"Suspicious process running under user memcached"

webservers

Do I need to be concerned?
P.S. I do have memcached installed.

Code:
Time:    Sat Apr 11
PID:     2238 (Parent PID:2238)
Account: memcached
Uptime:  214041 seconds


Executable:

/usr/bin/memcached


Command Line (often faked in exploits):

memcached -d -p 11211 -u memcached -m 64 -c 1024 -P /var/run/memcached/memcached.pid


Network connections by the process (if any):

tcp: 0.0.0.0:11211 -> 0.0.0.0:0
tcp6: 0.0.0.0:11211 -> 0.0.0.0:0
udp: 0.0.0.0:11211 -> 0.0.0.0:0
udp6: 0.0.0.0:11211 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
[eventpoll]
[eventpoll]
[eventpoll]
[eventpoll]
[eventpoll]


Memory maps by the process (if any):

00400000-00414000 r-xp 00000000 fd:00 44571291                           /usr/bin/memcached
00614000-00615000 rw-p 00014000 fd:00 44571291                           /usr/bin/memcached
00615000-0061b000 rw-p 00000000 00:00 0
00814000-00816000 rw-p 00014000 fd:00 44571291                           /usr/bin/memcached
015db000-015fc000 rw-p 00000000 00:00 0                                  [heap]
3074000000-3074019000 r-xp 00000000 fd:00 44568433                       /usr/lib64/libevent-1.4.so.2.1.3
3074019000-3074219000 ---p 00019000 fd:00 44568433                       /usr/lib64/libevent-1.4.so.2.1.3
3074219000-307421a000 rw-p 00019000 fd:00 44568433                       /usr/lib64/libevent-1.4.so.2.1.3
307421a000-307421b000 rw-p 00000000 00:00 0
388d800000-388d820000 r-xp 00000000 fd:00 39583787                       /lib64/ld-2.12.so
388da1f000-388da20000 r--p 0001f000 fd:00 39583787                       /lib64/ld-2.12.so
388da20000-388da21000 rw-p 00020000 fd:00 39583787                       /lib64/ld-2.12.so
388da21000-388da22000 rw-p 00000000 00:00 0
388dc00000-388dd8a000 r-xp 00000000 fd:00 39583882                       /lib64/libc-2.12.so
388dd8a000-388df8a000 ---p 0018a000 fd:00 39583882                       /lib64/libc-2.12.so
388df8a000-388df8e000 r--p 0018a000 fd:00 39583882                       /lib64/libc-2.12.so
388df8e000-388df8f000 rw-p 0018e000 fd:00 39583882                       /lib64/libc-2.12.so
388df8f000-388df94000 rw-p 00000000 00:00 0
388e000000-388e017000 r-xp 00000000 fd:00 39584155                       /lib64/libpthread-2.12.so
388e017000-388e217000 ---p 00017000 fd:00 39584155                       /lib64/libpthread-2.12.so
388e217000-388e218000 r--p 00017000 fd:00 39584155                       /lib64/libpthread-2.12.so
388e218000-388e219000 rw-p 00018000 fd:00 39584155                       /lib64/libpthread-2.12.so
388e219000-388e21d000 rw-p 00000000 00:00 0
388e800000-388e807000 r-xp 00000000 fd:00 39584158                       /lib64/librt-2.12.so
388e807000-388ea06000 ---p 00007000 fd:00 39584158                       /lib64/librt-2.12.so
388ea06000-388ea07000 r--p 00006000 fd:00 39584158                       /lib64/librt-2.12.so
388ea07000-388ea08000 rw-p 00007000 fd:00 39584158                       /lib64/librt-2.12.so
388fc00000-388fc16000 r-xp 00000000 fd:00 39584205                       /lib64/libresolv-2.12.so
388fc16000-388fe16000 ---p 00016000 fd:00 39584205                       /lib64/libresolv-2.12.so
388fe16000-388fe17000 r--p 00016000 fd:00 39584205                       /lib64/libresolv-2.12.so
388fe17000-388fe18000 rw-p 00017000 fd:00 39584205                       /lib64/libresolv-2.12.so
388fe18000-388fe1a000 rw-p 00000000 00:00 0
3892800000-3892816000 r-xp 00000000 fd:00 39584198                       /lib64/libnsl-2.12.so
3892816000-3892a15000 ---p 00016000 fd:00 39584198                       /lib64/libnsl-2.12.so
3892a15000-3892a16000 r--p 00015000 fd:00 39584198                       /lib64/libnsl-2.12.so
3892a16000-3892a17000 rw-p 00016000 fd:00 39584198                       /lib64/libnsl-2.12.so
3892a17000-3892a19000 rw-p 00000000 00:00 0
7fabf8000000-7fabf8027000 rw-p 00000000 00:00 0
7fabf8027000-7fabfc000000 ---p 00000000 00:00 0
7fac00000000-7fac00027000 rw-p 00000000 00:00 0
7fac00027000-7fac04000000 ---p 00000000 00:00 0
7fac08000000-7fac08027000 rw-p 00000000 00:00 0
7fac08027000-7fac0c000000 ---p 00000000 00:00 0
7fac10000000-7fac10027000 rw-p 00000000 00:00 0
7fac10027000-7fac14000000 ---p 00000000 00:00 0
7fac1567c000-7fac1567d000 ---p 00000000 00:00 0
7fac1567d000-7fac1607d000 rw-p 00000000 00:00 0
7fac1607d000-7fac1607e000 ---p 00000000 00:00 0
7fac1607e000-7fac16a7e000 rw-p 00000000 00:00 0
7fac16a7e000-7fac16a7f000 ---p 00000000 00:00 0
7fac16a7f000-7fac1747f000 rw-p 00000000 00:00 0
7fac1747f000-7fac17480000 ---p 00000000 00:00 0
7fac17480000-7fac17e80000 rw-p 00000000 00:00 0
7fac17e80000-7fac17e81000 ---p 00000000 00:00 0
7fac17e81000-7fac18902000 rw-p 00000000 00:00 0
7fac18902000-7fac1890e000 r-xp 00000000 fd:00 39583913                   /lib64/libnss_files-2.12.so
7fac1890e000-7fac18b0e000 ---p 0000c000 fd:00 39583913                   /lib64/libnss_files-2.12.so
7fac18b0e000-7fac18b0f000 r--p 0000c000 fd:00 39583913                   /lib64/libnss_files-2.12.so
7fac18b0f000-7fac18b10000 rw-p 0000d000 fd:00 39583913                   /lib64/libnss_files-2.12.so
7fac18b10000-7fac18b15000 rw-p 00000000 00:00 0
7fac18b1e000-7fac18b1f000 rw-p 00000000 00:00 0
7fff1b121000-7fff1b136000 rw-p 00000000 00:00 0                          [stack]
7fff1b141000-7fff1b142000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
 

24x7server

Hello,

You are getting this alert from CSF. LFD sent you the warning because the memcached process has been running for the past 214041 seconds. You can ignore it. You should whitelist the process by adding the below lines to /etc/csf/csf.pignore and restarting LFD.
 

cPanelMichael

Hello,

You can safely ignore that warning from LFD if you verify the process is legitimate (check the process ID).

Thank you.
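
Added example (not part of the thread, and not CSF or cPanel code): one way to carry out the verification suggested above is to compare the alert's own fields with the service you expect to be running. The `parse_alert` and `review` helpers, their arguments and the condensed alert excerpt are assumptions made for this example.

```python
# Condensed excerpt of the LFD alert quoted in the first post (open files and memory maps left out).
ALERT = """\
Account: memcached
Executable:
/usr/bin/memcached

Command Line (often faked in exploits):
memcached -d -p 11211 -u memcached -m 64 -c 1024 -P /var/run/memcached/memcached.pid

Network connections by the process (if any):
tcp: 0.0.0.0:11211 -> 0.0.0.0:0
udp: 0.0.0.0:11211 -> 0.0.0.0:0
"""

def parse_alert(text):
    """Split an alert into 'Key: value' header fields and heading-delimited sections."""
    fields, sections, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):  # section heading such as "Executable:"
            current = line.split(" (")[0].rstrip(":")
            sections[current] = []
        elif current is None:  # header fields come before the first heading
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        else:
            sections[current].append(line)
    return fields, sections

def review(text, expected_exe, expected_user):
    """Compare an alert with the service the admin expects (hypothetical helper)."""
    fields, sections = parse_alert(text)
    exe = (sections.get("Executable") or [""])[0]
    argv = (sections.get("Command Line") or [""])[0].split()
    identity, exposure = [], []
    if exe != expected_exe:
        identity.append(f"executable is {exe!r}, expected {expected_exe!r}")
    if fields.get("Account") != expected_user:
        identity.append(f"account is {fields.get('Account')!r}, expected {expected_user!r}")
    # The command line can be faked, so it only counts when it agrees with the executable.
    if not argv or argv[0].rsplit("/", 1)[-1] != exe.rsplit("/", 1)[-1]:
        identity.append("command line name does not match the executable")
    for conn in sections.get("Network connections by the process", []):
        proto, local = conn.split(" -> ")[0].split(": ", 1)
        host, port = local.rsplit(":", 1)
        if host in ("0.0.0.0", "::"):  # bound to every interface
            exposure.append(f"{proto} port {port} listens on all interfaces")
    return {"identity": identity, "exposure": exposure}
```

An empty `identity` list means the alert matches the expected memcached service; the `exposure` entries reflect the `0.0.0.0:11211` listeners shown in the alert and are worth checking against the firewall rules.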