The Community Forums


Suspicious process running under user rpc

Discussion in 'Security' started by viniciusbarreto, May 24, 2017.

  1. viniciusbarreto

    viniciusbarreto Registered

    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hello everyone, this is my first post.
    I have my first VM server on Hyper-V 2016 running cPanel.
    Since then it has been working very well for about 6 months, and since its implementation no modifications have been made to its configuration or even to CSF (in case cPanel support says that we should look to CSF support or configure CSF to ignore the alert).

    About 3 days ago CSF started sending emails informing me about a possible security failure in cPanel regarding rpcbind. The emails are getting more and more frequent and I'm worried it's a serious security flaw.
    If it helps with the analysis of the case, I have copied one of the emails at the end of this post.

    I think the best solution is not to make CSF ignore the warning, because in about 6 months I never received such a message, and no configuration on the server was changed by me, as I am the only server administrator.

    Can someone help me please?

    Thank you in advance!

    Email:
    Code:
    Suspicious process running under user rpc

    Time:    Wed May 24 16:00:37 2017 -0300

    PID:     206262 (Parent PID:206262)

    Account: rpc

    Uptime:  139687 seconds

    Executable:

    /usr/sbin/rpcbind

    Command Line (often faked in exploits):

    /sbin/rpcbind -w

    Network connections by the process (if any):

    tcp6: 0.0.0.0:111 -> 0.0.0.0:0
    tcp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:797 -> 0.0.0.0:0
    udp6: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:797 -> 0.0.0.0:0

    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /run/rpcbind.lock

    Memory maps by the process (if any):

    7fbdec20a000-7fbdec216000 r-xp 00000000 08:01 8393089  /usr/lib64/libnss_files-2.17.so
    7fbdec216000-7fbdec415000 ---p 0000c000 08:01 8393089  /usr/lib64/libnss_files-2.17.so
    7fbdec415000-7fbdec416000 r--p 0000b000 08:01 8393089  /usr/lib64/libnss_files-2.17.so
    7fbdec416000-7fbdec417000 rw-p 0000c000 08:01 8393089  /usr/lib64/libnss_files-2.17.so
    7fbdec417000-7fbdec41d000 rw-p 00000000 00:00 0
    7fbdec41d000-7fbdec42c000 r-xp 00000000 08:01 8412364  /usr/lib64/libbz2.so.1.0.6
    7fbdec42c000-7fbdec62b000 ---p 0000f000 08:01 8412364  /usr/lib64/libbz2.so.1.0.6
    7fbdec62b000-7fbdec62c000 r--p 0000e000 08:01 8412364  /usr/lib64/libbz2.so.1.0.6
    7fbdec62c000-7fbdec62d000 rw-p 0000f000 08:01 8412364  /usr/lib64/libbz2.so.1.0.6
    7fbdec62d000-7fbdec642000 r-xp 00000000 08:01 8412327  /usr/lib64/libz.so.1.2.7
    7fbdec642000-7fbdec841000 ---p 00015000 08:01 8412327  /usr/lib64/libz.so.1.2.7
    7fbdec841000-7fbdec842000 r--p 00014000 08:01 8412327  /usr/lib64/libz.so.1.2.7
    7fbdec842000-7fbdec843000 rw-p 00015000 08:01 8412327  /usr/lib64/libz.so.1.2.7
    7fbdec843000-7fbdec85a000 r-xp 00000000 08:01 8412428  /usr/lib64/libelf-0.166.so
    7fbdec85a000-7fbdeca59000 ---p 00017000 08:01 8412428  /usr/lib64/libelf-0.166.so
    7fbdeca59000-7fbdeca5a000 r--p 00016000 08:01 8412428  /usr/lib64/libelf-0.166.so
    7fbdeca5a000-7fbdeca5b000 rw-p 00017000 08:01 8412428  /usr/lib64/libelf-0.166.so
    7fbdeca5b000-7fbdecabb000 r-xp 00000000 08:01 8412315  /usr/lib64/libpcre.so.1.2.0
    7fbdecabb000-7fbdeccba000 ---p 00060000 08:01 8412315  /usr/lib64/libpcre.so.1.2.0
    7fbdeccba000-7fbdeccbb000 r--p 0005f000 08:01 8412315  /usr/lib64/libpcre.so.1.2.0
    7fbdeccbb000-7fbdeccbc000 rw-p 00060000 08:01 8412315  /usr/lib64/libpcre.so.1.2.0
    7fbdeccbc000-7fbdeccc0000 r-xp 00000000 08:01 8412445  /usr/lib64/libattr.so.1.1.0
    7fbdeccc0000-7fbdecebf000 ---p 00004000 08:01 8412445  /usr/lib64/libattr.so.1.1.0
    7fbdecebf000-7fbdecec0000 r--p 00003000 08:01 8412445  /usr/lib64/libattr.so.1.1.0
    7fbdecec0000-7fbdecec1000 rw-p 00004000 08:01 8412445  /usr/lib64/libattr.so.1.1.0
    7fbdecec1000-7fbdecec4000 r-xp 00000000 08:01 8412739  /usr/lib64/libkeyutils.so.1.5
    7fbdecec4000-7fbded0c3000 ---p 00003000 08:01 8412739  /usr/lib64/libkeyutils.so.1.5
    7fbded0c3000-7fbded0c4000 r--p 00002000 08:01 8412739  /usr/lib64/libkeyutils.so.1.5
    7fbded0c4000-7fbded0c5000 rw-p 00003000 08:01 8412739  /usr/lib64/libkeyutils.so.1.5
    7fbded0c5000-7fbded0d2000 r-xp 00000000 08:01 8412272  /usr/lib64/libkrb5support.so.0.1
    7fbded0d2000-7fbded2d2000 ---p 0000d000 08:01 8412272  /usr/lib64/libkrb5support.so.0.1
    7fbded2d2000-7fbded2d3000 r--p 0000d000 08:01 8412272  /usr/lib64/libkrb5support.so.0.1
    7fbded2d3000-7fbded2d4000 rw-p 0000e000 08:01 8412272  /usr/lib64/libkrb5support.so.0.1
    7fbded2d4000-7fbded2e9000 r-xp 00000000 08:01 8388707  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    7fbded2e9000-7fbded4e8000 ---p 00015000 08:01 8388707  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    7fbded4e8000-7fbded4e9000 r--p 00014000 08:01 8388707  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    7fbded4e9000-7fbded4ea000 rw-p 00015000 08:01 8388707  /usr/lib64/libgcc_s-4.8.5-20150702.so.1
    7fbded4ea000-7fbded4ec000 r-xp 00000000 08:01 8390038  /usr/lib64/libdl-2.17.so
    7fbded4ec000-7fbded6ec000 ---p 00002000 08:01 8390038  /usr/lib64/libdl-2.17.so
    7fbded6ec000-7fbded6ed000 r--p 00002000 08:01 8390038  /usr/lib64/libdl-2.17.so
    7fbded6ed000-7fbded6ee000 rw-p 00003000 08:01 8390038  /usr/lib64/libdl-2.17.so
    7fbded6ee000-7fbded733000 r-xp 00000000 08:01 8412490  /usr/lib64/libdw-0.166.so
    7fbded733000-7fbded933000 ---p 00045000 08:01 8412490  /usr/lib64/libdw-0.166.so
    7fbded933000-7fbded935000 r--p 00045000 08:01 8412490  /usr/lib64/libdw-0.166.so
    7fbded935000-7fbded936000 rw-p 00047000 08:01 8412490  /usr/lib64/libdw-0.166.so
    7fbded936000-7fbded94c000 r-xp 00000000 08:01 8393099  /usr/lib64/libresolv-2.17.so
    7fbded94c000-7fbdedb4c000 ---p 00016000 08:01 8393099  /usr/lib64/libresolv-2.17.so
    7fbdedb4c000-7fbdedb4d000 r--p 00016000 08:01 8393099  /usr/lib64/libresolv-2.17.so
    7fbdedb4d000-7fbdedb4e000 rw-p 00017000 08:01 8393099  /usr/lib64/libresolv-2.17.so
    7fbdedb4e000-7fbdedb50000 rw-p 00000000 00:00 0
    7fbdedb50000-7fbdedb54000 r-xp 00000000 08:01 8412441  /usr/lib64/libgpg-error.so.0.10.0
    7fbdedb54000-7fbdedd53000 ---p 00004000 08:01 8412441  /usr/lib64/libgpg-error.so.0.10.0
    7fbdedd53000-7fbdedd54000 r--p 00003000 08:01 8412441  /usr/lib64/libgpg-error.so.0.10.0
    7fbdedd54000-7fbdedd55000 rw-p 00004000 08:01 8412441  /usr/lib64/libgpg-error.so.0.10.0
    7fbdedd55000-7fbdeddd1000 r-xp 00000000 08:01 8412303  /usr/lib64/libgcrypt.so.11.8.2
    7fbdeddd1000-7fbdedfd1000 ---p 0007c000 08:01 8412303  /usr/lib64/libgcrypt.so.11.8.2
    7fbdedfd1000-7fbdedfd2000 r--p 0007c000 08:01 8412303  /usr/lib64/libgcrypt.so.11.8.2
    7fbdedfd2000-7fbdedfd5000 rw-p 0007d000 08:01 8412303  /usr/lib64/libgcrypt.so.11.8.2
    7fbdedfd5000-7fbdedfd6000 rw-p 00000000 00:00 0
    7fbdedfd6000-7fbdedffb000 r-xp 00000000 08:01 8412337  /usr/lib64/liblzma.so.5.2.2
    7fbdedffb000-7fbdee1fa000 ---p 00025000 08:01 8412337  /usr/lib64/liblzma.so.5.2.2
    7fbdee1fa000-7fbdee1fb000 r--p 00024000 08:01 8412337  /usr/lib64/liblzma.so.5.2.2
    7fbdee1fb000-7fbdee1fc000 rw-p 00025000 08:01 8412337  /usr/lib64/liblzma.so.5.2.2
    7fbdee1fc000-7fbdee220000 r-xp 00000000 08:01 8412324  /usr/lib64/libselinux.so.1
    7fbdee220000-7fbdee41f000 ---p 00024000 08:01 8412324  /usr/lib64/libselinux.so.1
    7fbdee41f000-7fbdee420000 r--p 00023000 08:01 8412324  /usr/lib64/libselinux.so.1
    7fbdee420000-7fbdee421000 rw-p 00024000 08:01 8412324  /usr/lib64/libselinux.so.1
    7fbdee421000-7fbdee423000 rw-p 00000000 00:00 0
    7fbdee423000-7fbdee42a000 r-xp 00000000 08:01 8393101  /usr/lib64/librt-2.17.so
    7fbdee42a000-7fbdee629000 ---p 00007000 08:01 8393101  /usr/lib64/librt-2.17.so
    7fbdee629000-7fbdee62a000 r--p 00006000 08:01 8393101  /usr/lib64/librt-2.17.so
    7fbdee62a000-7fbdee62b000 rw-p 00007000 08:01 8393101  /usr/lib64/librt-2.17.so
    7fbdee62b000-7fbdee72b000 r-xp 00000000 08:01 8390040  /usr/lib64/libm-2.17.so
    7fbdee72b000-7fbdee92b000 ---p 00100000 08:01 8390040  /usr/lib64/libm-2.17.so
    7fbdee92b000-7fbdee92c000 r--p 00100000 08:01 8390040  /usr/lib64/libm-2.17.so
    7fbdee92c000-7fbdee92d000 rw-p 00101000 08:01 8390040  /usr/lib64/libm-2.17.so
    7fbdee92d000-7fbdee931000 r-xp 00000000 08:01 8412449  /usr/lib64/libcap.so.2.22
    7fbdee931000-7fbdeeb30000 ---p 00004000 08:01 8412449  /usr/lib64/libcap.so.2.22
    7fbdeeb30000-7fbdeeb31000 r--p 00003000 08:01 8412449  /usr/lib64/libcap.so.2.22
    7fbdeeb31000-7fbdeeb32000 rw-p 00004000 08:01 8412449  /usr/lib64/libcap.so.2.22
    7fbdeeb32000-7fbdeeb48000 r-xp 00000000 08:01 8390044  /usr/lib64/libnsl-2.17.so
    7fbdeeb48000-7fbdeed47000 ---p 00016000 08:01 8390044  /usr/lib64/libnsl-2.17.so
    7fbdeed47000-7fbdeed48000 r--p 00015000 08:01 8390044  /usr/lib64/libnsl-2.17.so
    7fbdeed48000-7fbdeed49000 rw-p 00016000 08:01 8390044  /usr/lib64/libnsl-2.17.so
    7fbdeed49000-7fbdeed4b000 rw-p 00000000 00:00 0
    7fbdeed4b000-7fbdeed4e000 r-xp 00000000 08:01 8412356  /usr/lib64/libcom_err.so.2.1
    7fbdeed4e000-7fbdeef4d000 ---p 00003000 08:01 8412356  /usr/lib64/libcom_err.so.2.1
    7fbdeef4d000-7fbdeef4e000 r--p 00002000 08:01 8412356  /usr/lib64/libcom_err.so.2.1
    7fbdeef4e000-7fbdeef4f000 rw-p 00003000 08:01 8412356  /usr/lib64/libcom_err.so.2.1
    7fbdeef4f000-7fbdeef7e000 r-xp 00000000 08:01 8412264  /usr/lib64/libk5crypto.so.3.1
    7fbdeef7e000-7fbdef17d000 ---p 0002f000 08:01 8412264  /usr/lib64/libk5crypto.so.3.1
    7fbdef17d000-7fbdef17f000 r--p 0002e000 08:01 8412264  /usr/lib64/libk5crypto.so.3.1
    7fbdef17f000-7fbdef180000 rw-p 00030000 08:01 8412264  /usr/lib64/libk5crypto.so.3.1
    7fbdef180000-7fbdef181000 rw-p 00000000 00:00 0
    7fbdef181000-7fbdef257000 r-xp 00000000 08:01 8412270  /usr/lib64/libkrb5.so.3.3
    7fbdef257000-7fbdef457000 ---p 000d6000 08:01 8412270  /usr/lib64/libkrb5.so.3.3
    7fbdef457000-7fbdef465000 r--p 000d6000 08:01 8412270  /usr/lib64/libkrb5.so.3.3
    7fbdef465000-7fbdef468000 rw-p 000e4000 08:01 8412270  /usr/lib64/libkrb5.so.3.3
    7fbdef468000-7fbdef4b3000 r-xp 00000000 08:01 8412260  /usr/lib64/libgssapi_krb5.so.2.2
    7fbdef4b3000-7fbdef6b3000 ---p 0004b000 08:01 8412260  /usr/lib64/libgssapi_krb5.so.2.2
    7fbdef6b3000-7fbdef6b4000 r--p 0004b000 08:01 8412260  /usr/lib64/libgssapi_krb5.so.2.2
    7fbdef6b4000-7fbdef6b6000 rw-p 0004c000 08:01 8412260  /usr/lib64/libgssapi_krb5.so.2.2
    7fbdef6b6000-7fbdef86c000 r-xp 00000000 08:01 8390036  /usr/lib64/libc-2.17.so
    7fbdef86c000-7fbdefa6c000 ---p 001b6000 08:01 8390036  /usr/lib64/libc-2.17.so
    7fbdefa6c000-7fbdefa70000 r--p 001b6000 08:01 8390036  /usr/lib64/libc-2.17.so
    7fbdefa70000-7fbdefa72000 rw-p 001ba000 08:01 8390036  /usr/lib64/libc-2.17.so
    7fbdefa72000-7fbdefa77000 rw-p 00000000 00:00 0
    7fbdefa77000-7fbdefa80000 r-xp 00000000 08:01 8412730  /usr/lib64/libwrap.so.0.7.6
    7fbdefa80000-7fbdefc7f000 ---p 00009000 08:01 8412730  /usr/lib64/libwrap.so.0.7.6
    7fbdefc7f000-7fbdefc80000 r--p 00008000 08:01 8412730  /usr/lib64/libwrap.so.0.7.6
    7fbdefc80000-7fbdefc81000 rw-p 00009000 08:01 8412730  /usr/lib64/libwrap.so.0.7.6
    7fbdefc81000-7fbdefc82000 rw-p 00000000 00:00 0
    7fbdefc82000-7fbdefc99000 r-xp 00000000 08:01 8393097  /usr/lib64/libpthread-2.17.so
    7fbdefc99000-7fbdefe98000 ---p 00017000 08:01 8393097  /usr/lib64/libpthread-2.17.so
    7fbdefe98000-7fbdefe99000 r--p 00016000 08:01 8393097  /usr/lib64/libpthread-2.17.so
    7fbdefe99000-7fbdefe9a000 rw-p 00017000 08:01 8393097  /usr/lib64/libpthread-2.17.so
    7fbdefe9a000-7fbdefe9e000 rw-p 00000000 00:00 0
    7fbdefe9e000-7fbdefec7000 r-xp 00000000 08:01 9102854  /usr/lib64/libtirpc.so.1.0.10
    7fbdefec7000-7fbdf00c6000 ---p 00029000 08:01 9102854  /usr/lib64/libtirpc.so.1.0.10
    7fbdf00c6000-7fbdf00c7000 r--p 00028000 08:01 9102854  /usr/lib64/libtirpc.so.1.0.10
    7fbdf00c7000-7fbdf00c8000 rw-p 00029000 08:01 9102854  /usr/lib64/libtirpc.so.1.0.10
    7fbdf00c8000-7fbdf00c9000 rw-p 00000000 00:00 0
    7fbdf00c9000-7fbdf00e9000 r-xp 00000000 08:01 8796826  /usr/lib64/ld-2.17.so
    7fbdf02a7000-7fbdf02b5000 rw-p 00000000 00:00 0
    7fbdf02b5000-7fbdf02db000 r-xp 00000000 08:01 8412436  /usr/lib64/libsystemd.so.0.6.0
    7fbdf02db000-7fbdf02dc000 r--p 00025000 08:01 8412436  /usr/lib64/libsystemd.so.0.6.0
    7fbdf02dc000-7fbdf02dd000 rw-p 00026000 08:01 8412436  /usr/lib64/libsystemd.so.0.6.0
    7fbdf02e7000-7fbdf02e8000 rw-p 00000000 00:00 0
    7fbdf02e8000-7fbdf02e9000 r--p 0001f000 08:01 8796826  /usr/lib64/ld-2.17.so
    7fbdf02e9000-7fbdf02ea000 rw-p 00020000 08:01 8796826  /usr/lib64/ld-2.17.so
    7fbdf02ea000-7fbdf02eb000 rw-p 00000000 00:00 0
    7fbdf02eb000-7fbdf02f8000 r-xp 00000000 08:01 9102855  /usr/sbin/rpcbind
    7fbdf04f8000-7fbdf04f9000 r--p 0000d000 08:01 9102855  /usr/sbin/rpcbind
    7fbdf04f9000-7fbdf04fa000 rw-p 0000e000 08:01 9102855  /usr/sbin/rpcbind
    7fbdf21d9000-7fbdf21fa000 rw-p 00000000 00:00 0  [heap]
    7fff53e65000-7fff53e86000 rw-p 00000000 00:00 0  [stack]
    7fff53efe000-7fff53f00000 r-xp 00000000 00:00 0  [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0  [vsyscall]
    #1 viniciusbarreto, May 24, 2017
    Last edited by a moderator: May 24, 2017
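The alert above is lfd's process-tracking report, and the question in the post (real compromise, or a known daemon that merely tripped a heuristic?) can be answered from the report itself plus two live checks. The script below is an added example written for this thread; it is not code from CSF, lfd or cPanel. It parses the fields lfd prints, applies the checks a responder would apply by hand (binary location, faked argv[0], foreign memory maps, exposure on all interfaces) and, when given a PID on a real CentOS 7 host, confirms the running binary against the RPM database. The SAMPLE_ALERT is a constructed, trimmed copy of the email quoted above; the thresholds and directory lists are the author's assumptions, not lfd's.

```bash
#!/bin/bash
# Added example; not code from the thread, from CSF/lfd or from cPanel.
# Triage of an lfd "Suspicious process running under user ..." alert before
# deciding whether to whitelist it. Assumes bash, awk, basename, readlink and,
# for the live checks on a real CentOS 7 host, root plus rpm and ss.

# Constructed sample: a trimmed copy of the alert quoted in the first post.
SAMPLE_ALERT='Suspicious process running under user rpc

PID:     206262 (Parent PID:206262)

Account: rpc

Executable:

/usr/sbin/rpcbind

Command Line (often faked in exploits):

/sbin/rpcbind -w

Network connections by the process (if any):

tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0

Memory maps by the process (if any):

7fbdf02eb000-7fbdf02f8000 r-xp 00000000 08:01 9102855  /usr/sbin/rpcbind
7fbdf21d9000-7fbdf21fa000 rw-p 00000000 00:00 0        [heap]'

# Value of one alert field: the first non-blank line after the header line
# that starts with $1 (e.g. "Executable:" or "Command Line").
alert_field() {            # $1 = header prefix, stdin = alert text
    awk -v hdr="$1" '
        found && NF         { print; exit }
        index($0, hdr) == 1 { found = 1 }
    '
}

# Static heuristics that need only the alert text. Prints findings; returns
# 0 when the process looks like a normal packaged daemon, 1 otherwise.
triage_alert() {           # stdin = alert text
    local text exe cmd argv0 maps rc=0
    text=$(cat)
    exe=$(printf '%s\n' "$text" | alert_field 'Executable:')
    cmd=$(printf '%s\n' "$text" | alert_field 'Command Line')
    argv0=${cmd%% *}

    # 1. Binary in a world-writable location, or unlinked after exec
    #    (lfd shows "(deleted)" the way /proc/PID/exe does).
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)')
            echo "FINDING: executable in suspicious location: $exe"; rc=1 ;;
    esac

    # 2. argv[0] is trivially faked; compare its basename with the real
    #    executable's (/sbin vs /usr/sbin, as in the thread, passes).
    if [ "$(basename "$argv0")" != "$(basename "$exe")" ]; then
        echo "FINDING: argv[0] '$argv0' does not match executable '$exe'"; rc=1
    fi

    # 3. Mapped files (injected .so, dropped payloads) outside system dirs.
    maps=$(printf '%s\n' "$text" |
        awk '/^Memory maps/ { m = 1; next }
             m && $6 ~ /^\/(tmp|var\/tmp|dev\/shm|home)\// { print $6 }')
    if [ -n "$maps" ]; then
        echo "FINDING: mapped files outside system directories:"
        echo "$maps"; rc=1
    fi

    # 4. Not a finding by itself, but it is what makes rpcbind reachable.
    printf '%s\n' "$text" |
        awk '/^(tcp|udp)6?: 0\.0\.0\.0:[0-9]+ -> 0\.0\.0\.0:0/ {
                 print "INFO: listening on all interfaces: " $0 }'
    return $rc
}

# Live checks against the PID from the alert; meaningful only on the host.
verify_live() {            # $1 = PID
    local pid=$1 exe
    [ -d "/proc/$pid" ] || { echo "PID $pid is no longer running"; return 2; }
    exe=$(readlink "/proc/$pid/exe")        # real path, "(deleted)" if unlinked
    echo "running binary: $exe"
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "${exe% (deleted)}"         # owning package
        rpm -Vf "${exe% (deleted)}" && echo "owning package verifies clean"
    fi
    command -v ss >/dev/null 2>&1 && ss -lntup 'sport = :111'
}

# Demo on the constructed alert; pass a PID to also run the live checks.
printf '%s\n' "$SAMPLE_ALERT" | triage_alert || echo "alert needs a closer look"
if [ -n "${1:-}" ]; then verify_live "$1"; fi
```

On the alert from the thread the script reports only the two INFO lines (rpcbind bound to 0.0.0.0:111 on tcp and udp) and exits 0: the binary is /usr/sbin/rpcbind, the argv[0] mismatch is just the /sbin symlink, and every mapped file is under /usr/lib64. If `rpm -Vf` then reports no changes for the rpcbind package, the remaining question is not "is this malware" but "do I want port 111 reachable at all", which is what the rest of the thread turns to.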
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
  3. viniciusbarreto

    viniciusbarreto Registered

    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hello @cPanelMichael, thank you for your contribution, but the link you indicated did not answer the question, and in fact there is a last question asked by the user @net@work that was not answered.
    I saw in another link that rpcbind is only needed for mounting NFS, but I noticed that it was always present on my system, and only after an update on May 23 (2 days ago) did the alerts begin.

    Code:
    tail /var/log/yum.log | grep rpcbind
    May 23 01:11:32 Updated: rpcbind-0.2.0-38.el7_3.x86_64

    Please, is my system at security risk? What should I do?

    Can I tell CSF to ignore rpcbind without worrying about a security failure on my cPanel server?
     
  4. voidzero

    voidzero Member

    Location:
    NL
    cPanel Access Level:
    Root Administrator
    This has been occurring for me lately as well. I don't use NFS. Is it safe to disable rpcbind and if so what's the right way to go about doing so? Thanks.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    You can disable the service with the following commands on CentOS 7 (assuming you don't have NFS mounts):

    Code:
    # rpcbind is socket-activated on CentOS 7: rpcbind.socket keeps port 111 open and respawns the service on the next connection, so stop and disable both units
    systemctl stop rpcbind.socket rpcbind.service
    systemctl disable rpcbind.socket rpcbind.service
    I don't recommend removing the RPM itself, as it has several dependencies with packages such as quota and dovecot.

    Thank you.
     
    viniciusbarreto likes this.
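Before acting on the reply above it is worth checking three things: that nothing mounted on the box needs the portmapper, that port 111 is really closed afterwards (on CentOS 7 rpcbind is socket-activated, so stopping only rpcbind.service leaves systemd's rpcbind.socket bound to 111/tcp and 111/udp and the service comes back on the next connection), and that CSF is not allowing 111 inbound in the meantime. The script below is an added example written for this thread, not the commands from the reply or from cPanel. It assumes root, systemd 219 as shipped with CentOS 7, iproute's `ss`, and CSF's configuration at /etc/csf/csf.conf; the parsing functions take their input on stdin so they can be run against a saved copy of /proc/mounts or `ss` output, which is also how the constructed test data exercises them.

```bash
#!/bin/bash
# Added example; not the commands from the thread. Retires rpcbind the way
# systemd on CentOS 7 needs it done, and verifies the result. Assumes root,
# systemd, iproute (ss), CSF at /etc/csf/csf.conf, and that nothing on the
# host needs the portmapper (NFS, rquotad).

# Does anything mounted here need the portmapper? /proc/mounts format on
# stdin, so it can also be run against a saved copy.
nfs_mounts_present() {        # stdin = /proc/mounts
    awk '$3 ~ /^nfs/ { n++ } END { exit n ? 0 : 1 }'
}

# Number of sockets bound to port 111 in `ss -lntu` output (stdin). With only
# rpcbind.service stopped these stay open: rpcbind.socket owns them and
# re-spawns the service on the next connection.
port111_listeners() {         # stdin = ss -lntu output
    awk '$5 ~ /:111$/ { n++ } END { print n + 0 }'
}

# Is 111 still in CSF's inbound allow lists (TCP_IN/UDP_IN/TCP6_IN/UDP6_IN)?
# Only literal ports are checked, not ranges such as 30000:35000.
csf_exposes_111() {           # stdin = /etc/csf/csf.conf
    awk -F'"' '/^(TCP|UDP)6?_IN *=/ {
                   n = split($2, p, ",")
                   for (i = 1; i <= n; i++) if (p[i] == "111") found = 1
               }
               END { exit found ? 0 : 1 }'
}

disable_rpcbind() {
    if nfs_mounts_present < /proc/mounts; then
        echo "NFS mounts present: rpcbind is required, leaving it alone" >&2
        return 1
    fi
    # Both units. "systemctl disable --now" needs systemd >= 220 and CentOS 7
    # ships 219, hence separate stop and disable.
    systemctl stop    rpcbind.socket rpcbind.service
    systemctl disable rpcbind.socket rpcbind.service
    local n
    n=$(ss -lntu | port111_listeners)
    if [ "$n" -ne 0 ]; then
        echo "port 111 is still bound by $n socket(s)" >&2
        return 1
    fi
    echo "rpcbind stopped and disabled; port 111 is closed"
}

# Dry run by default: report, change nothing. "--apply" performs the change.
if command -v ss >/dev/null 2>&1; then
    echo "sockets on port 111 now: $(ss -lntu | port111_listeners)"
fi
if [ -r /etc/csf/csf.conf ]; then
    if csf_exposes_111 < /etc/csf/csf.conf; then
        echo "CSF allows port 111 inbound; remove it from TCP_IN/UDP_IN"
    else
        echo "CSF does not allow port 111 inbound"
    fi
fi
if [ "${1:-}" = "--apply" ]; then disable_rpcbind; fi
```

Run it once without arguments to see the current state, then with `--apply` to make the change; a non-zero listener count after `--apply` means something (typically a forgotten rpcbind.socket, or an NFS or quota unit that pulled rpcbind back in) still owns port 111 and `systemctl list-dependencies --reverse rpcbind.socket` will name it. If rpcbind has to stay, the CSF check is the one that matters: with 111 absent from TCP_IN and UDP_IN the daemon lfd keeps reporting is not reachable from outside, and whitelisting the process in CSF becomes a cosmetic decision rather than a security one.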