
Suspicious process running under user mailnull

Discussion in 'E-mail Discussion' started by brock41, Apr 19, 2019.

  1. brock41 (Registered; joined Apr 19, 2019; United States; cPanel Access Level: Reseller Owner)
    I think I might have been hacked and I can't figure out how to get rid of this bugger. Here is the log. I've tried to block IP 5.9.xxx.xx using hulk, but that doesn't seem to be working.
    Code:
    PID: 20829 (Parent PID:6201)
    Account: mailnull
    Uptime: 7322 seconds
    
    
    Executable:
    
    /usr/local/cpanel/3rdparty/perl/528/bin/perl
    
    
    Command Line (often faked in exploits):
    
    MailScanner: waiting for messages
    
    
    Network connections by the process (if any):
    
    udp: 82.221.xxx.x:36115 -> 5.9.xxx.xx:24441
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    /usr/mailscanner/usr/share/MailScanner/perl/MailScanner/CustomConfig.pm
    /usr/mailscanner/usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
    /usr/mailscanner/usr/share/MailScanner/perl/custom/GenericSpamScanner.pm
    /var/spool/MailScanner/incoming/SpamAssassin.cache.db
    
    
    Memory maps by the process (if any):
    
    
     
    #1 brock41, Apr 19, 2019
    Last edited by a moderator: Apr 19, 2019
  2. GOT (Get Proactive! PartnerNOC; joined Apr 8, 2003; Chesapeake, VA; cPanel Access Level: DataCenter Provider)
    The process you have included appears to be mailscanner, which by itself is fine and worthy of an exception in your csf ignore file.

    That doesn't necessarily mean that you were not hacked though, but if so the evidence would be elsewhere.
     
  3. brock41 (Registered; Reseller Owner)
    Would mailscanner consistently try to connect to IP address 5.9.xxx.xx through port 24441? I have 18 emails from today of that same log. The same IP address and same port number.
     
  4. GOT (Get Proactive! PartnerNOC; DataCenter Provider)
    I never use mailscanner, so I can't really comment for sure, but is that port open in your firewall for outbound connections? It may be checking some list, blocklist, abuse list, etc.; I really don't know.
     
  5. cPanelLauren (Forums Analyst II, Staff Member; joined Nov 14, 2017; Houston; cPanel Access Level: DataCenter Provider)
    @brock41
    The IP it's connecting to belongs to the Spam Filtering service SpamExperts. This is normal behavior and none of this looks suspicious from what's been provided thus far. As suggested by @GOT I'd add the mailnull process to the csf ignore list to stop notifications for this specific issue.
     
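The thread resolves the alert by comparing the reported account, executable path and remote port against what a legitimate MailScanner worker looks like. The following added example (not code from cPanel, csf or anyone in this thread) parses an lfd "suspicious process" alert of the shape posted above and checks it against a per-host baseline, so repeated alerts like the 18 the poster received can be triaged automatically; the BASELINE tuple and the trimmed SAMPLE_REPORT are assumptions constructed for illustration.

```python
import re

# Constructed sample of a csf/lfd "suspicious process" alert, trimmed from the one
# posted in this thread (the masked IPs are kept as posted).
SAMPLE_REPORT = """\
PID: 20829 (Parent PID:6201)
Account: mailnull
Executable:
/usr/local/cpanel/3rdparty/perl/528/bin/perl
Command Line (often faked in exploits):
MailScanner: waiting for messages
Network connections by the process (if any):
udp: 82.221.xxx.x:36115 -> 5.9.xxx.xx:24441
"""

# (account, executable, protocol, remote port) tuples known to be legitimate here.
# This baseline is assumed for illustration; build yours from your own hosts.
BASELINE = {("mailnull", "/usr/local/cpanel/3rdparty/perl/528/bin/perl", "udp", 24441)}

SECTION_RE = re.compile(r"^(Executable|Command Line|Network connections|Files open|Memory maps)\b[^:]*:$")
CONN_RE = re.compile(r"^(tcp|udp):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

def parse_report(text):
    # Walk the alert top to bottom; the current section header decides how a line is read.
    rep = {"account": None, "executable": None, "cmdline": None, "connections": []}
    section = None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).split()[0].lower()  # executable/command/network/files/memory
        elif line.startswith("Account:"):
            rep["account"] = line.split(":", 1)[1].strip()
        elif section == "executable":
            rep["executable"] = line
        elif section == "command":
            rep["cmdline"] = line
        elif section == "network" and CONN_RE.match(line):
            proto, src, sport, dst, dport = CONN_RE.match(line).groups()
            rep["connections"].append((proto, src, int(sport), dst, int(dport)))
    return rep

def triage(rep, baseline):
    # Findings that need a human look; an empty list means the alert matches the baseline.
    allowed = {(p, d) for a, e, p, d in baseline if (a, e) == (rep["account"], rep["executable"])}
    findings = ["unexpected %s connection to %s:%d" % (proto, dst, dport)
                for proto, _s, _p, dst, dport in rep["connections"] if (proto, dport) not in allowed]
    # lfd warns the command line is often faked; trust it only together with the executable path.
    if (rep["cmdline"] or "").startswith("MailScanner") and not (rep["executable"] or "").endswith("/perl"):
        findings.append("MailScanner banner on a non-perl executable")
    return findings
```

With the baseline above the posted alert yields no findings, which is the outcome the staff reply reaches by hand; the same alert with an unknown executable path is flagged on both the connection and the banner.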