The Community Forums

Suspicious process running under user nobody

Discussion in 'Security' started by smithster, Aug 17, 2010.

  1. smithster (Member)
    I am receiving this email every minute, have had hundreds now!

    The part that says (some_domain) is a replacement of the actual domain!

    Hope someone can advise me what to do please!!

    Time: Tue Aug 17 22:33:58 2010 +0100
    PID: 3317 <---This seems to change a lot
    Account: nobody
    Uptime: 968 seconds


    Executable:

    (deleted) /usr/local/apache/bin/httpd

    The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


    Command Line (often faked in exploits):

    /usr/local/apache/bin/httpd -k start -DSSL


    Network connections by the process (if any):

    tcp: 0.0.0.0:80 -> 0.0.0.0:0
    tcp: 0.0.0.0:443 -> 0.0.0.0:0


    Files open by the process (if any):

    /dev/null
    /dev/null
    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/modsec_audit.log
    /var/cpanel/locale/en.gdbm
    /usr/local/apache/logs/modsec_debug_log
    /usr/local/apache/logs/access_log
    /usr/local/apache/domlogs/_wildcard_.(some_domain)
    /usr/local/apache/domlogs/_wildcard_.(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    /usr/local/apache/domlogs/(some_domain)
    /usr/local/apache/domlogs/(some_domain)-bytes_log
    (deleted) /usr/local/apache/logs/ssl_mutex
    /dev/urandom
    eventpoll:[291813494]


    Memory maps by the process (if any):

    08048000-08127000 r-xp 00000000 08:03 106401929 (deleted) /usr/local/apache/bin/httpd
    08127000-0812b000 rwxp 000de000 08:03 106401929 (deleted) /usr/local/apache/bin/httpd
    0812b000-08130000 rwxp 0812b000 00:00 0
    099e3000-09caa000 rwxp 099e3000 00:00 0 [heap]
    b7677000-b768b000 rwxs 00000000 00:84 291808134
    b768b000-b7695000 r-xp 00000000 08:03 101580972 /lib/libnss_files-2.5.so
    b7695000-b7696000 r-xp 00009000 08:03 101580972 /lib/libnss_files-2.5.so
    b7696000-b7697000 rwxp 0000a000 08:03 101580972 /lib/libnss_files-2.5.so
    b7697000-b76d5000 r-xp 00000000 08:03 106403017 (deleted) /usr/local/apache/modules/mod_security2.so
    b76d5000-b76d7000 rwxp 0003e000 08:03 106403017 (deleted) /usr/local/apache/modules/mod_security2.so
    b76d7000-b7701000 r-xp 00000000 08:03 104467272 /opt/lua/lib/liblua-5.1.3.so
    b7701000-b7702000 rwxp 00029000 08:03 104467272 /opt/lua/lib/liblua-5.1.3.so
    b7702000-b7867000 r-xp 00000000 08:03 106633507 /opt/xml2/lib/libxml2.so.2.7.6
    b7867000-b786c000 rwxp 00165000 08:03 106633507 /opt/xml2/lib/libxml2.so.2.7.6
    b786c000-b786d000 rwxp b786c000 00:00 0
    b786d000-b7878000 r-xp 00000000 08:03 101580810 /lib/libgcc_s-4.1.2-20080825.so.1
    b7878000-b7879000 rwxp 0000a000 08:03 101580810 /lib/libgcc_s-4.1.2-20080825.so.1
    b7879000-b7957000 r-xp 00000000 08:03 101716932 /usr/lib/libstdc++.so.6.0.8
    b7957000-b795a000 r-xp 000dd000 08:03 101716932 /usr/lib/libstdc++.so.6.0.8
    b795a000-b795c000 rwxp 000e0000 08:03 101716932 /usr/lib/libstdc++.so.6.0.8
    b795c000-b7962000 rwxp b795c000 00:00 0
    b7968000-b796c000 r-xp 00000000 08:03 106402744 (deleted) /usr/local/apache/modules/mod_suphp.so
    b796c000-b796d000 rwxp 00004000 08:03 106402744 (deleted) /usr/local/apache/modules/mod_suphp.so
    b796d000-b796f000 rwxp b796d000 00:00 0
    b796f000-b79aa000 r-xp 00000000 08:03 101581090 /lib/libsepol.so.1
    b79aa000-b79ab000 rwxp 0003b000 08:03 101581090 /lib/libsepol.so.1
    b79ab000-b79b6000 rwxp b79ab000 00:00 0
    b79b6000-b79cc000 r-xp 00000000 08:03 101581689 /lib/libselinux.so.1
    b79cc000-b79ce000 rwxp 00015000 08:03 101581689 /lib/libselinux.so.1
    b79ce000-b79d0000 r-xp 00000000 08:03 101581209 /lib/libkeyutils-1.2.so
    b79d0000-b79d1000 rwxp 00001000 08:03 101581209 /lib/libkeyutils-1.2.so
    b79d1000-b79d9000 r-xp 00000000 08:03 101716914 /usr/lib/libkrb5support.so.0.1
    b79d9000-b79da000 rwxp 00007000 08:03 101716914 /usr/lib/libkrb5support.so.0.1
    b79da000-b79ea000 r-xp 00000000 08:03 101580999 /lib/libresolv-2.5.so
    b79ea000-b79eb000 r-xp 0000f000 08:03 101580999 /lib/libresolv-2.5.so
    b79eb000-b79ec000 rwxp 00010000 08:03 101580999 /lib/libresolv-2.5.so
    b79ec000-b79ef000 rwxp b79ec000 00:00 0
    b79ef000-b7a14000 r-xp 00000000 08:03 101716835 /usr/lib/libk5crypto.so.3.1
    b7a14000-b7a15000 rwxp 00025000 08:03 101716835 /usr/lib/libk5crypto.so.3.1
    b7a15000-b7a17000 r-xp 00000000 08:03 101581215 /lib/libcom_err.so.2.1
    b7a17000-b7a18000 rwxp 00001000 08:03 101581215 /lib/libcom_err.so.2.1
    b7a18000-b7aab000 r-xp 00000000 08:03 101715452 /usr/lib/libkrb5.so.3.3
    b7aab000-b7aae000 rwxp 00092000 08:03 101715452 /usr/lib/libkrb5.so.3.3
    b7aae000-b7ada000 r-xp 00000000 08:03 101712156 /usr/lib/libgssapi_krb5.so.2.2
    b7ada000-b7adb000 rwxp 0002c000 08:03 101712156 /usr/lib/libgssapi_krb5.so.2.2
    b7adb000-b7c2d000 r-xp 00000000 08:03 101580827 /lib/libc-2.5.so
    b7c2d000-b7c2f000 r-xp 00152000 08:03 101580827 /lib/libc-2.5.so
    b7c2f000-b7c30000 rwxp 00154000 08:03 101580827 /lib/libc-2.5.so
    b7c30000-b7c33000 rwxp b7c30000 00:00 0
    b7c33000-b7c36000 r-xp 00000000 08:03 101580936 /lib/libdl-2.5.so
    b7c36000-b7c37000 r-xp 00002000 08:03 101580936 /lib/libdl-2.5.so
    b7c37000-b7c38000 rwxp 00003000 08:03 101580936 /lib/libdl-2.5.so
    b7c38000-b7c39000 rwxp b7c38000 00:00 0
    b7c39000-b7c4e000 r-xp 00000000 08:03 101580996 /lib/libpthread-2.5.so
    b7c4e000-b7c4f000 r-xp 00015000 08:03 101580996 /lib/libpthread-2.5.so
    b7c4f000-b7c50000 rwxp 00016000 08:03 101580996 /lib/libpthread-2.5.so
    b7c50000-b7c52000 rwxp b7c50000 00:00 0
    b7c52000-b7c5b000 r-xp 00000000 08:03 101580917 /lib/libcrypt-2.5.so
    b7c5b000-b7c5c000 r-xp 00008000 08:03 101580917 /lib/libcrypt-2.5.so
    b7c5c000-b7c5d000 rwxp 00009000 08:03 101580917 /lib/libcrypt-2.5.so
    b7c5d000-b7c84000 rwxp b7c5d000 00:00 0
    b7c84000-b7c8b000 r-xp 00000000 08:03 101581015 /lib/librt-2.5.so
    b7c8b000-b7c8c000 r-xp 00007000 08:03 101581015 /lib/librt-2.5.so
    b7c8c000-b7c8d000 rwxp 00008000 08:03 101581015 /lib/librt-2.5.so
    b7c8d000-b7c90000 r-xp 00000000 08:03 101581668 /lib/libuuid.so.1.2
    b7c90000-b7c91000 rwxp 00003000 08:03 101581668 /lib/libuuid.so.1.2
    b7c91000-b7cbc000 r-xp 00000000 08:03 106401856 (deleted) /usr/local/apache/lib/libapr-1.so.0.4.2
    b7cbc000-b7cbd000 rwxp 0002b000 08:03 106401856 (deleted) /usr/local/apache/lib/libapr-1.so.0.4.2
    b7cbd000-b7cdc000 r-xp 00000000 08:03 101581707 /lib/libexpat.so.0.5.0
    b7cdc000-b7cde000 rwxp 0001e000 08:03 101581707 /lib/libexpat.so.0.5.0
    b7cde000-b7cdf000 rwxp b7cde000 00:00 0
    b7cdf000-b7d00000 r-xp 00000000 08:03 106401904 (deleted) /usr/local/apache/lib/libaprutil-1.so.0.3.9
    b7d00000-b7d01000 rwxp 00020000 08:03 106401904 (deleted) /usr/local/apache/lib/libaprutil-1.so.0.3.9
    b7d01000-b7d28000 r-xp 00000000 08:03 101580945 /lib/libm-2.5.so
    b7d28000-b7d29000 r-xp 00026000 08:03 101580945 /lib/libm-2.5.so
    b7d29000-b7d2a000 rwxp 00027000 08:03 101580945 /lib/libm-2.5.so
    b7d2a000-b7d64000 r-xp 00000000 08:03 104467135 /opt/pcre/lib/libpcre.so.0.0.1
    b7d64000-b7d65000 rwxp 00039000 08:03 104467135 /opt/pcre/lib/libpcre.so.0.0.1
    b7d65000-b7d77000 r-xp 00000000 08:03 101712139 /usr/lib/libz.so.1.2.3
    b7d77000-b7d78000 rwxp 00011000 08:03 101712139 /usr/lib/libz.so.1.2.3
    b7d78000-b7ea2000 r-xp 00000000 08:03 101581070 /lib/libcrypto.so.0.9.8e
    b7ea2000-b7eb5000 rwxp 00129000 08:03 101581070 /lib/libcrypto.so.0.9.8e
    b7eb5000-b7eb9000 rwxp b7eb5000 00:00 0
    b7eb9000-b7efd000 r-xp 00000000 08:03 101581088 /lib/libssl.so.0.9.8e
    b7efd000-b7f01000 rwxp 00043000 08:03 101581088 /lib/libssl.so.0.9.8e
    b7f01000-b7f02000 rwxp b7f01000 00:00 0
    b7f06000-b7f07000 r-xp 00000000 08:03 106402692 (deleted) /usr/local/apache/modules/mod_bwlimited.so
    b7f07000-b7f08000 rwxp 00000000 08:03 106402692 (deleted) /usr/local/apache/modules/mod_bwlimited.so
    b7f08000-b7f23000 r-xp 00000000 08:03 101580814 /lib/ld-2.5.so
    b7f23000-b7f24000 r-xp 0001a000 08:03 101580814 /lib/ld-2.5.so
    b7f24000-b7f25000 rwxp 0001b000 08:03 101580814 /lib/ld-2.5.so
    bf9be000-bf9d3000 rw-p 7ffffffea000 00:00 0 [stack]
     
  2. cPanelDon (cPanel Quality Assurance Analyst, Staff Member)
    Did you recently or were you actively recompiling Apache/httpd? If you are not actively recompiling Apache/httpd, try restarting it:
    Code:
    # /scripts/restartsrv_httpd
    By default, Apache/httpd runs as the system user "nobody" -- this is normal.

    Is "ConfigServer Security & Firewall" (CSF) installed on the system? Given the reported information I believe it is likely that your CSF configuration is what is triggering you to receive the described e-mails. For in-depth assistance with CSF, I recommend referring to the vendor's official web site and their available support channels:
    http://www.configserver.com/
    http://www.configserver.com/cp/csf.html
    http://forum.configserver.com/
    http://www.configserver.com/contact.html
    http://www.configserver.com/support.html
     
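The alert quoted above is CSF's PT_DELETED check: a process whose `/proc/PID/exe` link ends in "(deleted)" is running an image whose file is no longer on disk. The benign case, which cPanelDon describes, is an upgrade or EasyApache rebuild that replaced the binary while the old httpd kept running, and a restart clears it. The case worth escalating is a deleted executable that has no replacement on disk, or one that lived in a world-writable directory. The script below is an added example, not code from this thread, from cPanel or from ConfigServer. It walks `/proc` on a Linux host and classifies each deleted-executable process, and it also parses the `maps` text in the format the alert prints (the embedded excerpt is constructed from lines quoted above) to list which mapped files were deleted. The `UNTRUSTED_PREFIXES` list and the three status labels are assumptions made for the example, not CSF settings.

```python
"""Triage helper for "process running a deleted executable" alerts (added example)."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

DELETED_SUFFIX = " (deleted)"   # kernel rendering: "/path/to/bin (deleted)"
DELETED_PREFIX = "(deleted) "   # rendering used in the CSF alert text above

# Assumption for this example: an installed daemon should never execute from here.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass
class Verdict:
    pid: int
    exe: str
    status: str   # "ok", "restart-needed" or "suspicious" (labels chosen for this example)
    reason: str


def strip_deleted(target: str) -> tuple[str, bool]:
    """Return (clean_path, was_deleted) for either deleted-marker rendering."""
    if target.startswith(DELETED_PREFIX):
        return target[len(DELETED_PREFIX):], True
    if target.endswith(DELETED_SUFFIX):
        return target[: -len(DELETED_SUFFIX)], True
    return target, False


def classify(pid: int, exe_target: str, path_exists_now: bool) -> Verdict:
    """Classify one process from its /proc/PID/exe link target.

    exe not deleted                -> ok
    deleted, under untrusted dir   -> suspicious (no on-disk file to verify, bad location)
    deleted, same path exists again-> restart-needed (binary replaced by an upgrade/rebuild)
    deleted, path gone             -> suspicious (nothing on disk corresponds to the image)
    """
    path, deleted = strip_deleted(exe_target)
    if not deleted:
        return Verdict(pid, path, "ok", "executable present on disk")
    if path.startswith(UNTRUSTED_PREFIXES):
        return Verdict(pid, path, "suspicious", "deleted executable under an untrusted directory")
    if path_exists_now:
        return Verdict(pid, path, "restart-needed",
                       "binary replaced on disk; process still runs the old image, restart it")
    return Verdict(pid, path, "suspicious", "executable deleted and not replaced")


# One /proc/PID/maps line: range perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def deleted_mappings(maps_text: str) -> dict[str, int]:
    """Map every deleted file mapped into the process to the inode it was loaded from."""
    found: dict[str, int] = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m or not m.group("path"):
            continue
        path, deleted = strip_deleted(m.group("path"))
        if deleted:
            found[path] = int(m.group("inode"))
    return found


def scan_proc() -> list[Verdict]:
    """Live scan: return every process that is not simply 'ok' (Linux only)."""
    out: list[Verdict] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue   # kernel thread, exited, or no permission to read the link
        path, _ = strip_deleted(target)
        verdict = classify(pid, target, os.path.exists(path))
        if verdict.status != "ok":
            out.append(verdict)
    return out


# Constructed excerpt in the alert's format, taken from the maps lines quoted in the thread.
SAMPLE_MAPS = """\
08048000-08127000 r-xp 00000000 08:03 106401929 (deleted) /usr/local/apache/bin/httpd
08127000-0812b000 rwxp 000de000 08:03 106401929 (deleted) /usr/local/apache/bin/httpd
099e3000-09caa000 rwxp 099e3000 00:00 0 [heap]
b768b000-b7695000 r-xp 00000000 08:03 101580972 /lib/libnss_files-2.5.so
b7697000-b76d5000 r-xp 00000000 08:03 106403017 (deleted) /usr/local/apache/modules/mod_security2.so
bf9be000-bf9d3000 rw-p 7ffffffea000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # Offline walk-through on the constructed excerpt, then a live scan of this host.
    for path, inode in deleted_mappings(SAMPLE_MAPS).items():
        print(f"deleted mapping: {path} (inode {inode})")
    print(classify(3317, "/usr/local/apache/bin/httpd (deleted)", True))
    for v in scan_proc():
        print(f"PID {v.pid}: {v.status}: {v.exe}: {v.reason}")
```

Run it as root so `/proc/PID/exe` is readable for every process. A "restart-needed" verdict matches the thread's situation (httpd, mod_security2 and mod_suphp all rebuilt by EasyApache while the old server kept running), and the fix is the service restart cPanelDon gives; a "suspicious" verdict means the image has no file on disk to compare against and should be preserved (for example by copying `/proc/PID/exe`) before the process is stopped.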
  3. smithster (Member)
    Thank you for making me feel a bit more at ease! My VPS was suspended recently due to an attack, so I've been going through EasyApache as advised by CSF. So yes, I was rebuilding it quite often. If that's the only cause I can rest in peace! Actually the emails do seem to have stopped, so I'll see how it goes!

    Thanks again

    Regards

    Smithster
     