/5.28.0/x86_64-linux-64int/auto/mro/mro.so
7f75975f5000-7f75975fc000 r-xp 00000000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75975fc000-7f75977fb000 ---p 00007000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75977fb000-7f75977fc000 r--p 00006000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75977fc000-7f75977fd000 rw-p 00007000 08:02 12977800 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
7f75977fd000-7f7597805000 r-xp 00000000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597805000-7f7597a04000 ---p 00008000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597a04000-7f7597a05000 r--p 00007000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597a05000-7f7597a06000 rw-p 00008000 08:02 13240255 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
7f7597a06000-7f7597abd000 rw-p 00000000 00:00 0
7f7597b50000-7f7597b54000 rw-p 00000000 00:00 0
7f7597bcb000-7f7597bcf000 rw-p 00000000 00:00 0
7f7597c46000-7f7597d66000 r-xp 00000000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597d66000-7f7597f65000 ---p 00120000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597f65000-7f7597f66000 r--p 0011f000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597f66000-7f7597f67000 rw-p 00120000 08:02 13371931 /var/lib/spamassassin/compiled/5.028/3.004002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
7f7597f67000-7f7597f6a000 r-xp 00000000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f7597f6a000-7f759816a000 ---p 00003000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f759816a000-7f759816b000 r--p 00003000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f759816b000-7f759816c000 rw-p 00004000 08:02 13107319 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/BSD/Resource/Resource.so
7f759816c000-7f75981ed000 rw-p 00000000 00:00 0
7f75981ed000-7f759824d000 r-xp 00000000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759824d000-7f759844d000 ---p 00060000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759844d000-7f759844e000 r--p 00060000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759844e000-7f759844f000 rw-p 00061000 08:02 8392426 /usr/lib64/libpcre.so.1.2.0
7f759844f000-7f7598473000 r-xp 00000000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598473000-7f7598672000 ---p 00024000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598672000-7f7598673000 r--p 00023000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598673000-7f7598674000 rw-p 00024000 08:02 8392408 /usr/lib64/libselinux.so.1
7f7598674000-7f7598676000 rw-p 00000000 00:00 0
7f7598676000-7f759868c000 r-xp 00000000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759868c000-7f759888b000 ---p 00016000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759888b000-7f759888c000 r--p 00015000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759888c000-7f759888d000 rw-p 00016000 08:02 8397331 /usr/lib64/libresolv-2.17.so
7f759888d000-7f759888f000 rw-p 00000000 00:00 0
7f759888f000-7f7598892000 r-xp 00000000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598892000-7f7598a91000 ---p 00003000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598a91000-7f7598a92000 r--p 00002000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598a92000-7f7598a93000 rw-p 00003000 08:02 8392535 /usr/lib64/libkeyutils.so.1.5
7f7598a93000-7f7598aa1000 r-xp 00000000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598aa1000-7f7598ca1000 ---p 0000e000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598ca1000-7f7598ca2000 r--p 0000e000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598ca2000-7f7598ca3000 rw-p 0000f000 08:02 8392778 /usr/lib64/libkrb5support.so.0.1
7f7598ca3000-7f7598cd4000 r-xp 00000000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598cd4000-7f7598ed3000 ---p 00031000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598ed3000-7f7598ed5000 r--p 00030000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598ed5000-7f7598ed6000 rw-p 00032000 08:02 8392770 /usr/lib64/libk5crypto.so.3.1
7f7598ed6000-7f7598ed9000 r-xp 00000000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f7598ed9000-7f75990d8000 ---p 00003000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f75990d8000-7f75990d9000 r--p 00002000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f75990d9000-7f75990da000 rw-p 00003000 08:02 8392321 /usr/lib64/libcom_err.so.2.1
7f75990da000-7f75991b3000 r-xp 00000000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75991b3000-7f75993b2000 ---p 000d9000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75993b2000-7f75993c0000 r--p 000d8000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75993c0000-7f75993c3000 rw-p 000e6000 08:02 8392776 /usr/lib64/libkrb5.so.3.3
7f75993c3000-7f759940d000 r-xp 00000000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f759940d000-7f759960d000 ---p 0004a000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f759960d000-7f759960e000 r--p 0004a000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f759960e000-7f7599610000 rw-p 0004b000 08:02 8392380 /usr/lib64/libgssapi_krb5.so.2.2
7f7599610000-7f7599625000 r-xp 00000000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599625000-7f7599824000 ---p 00015000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599824000-7f7599825000 r--p 00014000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599825000-7f7599826000 rw-p 00015000 08:02 8392314 /usr/lib64/libz.so.1.2.7
7f7599826000-7f7599a5b000 r-xp 00000000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599a5b000-7f7599c5b000 ---p 00235000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599c5b000-7f7599c77000 r--p 00235000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599c77000-7f7599c84000 rw-p 00251000 08:02 8392555 /usr/lib64/libcrypto.so.1.0.2k
7f7599c84000-7f7599c88000 rw-p 00000000 00:00 0
7f7599c88000-7f7599cef000 r-xp 00000000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599cef000-7f7599eef000 ---p 00067000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599eef000-7f7599ef3000 r--p 00067000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599ef3000-7f7599efa000 rw-p 0006b000 08:02 8397733 /usr/lib64/libssl.so.1.0.2k
7f7599efa000-7f7599f56000 r-xp 00000000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f7599f56000-7f759a155000 ---p 0005c000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f759a155000-7f759a156000 r--p 0005b000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f759a156000-7f759a158000 rw-p 0005c000 08:02 12192786 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Net/SSLeay/SSLeay.so
7f759a158000-7f759a15c000 r-xp 00000000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a15c000-7f759a35b000 ---p 00004000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a35b000-7f759a35c000 r--p 00003000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a35c000-7f759a35d000 rw-p 00004000 08:02 13239709 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Razor2/Preproc/deHTMLxs/deHTMLxs.so
7f759a35d000-7f759a361000 r-xp 00000000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a361000-7f759a560000 ---p 00004000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a560000-7f759a561000 r--p 00003000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a561000-7f759a562000 rw-p 00004000 08:02 12065669 /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/x86_64-linux-64int/auto/Digest/SHA1/SHA1.so
7f759a562000-7f759a5bc000 rw-p 00000000 00:00 0

7f75a684e000-7f75a6852000 rw-p 00000000 00:00 0
7f75a68c9000-7f75a6924000 rw-p 00000000 00:00 0
7f75a6924000-7f75a6928000 rw-p 00000000 00:00 0
7f75a693f000-7f75a699f000 rw-p 00000000 00:00 0
7f75a699f000-7f75a69a1000 rw-p 00000000 00:00 0
7f75a69b3000-7f75a69b5000 rw-p 00000000 00:00 0
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
Chesapeake, VA
cPanel Access Level
DataCenter Provider
The process you have included appears to be MailScanner, which by itself is fine and worthy of an exception in your csf ignore file.

That doesn't necessarily mean that you were not hacked though, but if so the evidence would be elsewhere.
 

brock41

Registered
Apr 19, 2019
United States
cPanel Access Level
Reseller Owner
Would mailscanner consistently try to connect to IP address 5.9.xxx.xx through port 24441? I have 18 emails from today of that same log. The same IP address and same port number.
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
Chesapeake, VA
cPanel Access Level
DataCenter Provider
I never use MailScanner, so I can't really comment for sure, but is that port open in your firewall for outbound connections? It may be checking some list, blocklist, abuse list, etc.; I really don't know.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
@brock41
The IP it's connecting to belongs to the Spam Filtering service SpamExperts. This is normal behavior and none of this looks suspicious from what's been provided thus far. As suggested by @GOT I'd add the mailnull process to the csf ignore list to stop notifications for this specific issue.
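The thread's resolution is to recognise the alert as a known daemon and then suppress it. As an added example (not code from the thread, from csf/lfd, or from cPanel), the Python below parses an lfd "Suspicious process" report of the shape posted above and checks each field against an allowlist describing what a legitimate MailScanner process looks like: account, executable, expected peer, and the directories its open files live under. The point is that the report is verified before it is ignored, and that the command line, which the report itself flags as "often faked", is never the deciding field. The `DaemonPolicy` class, the `MAILSCANNER` policy values, and the sample report (RFC 5737 documentation addresses in place of the masked ones, blank lines dropped) are constructed for the example; `user:` is the csf.pignore syntax as I know it from csf's readme and should be checked against the installed version.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample shaped like the thread's lfd report; RFC 5737 addresses replace the masked ones.
SAMPLE_REPORT = """PID: 20829 (Parent PID:6201)
Account: mailnull
Uptime: 7322 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/528/bin/perl
Command Line (often faked in exploits):
MailScanner: waiting for messages
Network connections by the process (if any):
udp: 203.0.113.10:36115 -> 192.0.2.20:24441
Files open by the process (if any):
/dev/null
/usr/mailscanner/usr/share/MailScanner/perl/MailScanner/CustomConfig.pm
/var/spool/MailScanner/incoming/SpamAssassin.cache.db
"""

# Section headings of the report, keyed by their first word.
SECTIONS = {"Executable": "executable", "Command": "cmdline",
            "Network": "connections", "Files": "files", "Memory": "maps"}


@dataclass
class Report:
    pid: int = 0
    ppid: int = 0
    account: str = ""
    executable: str = ""
    cmdline: str = ""
    connections: List[Tuple[str, str, int]] = field(default_factory=list)  # (proto, ip, port)
    files: List[str] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Turn the plain-text report into structured fields (memory maps are skipped)."""
    rep, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pid = re.match(r"^PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", line)
        head = SECTIONS.get(line.rstrip(":").split()[0]) if line.endswith(":") else None
        if pid:
            rep.pid, rep.ppid = int(pid.group(1)), int(pid.group(2))
        elif line.startswith("Account:"):
            rep.account = line.split(":", 1)[1].strip()
        elif head:
            section = head
        elif section == "executable":
            rep.executable = line
        elif section == "cmdline":
            rep.cmdline = line
        elif section == "connections":
            conn = re.match(r"^(\w+):\s*\S+:\d+\s*->\s*(\S+):(\d+)$", line)
            if conn:
                rep.connections.append((conn.group(1), conn.group(2), int(conn.group(3))))
        elif section == "files":
            rep.files.append(line)
    return rep


@dataclass(frozen=True)
class DaemonPolicy:  # hypothetical: what a legitimate instance of a daemon may look like
    account: str
    executables: frozenset
    cmdline_prefix: str
    peers: frozenset      # (proto, peer ip, peer port) the daemon is expected to talk to
    file_prefixes: tuple  # directories its open files are expected to live under


# Assumed policy for the MailScanner deployment in the thread; the peer is the
# constructed stand-in for the SpamExperts address identified by cPanel staff.
MAILSCANNER = DaemonPolicy(
    account="mailnull",
    executables=frozenset({"/usr/local/cpanel/3rdparty/perl/528/bin/perl"}),
    cmdline_prefix="MailScanner:",
    peers=frozenset({("udp", "192.0.2.20", 24441)}),
    file_prefixes=("/dev/null", "/usr/mailscanner/", "/var/spool/MailScanner/",
                   "/usr/local/cpanel/3rdparty/", "/var/lib/spamassassin/"),
)


def triage(text: str, policy: DaemonPolicy) -> List[str]:
    """List every way the report deviates from the policy; empty means consistent."""
    rep = parse_report(text)
    # The command line is self-reported and forgeable, so it is checked but never decisive.
    checks = [(rep.account == policy.account, f"account {rep.account!r}"),
              (rep.executable in policy.executables, f"executable {rep.executable!r}"),
              (rep.cmdline.startswith(policy.cmdline_prefix), f"command line {rep.cmdline!r}")]
    findings = [f"unexpected {what}" for ok, what in checks if not ok]
    findings += [f"unexpected peer {p} {ip}:{port}" for p, ip, port in rep.connections
                 if (p, ip, port) not in policy.peers]
    findings += [f"unexpected open file {f!r}" for f in rep.files
                 if not f.startswith(policy.file_prefixes)]
    return findings


def pignore_entry(text: str) -> str:
    """csf.pignore line for the reporting account, as the thread suggests; 'user:'
    silences every process of that account, so only add it after triage() is clean."""
    return f"user:{parse_report(text).account}"
```

Run `triage(report_text, MAILSCANNER)` on each of the 18 alerts: an empty list means the alert matches the known daemon in every field (including the SpamExperts peer), while a changed executable path or a new peer shows up as a finding even when the command line still reads "MailScanner: waiting for messages". Only once the alerts are clean does `pignore_entry()` produce the `user:mailnull` line for csf.pignore.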