The Community Forums

Interact with an entire community of cPanel & WHM users!

Suspicious process running under user nobody

Discussion in 'General Discussion' started by a.sheipani, Aug 16, 2007.

  1. a.sheipani

    a.sheipani Member

    Jan 29, 2007
    Hello everyone, this is a great forum, and I have a question for you.
    I have LFD installed on one of our servers, and yesterday I received three e-mails from it stating that a suspicious process was running under user nobody; note that we have phpsuexec enabled.

    This is the complete message.

    Time: Wed Aug 15 16:21:37 2007
    PID: 8423
    Account: nobody
    Uptime: 314 seconds
    Command Line (often faked in exploits):

    /usr/local/cpanel/bin/eximwrap GETDISKUSED info

    Network connections by the process (if any):

    tcp: ->
    tcp: ->

    Files open by the process (if any):


    Memory maps by the process (if any):

    002e5000-002ee000 r-xp 00000000 08:03 901190 /lib/
    002ee000-002ef000 r--p 00008000 08:03 901190 /lib/
    002ef000-002f0000 rw-p 00009000 08:03 901190 /lib/
    00460000-00476000 r-xp 00000000 08:03 906150 /lib/
    00476000-00477000 r--p 00015000 08:03 906150 /lib/
    00477000-00478000 rw-p 00016000 08:03 906150 /lib/
    0047a000-005a0000 r-xp 00000000 08:03 906160 /lib/tls/
    005a0000-005a2000 r--p 00125000 08:03 906160 /lib/tls/
    005a2000-005a4000 rw-p 00127000 08:03 906160 /lib/tls/
    005a4000-005a6000 rw-p 005a4000 00:00 0
    08048000-08052000 r-xp 00000000 08:03 5358009 /usr/local/cpanel/bin/cpwrap
    08052000-08053000 rw-p 00009000 08:03 5358009 /usr/local/cpanel/bin/cpwrap
    08053000-08074000 rw-p 08053000 00:00 0
    b7ff5000-b7ff6000 rw-p b7ff5000 00:00 0
    bfff7000-c0000000 rwxp bfff7000 00:00 0
    ffffe000-fffff000 ---p 00000000 00:00 0

    Can you please tell me if this is something I should worry about?
    Also, I have been receiving e-mails about high server load at the same time as this message.
    And can you tell me what cpwrap is and what it does?
  2. bebop1065

    bebop1065 Active Member

    Apr 14, 2004
    It might be something to worry about.

    I had the same thing on one of my servers earlier in the week. It turned out to be some scripts in /tmp that were attempting to send log details to a server running a chatroom on port 6667.

    I had the scripts removed and all seems good now.

    Have you run any rootkit checkers to see if they catch anything?
  3. dataferret

    dataferret Member

    Jul 20, 2007
    Do you have any more details on what scripts were running in tmp? Name, file size, etc.? I seem to have this exact same problem, and the only file which looks out of place in tmp is one named t00000 with a file size of 47,000 MB. I have renamed the file so it can be investigated further. I would very much like further details on the filenames you found in your tmp directory.

    Thanks for any help
  4. vanessa

    vanessa Well-Known Member

    Sep 26, 2006
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Other services can run processes as the user nobody, such as Apache and perl. To find nobody running processes, just run:

    ps -efww |grep nobody |more

    Then track the process ID with lsof -p <PID> to find out where it's coming from if it isn't obvious in the process listing.
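
As an added example (not code from this thread, from LFD or from cPanel), here is the triage described above carried one step further: take the PIDs running as nobody from a `ps -efww` listing, then read each one's /proc entry rather than trusting the reported command line, which the LFD notice itself labels "often faked". It assumes a Linux host with /proc, POSIX sh, awk and ps; the ps listing embedded in it is constructed sample data, and the function names are this example's own. The indicators it checks (binary deleted from disk, working directory under /tmp, /var/tmp or /dev/shm, argv[0] naming a different program than the one actually mapped) are hints for a closer look, not a verdict: legitimate wrappers trip the last one too, and the report in the first post, with eximwrap on the command line and cpwrap in the memory maps, would be flagged for exactly that reason.

```shell
#!/bin/sh
# Added triage helpers (not from the forum thread). Assumes Linux with /proc,
# POSIX sh, awk and ps. SAMPLE_PS below is constructed for offline testing.

# Read `ps -efww` style output (header, then UID PID PPID ...) on stdin and
# print the PID of every process whose UID column is "nobody".
list_nobody_pids() {
    awk 'NR > 1 && $1 == "nobody" { print $2 }'
}

# Heuristic over the three fields gathered from /proc/PID: the exe link, the
# cwd link and argv[0] from cmdline. Returns 0 when an indicator is present.
flag_suspicious() {
    exe=$1; cwd=$2; argv0=$3
    # exe unreadable (usually: not root): no verdict rather than a false alarm
    case $exe in "?") return 1 ;; esac
    # binary was unlinked after start, a common trait of scripts dropped in /tmp
    case $exe in *"(deleted)"*) return 0 ;; esac
    # working directory in a world-writable temp location
    case $cwd in /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;; esac
    # argv[0] (what ps shows) does not name the program actually mapped
    [ "$(basename "$exe")" != "$(basename "$argv0")" ] && return 0
    return 1
}

# Gather the fields for one live PID and print a one-line verdict.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "pid $pid: gone"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    # cmdline is NUL-separated; the first field is argv[0]
    argv0=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -d' ' -f1)
    if flag_suspicious "$exe" "$cwd" "$argv0"; then verdict=SUSPICIOUS; else verdict=ok; fi
    printf '%s pid=%s exe=%s cwd=%s argv0=%s\n' "$verdict" "$pid" "$exe" "$cwd" "$argv0"
}

# Constructed sample listing: two nobody processes, one of them a script in /tmp.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Aug15 ?        00:00:01 init [3]
root      8401     1  0 Aug15 ?        00:00:00 /usr/local/apache/bin/httpd
nobody    8423  8401  0 16:16 ?        00:00:00 /usr/local/cpanel/bin/eximwrap GETDISKUSED info
nobody    9001     1  0 16:20 ?        00:00:03 perl /tmp/t00000'

# Space-separated PIDs found in the sample listing (used for the offline check).
nobody_pids_from_sample() {
    printf '%s\n' "$SAMPLE_PS" | list_nobody_pids | tr '\n' ' ' | sed 's/ $//'
}

# Run with --live to triage every nobody process on this host.
if [ "${1:-}" = "--live" ]; then
    ps -efww | list_nobody_pids | while read -r pid; do triage_pid "$pid"; done
else
    echo "sample nobody PIDs: $(nobody_pids_from_sample)"
fi
```

Run it with `--live` as root so /proc/PID/exe is readable for other users' processes; without that, unreadable entries are reported as "?" and given no verdict. Anything marked SUSPICIOUS is then the PID to follow up with `lsof -p <PID>` as suggested above.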
