The Community Forums


Suspicious process running under user

Discussion in 'Security' started by mk2mark, Mar 30, 2015.

  1. mk2mark (Member, cPanel Access Level: Root Administrator)

    Normally I can figure out what these mean, but this one has me stumped. Am I secure?

    Executable:

    /usr/bin/php


    Command Line (often faked in exploits):

    /usr/bin/php /home/apple509/public_html/index.php


    Network connections by the process (if any):

    tcp: {server IP}:50181 -> 157.56.177.100:80


    Files open by the process (if any):



    Memory maps by the process (if any):

    00400000-00d31000 r-xp 00000000 09:03 672524 /usr/bin/php
    00f31000-00ff7000 rw-p 00931000 09:03 672524 /usr/bin/php
    00ff7000-0101a000 rw-p 00000000 00:00 0
    016f3000-04edd000 rw-p 00000000 00:00 0 [heap]
    7f12acdfe000-7f12aceff000 rw-p 00000000 00:00 0
    7f12acfb6000-7f12acfbb000 r-xp 00000000 09:03 3407898 /lib64/libnss_dns-2.12.so
    7f12acfbb000-7f12ad1ba000 ---p 00005000 09:03 3407898 /lib64/libnss_dns-2.12.so
    7f12ad1ba000-7f12ad1bb000 r--p 00004000 09:03 3407898 /lib64/libnss_dns-2.12.so
    7f12ad1bb000-7f12ad1bc000 rw-p 00005000 09:03 3407898 /lib64/libnss_dns-2.12.so
    ....

    The list goes on for quite a bit. Any help much appreciated.
     
    #1 mk2mark, Mar 30, 2015
    Last edited by a moderator: Mar 31, 2015
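    Added example (not from the thread, and not CSF/LFD's own code): a small Python triage script that parses the alert body quoted above into its sections and reports what a responder would look at first. The sample text is the thread's alert with the poster's {server IP} placeholder kept as-is; the heuristics it applies (a web-root script run by the CLI interpreter, an outbound connection to a public address, libnss_dns mapped meaning the process resolved a hostname) and the function names are this example's own assumptions, not LFD's scoring.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the body of the LFD "Suspicious process" alert quoted in
# the thread, with the poster's {server IP} placeholder kept as-is.
SAMPLE_ALERT = """\
Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php /home/apple509/public_html/index.php

Network connections by the process (if any):

tcp: {server IP}:50181 -> 157.56.177.100:80

Files open by the process (if any):

Memory maps by the process (if any):

00400000-00d31000 r-xp 00000000 09:03 672524 /usr/bin/php
016f3000-04edd000 rw-p 00000000 00:00 0 [heap]
7f12acfb6000-7f12acfbb000 r-xp 00000000 09:03 3407898 /lib64/libnss_dns-2.12.so
"""

# Section headers: a known label, an optional parenthetical, then a colon.
SECTION_RE = re.compile(
    r"^(Executable|Command Line|Network connections|Files open|Memory maps)\b.*:\s*$"
)
# "tcp: <local> -> <remote ip>:<port>"; the local side may contain spaces (placeholder).
CONN_RE = re.compile(r"^(?P<proto>tcp|udp):\s*(?P<src>.+?)\s*->\s*(?P<dst>\S+)$")


@dataclass
class Alert:
    executable: str = ""
    command_line: str = ""
    connections: list = field(default_factory=list)  # (proto, local, remote_ip, port)
    open_files: list = field(default_factory=list)
    mapped_files: list = field(default_factory=list)  # file-backed mappings only


def parse_alert(text):
    """Split the alert body into sections and pull out the structured fields."""
    alert, section = Alert(), None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif not line:
            continue
        elif section == "Executable":
            alert.executable = line
        elif section == "Command Line":
            alert.command_line = line
        elif section == "Network connections":
            conn = CONN_RE.match(line)
            if conn:
                ip, port = conn.group("dst").rsplit(":", 1)
                alert.connections.append((conn.group("proto"), conn.group("src"), ip, int(port)))
        elif section == "Files open":
            alert.open_files.append(line)
        elif section == "Memory maps":
            # /proc/<pid>/maps layout: range perms offset dev inode [path]
            fields = line.split(None, 5)
            if len(fields) == 6 and fields[5].startswith("/"):
                alert.mapped_files.append(fields[5])
    return alert


def triage(alert):
    """Observations a responder checks first (heuristics are this example's own)."""
    findings = []
    argv = alert.command_line.split()
    # The alert warns the command line can be faked: compare argv[0] with the Executable field.
    if argv and argv[0].rsplit("/", 1)[-1] != alert.executable.rsplit("/", 1)[-1]:
        findings.append(f"argv[0] {argv[0]} does not match executable {alert.executable}")
    script = next((a for a in argv[1:] if a.endswith(".php")), None)
    if script and "/public_html/" in script:
        findings.append(f"CLI interpreter running a web-root script: {script}")
    for proto, _local, ip, port in alert.connections:
        try:
            if ipaddress.ip_address(ip).is_global:
                findings.append(f"outbound {proto} to public host {ip}:{port}")
        except ValueError:
            pass  # unparsable or placeholder address
    if any("libnss_dns" in path for path in alert.mapped_files):
        findings.append("libnss_dns mapped: the process resolved a hostname before connecting")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_alert(SAMPLE_ALERT)):
        print("-", finding)
```

    Run it as a script to see the findings for the sample, or pass the body of a real alert e-mail to parse_alert. The command line is whatever the process chose to present, so when it disagrees with the Executable field (which comes from /proc rather than from the process's own argument list) the Executable field is the one to trust; the presence of libnss_dns in the maps plus a connection to port 80 is what makes the "index.php fetched something by hostname" reading plausible.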
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member)

    What's going on with the index.php? RSS feed connecting to something Microsoft (157.56.177.100) and timing out, maybe?

    The email is from CSF/LFD.
     
  3. mk2mark (Member, cPanel Access Level: Root Administrator)

    That seems pretty plausible. This is a WordPress site, so index.php is a rabbit trail into other files. What's the easiest way to track the cause?
     
  4. cPanelMichael (Forums Analyst, Staff Member)

    Hello,

    You can find a few threads regarding this alert on the CSF/LFD forums. Here is an example of what to search for on Google:

    Code:
    "Network connections by the process" site:forum.configserver.com
    Thank you.
     