Suspicious process running under user

petru

Jul 12, 2013
cPanel Access Level
Root Administrator
Hey guys,

I'll make this quick.
Last night I received an email that someone had logged in to root from another country.

I immediately tried to log in but they had already changed the password.
So I still managed to log in via SSH and change the root password.

A few hours later they got back in. I suspected that maybe I had a RAT of some sort on my main PC,
so I used another computer in the house to log in again and change the passwords.

The root email was changed, so I changed it back.
But now I'm getting emails like this:

Code:
Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/user/public_html/wp-cron.php


Network connections by the process (if any):

tcp: xxx.xxx.xxx.xxx:59257 -> 66.155.40.250:80


Files open by the process (if any):

Memory maps by the process (if any):

00400000-00b02000 r-xp 00000000 08:03 1970214                            /usr/bin/php
00d01000-00d81000 rw-p 00701000 08:03 1970214                            /usr/bin/php
00d81000-00da3000 rw-p 00000000 00:00 0 
01cda000-043f4000 rw-p 00000000 00:00 0                                  [heap]
7fc2b1070000-7fc2b1075000 r-xp 00000000 08:03 1310812                    /lib64/libnss_dns-2.12.so
7fc2b1075000-7fc2b1274000 ---p 00005000 08:03 1310812                    /lib64/libnss_dns-2.12.so
7fc2b1274000-7fc2b1275000 r--p 00004000 08:03 1310812                    /lib64/libnss_dns-2.12.so
7fc2b1275000-7fc2b1276000 rw-p 00005000 08:03 1310812                    /lib64/libnss_dns-2.12.so
7fc2b1276000-7fc2b16ff000 rw-p 00000000 00:00 0 
7fc2b16ff000-7fc2b170b000 r-xp 00000000 08:03 1310848                    /lib64/libnss_files-2.12.so
7fc2b170b000-7fc2b190b000 ---p 0000c000 08:03 1310848                    /lib64/libnss_files-2.12.so
7fc2b190b000-7fc2b190c000 r--p 0000c000 08:03 1310848                    /lib64/libnss_files-2.12.so
7fc2b190c000-7fc2b190d000 rw-p 0000d000 08:03 1310848                    /lib64/libnss_files-2.12.so
7fc2b190d000-7fc2b1914000 r-xp 00000000 08:03 2247619                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so
7fc2b1914000-7fc2b1b14000 ---p 00007000 08:03 2247619                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so
7fc2b1b14000-7fc2b1b15000 rw-p 00007000 08:03 2247619                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_mysql.so
7fc2b1b15000-7fc2b1b67000 r-xp 00000000 08:03 2247621                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so
7fc2b1b67000-7fc2b1d66000 ---p 00052000 08:03 2247621                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so
7fc2b1d66000-7fc2b1d6c000 rw-p 00051000 08:03 2247621                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/sqlite.so
7fc2b1d6c000-7fc2b1e04000 r-xp 00000000 08:03 2247620                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so
7fc2b1e04000-7fc2b2003000 ---p 00098000 08:03 2247620                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so
7fc2b2003000-7fc2b2007000 rw-p 00097000 08:03 2247620                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo_sqlite.so
7fc2b2007000-7fc2b201d000 r-xp 00000000 08:03 2247618                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so
7fc2b201d000-7fc2b221d000 ---p 00016000 08:03 2247618                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so
7fc2b221d000-7fc2b2220000 rw-p 00016000 08:03 2247618                    /usr/local/lib/php/extensions/no-debug-non-zts-20090626/pdo.so
7fc2b2220000-7fc2b230f000 r-xp 00000000 08:03 2399062                    /usr/local/IonCube/ioncube_loader_lin_5.3.so
7fc2b230f000-7fc2b240e000 ---p 000ef000 08:03 2399062                    /usr/local/IonCube/ioncube_loader_lin_5.3.so
7fc2b240e000-7fc2b241d000 rw-p 000ee000 08:03 2399062                    /usr/local/IonCube/ioncube_loader_lin_5.3.so
7fc2b241d000-7fc2b2421000 rw-p 00000000 00:00 0 
7fc2b2421000-7fc2b243e000 r-xp 00000000 08:03 1310767                    /lib64/libselinux.so.1
7fc2b243e000-7fc2b263d000 ---p 0001d000 08:03 1310767                    /lib64/libselinux.so.1
7fc2b263d000-7fc2b263e000 r--p 0001c000 08:03 1310767                    /lib64/libselinux.so.1
7fc2b263e000-7fc2b263f000 rw-p 0001d000 08:03 1310767                    /lib64/libselinux.so.1
7fc2b263f000-7fc2b2640000 rw-p 00000000 00:00 0 
7fc2b2640000-7fc2b2642000 r-xp 00000000 08:03 1972136                    /usr/lib64/libXau.so.6.0.0
7fc2b2642000-7fc2b2842000 ---p 00002000 08:03 1972136                    /usr/lib64/libXau.so.6.0.0
7fc2b2842000-7fc2b2843000 rw-p 00002000 08:03 1972136                    /usr/lib64/libXau.so.6.0.0
7fc2b2843000-7fc2b2845000 r-xp 00000000 08:03 1311007                    /lib64/libkeyutils.so.1.3
7fc2b2845000-7fc2b2a44000 ---p 00002000 08:03 1311007                    /lib64/libkeyutils.so.1.3
7fc2b2a44000-7fc2b2a45000 r--p 00001000 08:03 1311007                    /lib64/libkeyutils.so.1.3
7fc2b2a45000-7fc2b2a46000 rw-p 00002000 08:03 1311007                    /lib64/libkeyutils.so.1.3
7fc2b2a46000-7fc2b2a50000 r-xp 00000000 08:03 1310778                    /lib64/libkrb5support.so.0.1
7fc2b2a50000-7fc2b2c4f000 ---p 0000a000 08:03 1310778                    /lib64/libkrb5support.so.0.1
7fc2b2c4f000-7fc2b2c50000 r--p 00009000 08:03 1310778                    /lib64/libkrb5support.so.0.1
7fc2b2c50000-7fc2b2c51000 rw-p 0000a000 08:03 1310778                    /lib64/libkrb5support.so.0.1
7fc2b2c51000-7fc2b2c6e000 r-xp 00000000 08:03 1972180                    /usr/lib64/libxcb.so.1.1.0
7fc2b2c6e000-7fc2b2e6e000 ---p 0001d000 08:03 1972180                    /usr/lib64/libxcb.so.1.1.0
7fc2b2e6e000-7fc2b2e6f000 rw-p 0001d000 08:03 1972180                    /usr/lib64/libxcb.so.1.1.0
7fc2b2e6f000-7fc2b2e86000 r-xp 00000000 08:03 1310779                    /lib64/libaudit.so.1.0.0
7fc2b2e86000-7fc2b3085000 ---p 00017000 08:03 1310779                    /lib64/libaudit.so.1.0.0
7fc2b3085000-7fc2b3086000 r--p 00016000 08:03 1310779                    /lib64/libaudit.so.1.0.0
7fc2b3086000-7fc2b308b000 rw-p 00017000 08:03 1310779                    /lib64/libaudit.so.1.0.0
7fc2b308b000-7fc2b30a0000 r-xp 00000000 08:03 1310743                    /lib64/libz.so.1.2.3
7fc2b30a0000-7fc2b329f000 ---p 00015000 08:03 1310743                    /lib64/libz.so.1.2.3
7fc2b329f000-7fc2b32a0000 r--p 00014000 08:03 1310743                    /lib64/libz.so.1.2.3
7fc2b32a0000-7fc2b32a1000 rw-p 00015000 08:03 1310743                    /lib64/libz.so.1.2.3
7fc2b32a1000-7fc2b3312000 r-xp 00000000 08:03 1310736                    /lib64/libfreebl3.so
7fc2b3312000-7fc2b3511000 ---p 00071000 08:03 1310736                    /lib64/libfreebl3.so
7fc2b3511000-7fc2b3513000 r--p 00070000 08:03 1310736                    /lib64/libfreebl3.so
7fc2b3513000-7fc2b3514000 rw-p 00072000 08:03 1310736                    /lib64/libfreebl3.so
7fc2b3514000-7fc2b3518000 rw-p 00000000 00:00 0 
7fc2b3518000-7fc2b352e000 r-xp 00000000 08:03 1310857                    /lib64/libresolv-2.12.so
7fc2b352e000-7fc2b372e000 ---p 00016000 08:03 1310857                    /lib64/libresolv-2.12.so
7fc2b372e000-7fc2b372f000 r--p 00016000 08:03 1310857                    /lib64/libresolv-2.12.so
7fc2b372f000-7fc2b3730000 rw-p 00017000 08:03 1310857                    /lib64/libresolv-2.12.so
7fc2b3730000-7fc2b3732000 rw-p 00000000 00:00 0 
7fc2b3732000-7fc2b38bd000 r-xp 00000000 08:03 1310728                    /lib64/libc-2.12.so
7fc2b38bd000-7fc2b3abc000 ---p 0018b000 08:03 1310728                    /lib64/libc-2.12.so
7fc2b3abc000-7fc2b3ac0000 r--p 0018a000 08:03 1310728                    /lib64/libc-2.12.so
7fc2b3ac0000-7fc2b3ac1000 rw-p 0018e000 08:03 1310728                    /lib64/libc-2.12.so
7fc2b3ac1000-7fc2b3ac6000 rw-p 00000000 00:00 0 
7fc2b3ac6000-7fc2b3c15000 r-xp 00000000 08:03 919013                     /opt/xml2/lib/libxml2.so.2.9.0
7fc2b3c15000-7fc2b3e14000 ---p 0014f000 08:03 919013                     /opt/xml2/lib/libxml2.so.2.9.0
7fc2b3e14000-7fc2b3e1e000 rw-p 0014e000 08:03 919013                     /opt/xml2/lib/libxml2.so.2.9.0
7fc2b3e1e000-7fc2b3e1f000 rw-p 00000000 00:00 0 
7fc2b3e1f000-7fc2b3e36000 r-xp 00000000 08:03 1310752                    /lib64/libpthread-2.12.so
7fc2b3e36000-7fc2b4036000 ---p 00017000 08:03 1310752                    /lib64/libpthread-2.12.so
7fc2b4036000-7fc2b4037000 r--p 00017000 08:03 1310752                    /lib64/libpthread-2.12.so
7fc2b4037000-7fc2b4038000 rw-p 00018000 08:03 1310752                    /lib64/libpthread-2.12.so
7fc2b4038000-7fc2b403c000 rw-p 00000000 00:00 0 
7fc2b403c000-7fc2b4209000 r-xp 00000000 08:03 1971604                    /usr/lib64/libmysqlclient.so.16.0.0
7fc2b4209000-7fc2b4408000 ---p 001cd000 08:03 1971604                    /usr/lib64/libmysqlclient.so.16.0.0
7fc2b4408000-7fc2b445a000 rw-p 001cc000 08:03 1971604                    /usr/lib64/libmysqlclient.so.16.0.0
7fc2b445a000-7fc2b445b000 rw-p 00000000 00:00 0 
7fc2b445b000-7fc2b448d000 r-xp 00000000 08:03 1310904                    /lib64/libidn.so.11.6.1
7fc2b448d000-7fc2b468c000 ---p 00032000 08:03 1310904                    /lib64/libidn.so.11.6.1
7fc2b468c000-7fc2b468d000 rw-p 00031000 08:03 1310904                    /lib64/libidn.so.11.6.1
7fc2b468d000-7fc2b46e5000 r-xp 00000000 08:03 918799                     /opt/curlssl/lib/libcurl.so.4.2.0
7fc2b46e5000-7fc2b48e5000 ---p 00058000 08:03 918799                     /opt/curlssl/lib/libcurl.so.4.2.0
7fc2b48e5000-7fc2b48e8000 rw-p 00058000 08:03 918799                     /opt/curlssl/lib/libcurl.so.4.2.0
7fc2b48e8000-7fc2b48eb000 r-xp 00000000 08:03 1310872                    /lib64/libcom_err.so.2.1
7fc2b48eb000-7fc2b4aea000 ---p 00003000 08:03 1310872                    /lib64/libcom_err.so.2.1
7fc2b4aea000-7fc2b4aeb000 r--p 00002000 08:03 1310872                    /lib64/libcom_err.so.2.1
7fc2b4aeb000-7fc2b4aec000 rw-p 00003000 08:03 1310872                    /lib64/libcom_err.so.2.1
7fc2b4aec000-7fc2b4b15000 r-xp 00000000 08:03 1310748                    /lib64/libk5crypto.so.3.1
7fc2b4b15000-7fc2b4d15000 ---p 00029000 08:03 1310748                    /lib64/libk5crypto.so.3.1
7fc2b4d15000-7fc2b4d16000 r--p 00029000 08:03 1310748                    /lib64/libk5crypto.so.3.1
7fc2b4d16000-7fc2b4d17000 rw-p 0002a000 08:03 1310748                    /lib64/libk5crypto.so.3.1
7fc2b4d17000-7fc2b4d18000 rw-p 00000000 00:00 0 
7fc2b4d18000-7fc2b4df3000 r-xp 00000000 08:03 1310758                    /lib64/libkrb5.so.3.3
7fc2b4df3000-7fc2b4ff2000 ---p 000db000 08:03 1310758                    /lib64/libkrb5.so.3.3
7fc2b4ff2000-7fc2b4ffc000 r--p 000da000 08:03 1310758                    /lib64/libkrb5.so.3.3
7fc2b4ffc000-7fc2b4ffe000 rw-p 000e4000 08:03 1310758                    /lib64/libkrb5.so.3.3
7fc2b4ffe000-7fc2b503f000 r-xp 00000000 08:03 1310737                    /lib64/libgssapi_krb5.so.2.2
7fc2b503f000-7fc2b523f000 ---p 00041000 08:03 1310737                    /lib64/libgssapi_krb5.so.2.2
7fc2b523f000-7fc2b5240000 r--p 00041000 08:03 1310737                    /lib64/libgssapi_krb5.so.2.2
7fc2b5240000-7fc2b5242000 rw-p 00042000 08:03 1310737                    /lib64/libgssapi_krb5.so.2.2
7fc2b5242000-7fc2b5258000 r-xp 00000000 08:03 1310766                    /lib64/libnsl-2.12.so
7fc2b5258000-7fc2b5457000 ---p 00016000 08:03 1310766                    /lib64/libnsl-2.12.so
7fc2b5457000-7fc2b5458000 r--p 00015000 08:03 1310766                    /lib64/libnsl-2.12.so
7fc2b5458000-7fc2b5459000 rw-p 00016000 08:03 1310766                    /lib64/libnsl-2.12.so
7fc2b5459000-7fc2b545b000 rw-p 00000000 00:00 0 
7fc2b545b000-7fc2b545d000 r-xp 00000000 08:03 1310759                    /lib64/libdl-2.12.so
7fc2b545d000-7fc2b565d000 ---p 00002000 08:03 1310759                    /lib64/libdl-2.12.so
7fc2b565d000-7fc2b565e000 r--p 00002000 08:03 1310759                    /lib64/libdl-2.12.so
7fc2b565e000-7fc2b565f000 rw-p 00003000 08:03 1310759                    /lib64/libdl-2.12.so
7fc2b565f000-7fc2b56e2000 r-xp 00000000 08:03 1310763                    /lib64/libm-2.12.so
7fc2b56e2000-7fc2b58e1000 ---p 00083000 08:03 1310763                    /lib64/libm-2.12.so
7fc2b58e1000-7fc2b58e2000 r--p 00082000 08:03 1310763                    /lib64/libm-2.12.so
7fc2b58e2000-7fc2b58e3000 rw-p 00083000 08:03 1310763                    /lib64/libm-2.12.so
7fc2b58e3000-7fc2b58ea000 r-xp 00000000 08:03 1310859                    /lib64/librt-2.12.so
7fc2b58ea000-7fc2b5ae9000 ---p 00007000 08:03 1310859                    /lib64/librt-2.12.so
7fc2b5ae9000-7fc2b5aea000 r--p 00006000 08:03 1310859                    /lib64/librt-2.12.so
7fc2b5aea000-7fc2b5aeb000 rw-p 00007000 08:03 1310859                    /lib64/librt-2.12.so
7fc2b5aeb000-7fc2b5b27000 r-xp 00000000 08:03 918662                     /opt/pcre/lib/libpcre.so.0.0.1
7fc2b5b27000-7fc2b5d26000 ---p 0003c000 08:03 918662                     /opt/pcre/lib/libpcre.so.0.0.1
7fc2b5d26000-7fc2b5d27000 rw-p 0003b000 08:03 918662                     /opt/pcre/lib/libpcre.so.0.0.1
7fc2b5d27000-7fc2b5d66000 r-xp 00000000 08:03 1968266                    /usr/lib64/libjpeg.so.62.0.0
7fc2b5d66000-7fc2b5f66000 ---p 0003f000 08:03 1968266                    /usr/lib64/libjpeg.so.62.0.0
7fc2b5f66000-7fc2b5f67000 rw-p 0003f000 08:03 1968266                    /usr/lib64/libjpeg.so.62.0.0
7fc2b5f67000-7fc2b5f77000 rw-p 00000000 00:00 0 
7fc2b5f77000-7fc2b5f9c000 r-xp 00000000 08:03 1971836                    /usr/lib64/libpng12.so.0.49.0
7fc2b5f9c000-7fc2b619c000 ---p 00025000 08:03 1971836                    /usr/lib64/libpng12.so.0.49.0
7fc2b619c000-7fc2b619d000 rw-p 00025000 08:03 1971836                    /usr/lib64/libpng12.so.0.49.0
7fc2b619d000-7fc2b61ae000 r-xp 00000000 08:03 1973175                    /usr/lib64/libXpm.so.4.11.0
7fc2b61ae000-7fc2b63ad000 ---p 00011000 08:03 1973175                    /usr/lib64/libXpm.so.4.11.0
7fc2b63ad000-7fc2b63ae000 rw-p 00010000 08:03 1973175                    /usr/lib64/libXpm.so.4.11.0
7fc2b63ae000-7fc2b64e5000 r-xp 00000000 08:03 1973165                    /usr/lib64/libX11.so.6.3.0
7fc2b64e5000-7fc2b66e5000 ---p 00137000 08:03 1973165                    /usr/lib64/libX11.so.6.3.0
7fc2b66e5000-7fc2b66eb000 rw-p 00137000 08:03 1973165                    /usr/lib64/libX11.so.6.3.0
7fc2b66eb000-7fc2b66f7000 r-xp 00000000 08:03 1310887                    /lib64/libpam.so.0.82.2
7fc2b66f7000-7fc2b68f7000 ---p 0000c000 08:03 1310887                    /lib64/libpam.so.0.82.2
7fc2b68f7000-7fc2b68f8000 r--p 0000c000 08:03 1310887                    /lib64/libpam.so.0.82.2
7fc2b68f8000-7fc2b68f9000 rw-p 0000d000 08:03 1310887                    /lib64/libpam.so.0.82.2
7fc2b68f9000-7fc2b695a000 r-xp 00000000 08:03 1971669                    /usr/lib64/libssl.so.1.0.1e
7fc2b695a000-7fc2b6b59000 ---p 00061000 08:03 1971669                    /usr/lib64/libssl.so.1.0.1e
7fc2b6b59000-7fc2b6b5d000 r--p 00060000 08:03 1971669                    /usr/lib64/libssl.so.1.0.1e
7fc2b6b5d000-7fc2b6b64000 rw-p 00064000 08:03 1971669                    /usr/lib64/libssl.so.1.0.1e
7fc2b6b64000-7fc2b6d19000 r-xp 00000000 08:03 1971667                    /usr/lib64/libcrypto.so.1.0.1e
7fc2b6d19000-7fc2b6f19000 ---p 001b5000 08:03 1971667                    /usr/lib64/libcrypto.so.1.0.1e
7fc2b6f19000-7fc2b6f34000 r--p 001b5000 08:03 1971667                    /usr/lib64/libcrypto.so.1.0.1e
7fc2b6f34000-7fc2b6f40000 rw-p 001d0000 08:03 1971667                    /usr/lib64/libcrypto.so.1.0.1e
7fc2b6f40000-7fc2b6f44000 rw-p 00000000 00:00 0 
7fc2b6f44000-7fc2b6f4d000 r-xp 00000000 08:03 1972944                    /usr/lib64/libltdl.so.7.2.1
7fc2b6f4d000-7fc2b714c000 ---p 00009000 08:03 1972944                    /usr/lib64/libltdl.so.7.2.1
7fc2b714c000-7fc2b714d000 rw-p 00008000 08:03 1972944                    /usr/lib64/libltdl.so.7.2.1
7fc2b714d000-7fc2b7177000 r-xp 00000000 08:03 919321                     /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fc2b7177000-7fc2b7376000 ---p 0002a000 08:03 919321                     /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fc2b7376000-7fc2b737a000 rw-p 00029000 08:03 919321                     /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fc2b737a000-7fc2b737f000 rw-p 00000000 00:00 0 
7fc2b737f000-7fc2b7386000 r-xp 00000000 08:03 1310755                    /lib64/libcrypt-2.12.so
7fc2b7386000-7fc2b7586000 ---p 00007000 08:03 1310755                    /lib64/libcrypt-2.12.so
7fc2b7586000-7fc2b7587000 r--p 00007000 08:03 1310755                    /lib64/libcrypt-2.12.so
7fc2b7587000-7fc2b7588000 rw-p 00008000 08:03 1310755                    /lib64/libcrypt-2.12.so
7fc2b7588000-7fc2b75b6000 rw-p 00000000 00:00 0 
7fc2b75b6000-7fc2b75d6000 r-xp 00000000 08:03 1310735                    /lib64/ld-2.12.so
7fc2b7628000-7fc2b7779000 rw-p 00000000 00:00 0 
7fc2b77ba000-7fc2b77cb000 rw-p 00000000 00:00 0 
7fc2b77d4000-7fc2b77d5000 rw-p 00000000 00:00 0 
7fc2b77d5000-7fc2b77d6000 r--p 0001f000 08:03 1310735                    /lib64/ld-2.12.so
7fc2b77d6000-7fc2b77d7000 rw-p 00020000 08:03 1310735                    /lib64/ld-2.12.so
7fc2b77d7000-7fc2b77d8000 rw-p 00000000 00:00 0 
7fff42aa1000-7fff42ab6000 rw-p 00000000 00:00 0                          [stack]
7fff42bd9000-7fff42bda000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
I've run multiple scans on all accounts and it found a few issues, but this thing is still happening.
It goes from one account to another account. And it's spreading...

How do I clean it out? If I restored a backup of the accounts, would it fix it?

Thanks.
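The alert quoted above is a per-process report (executable, command line, open connections, memory maps), and reading dozens of them by eye is how the "it keeps coming back" feeling sets in. The Python below is an added example, not part of the post or of any tool it mentions: it parses one such alert into the facts a responder actually needs and lists what to check next. It assumes the section-header layout shown in the post (which matches the email format of ConfigServer's lfd, though the post does not name the sender) and runs on a constructed, shortened copy of the alert in which RFC 5737 documentation addresses replace the real ones.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, shortened copy of the alert quoted in the post. The addresses
# are RFC 5737 documentation addresses, not the ones from the real email.
SAMPLE_ALERT = """\
Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/user/public_html/wp-cron.php


Network connections by the process (if any):

tcp: 192.0.2.10:59257 -> 203.0.113.10:80


Files open by the process (if any):

Memory maps by the process (if any):

00400000-00b02000 r-xp 00000000 08:03 1970214    /usr/bin/php
00d81000-00da3000 rw-p 00000000 00:00 0
7fc2b468d000-7fc2b46e5000 r-xp 00000000 08:03 918799   /opt/curlssl/lib/libcurl.so.4.2.0
7fc2b68f9000-7fc2b695a000 r-xp 00000000 08:03 1971669   /usr/lib64/libssl.so.1.0.1e
7fff42aa1000-7fff42ab6000 rw-p 00000000 00:00 0   [stack]
"""

# A section header is a line of words ending in ':'; the parenthetical hints
# ("(often faked in exploits)", "(if any)") are dropped when the key is built.
SECTION_RE = re.compile(r"^([A-Za-z][^:]*):$")
CONN_RE = re.compile(r"^(tcp|udp)6?:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")
# /proc/<pid>/maps layout: range perms offset dev inode [path]
MAP_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")
# Libraries that give a process the ability to talk to the network or TLS.
NETWORK_LIB_PREFIXES = ("libcurl", "libssl", "libcrypto", "libresolv")


def parse_alert(text: str) -> Dict[str, List[str]]:
    """Split the alert into {section key: non-blank lines under that header}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower().split(" (")[0]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


@dataclass
class Triage:
    executable: str
    argv: List[str]
    script: Optional[str]
    account: Optional[str]
    connections: List[Tuple[str, str, int]]  # (proto, remote host, remote port)
    network_libs: List[str]
    findings: List[str] = field(default_factory=list)


def _first(sections: Dict[str, List[str]], key: str) -> str:
    vals = sections.get(key, [])
    return vals[0] if vals else ""


def triage(text: str) -> Triage:
    """Pull the facts a responder needs out of one alert and note what to check."""
    s = parse_alert(text)
    executable = _first(s, "executable")
    argv = _first(s, "command line").split()
    script = next((a for a in argv[1:] if a.endswith(".php")), None)
    acct = re.search(r"/home/([^/\s]+)/", " ".join(argv))
    account = acct.group(1) if acct else None

    connections = []
    for line in s.get("network connections by the process", []):
        m = CONN_RE.match(line)
        if m:
            connections.append((m.group(1), m.group(4), int(m.group(5))))

    libs = set()
    for line in s.get("memory maps by the process", []):
        m = MAP_RE.match(line)
        if m and m.group(1):
            base = m.group(1).rsplit("/", 1)[-1]
            if base.startswith(NETWORK_LIB_PREFIXES):
                libs.add(base)

    t = Triage(executable, argv, script, account, connections, sorted(libs))
    if argv and argv[0] != executable:
        t.findings.append("argv[0] differs from the executable; the command line may be faked")
    if connections:
        remotes = ", ".join(f"{h}:{p}/{proto}" for proto, h, p in connections)
        t.findings.append(f"outbound connection(s) to {remotes}; identify the owner and compare with known-good traffic")
    if script:
        t.findings.append(f"verify {script} against the upstream release (hash, mtime); the name alone proves nothing, a CMS's own cron script also makes HTTP requests")
    if account:
        t.findings.append(f"search /home/{account}/public_html for recently modified or newly created PHP files")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    print(result.executable, "as", " ".join(result.argv))
    print("connections:", result.connections)
    print("network-capable libraries:", result.network_libs)
    for finding in result.findings:
        print(" -", finding)
```

The two checks worth keeping even without the script are the argv[0]-versus-executable comparison (the alert's own header warns that the command line can be faked) and the account extracted from the script path, since that is where the file-level investigation starts; an alert from every account in turn, as the post describes, is the cue to compare the modified-file lists across accounts rather than cleaning one at a time.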