what is ./scan 1.74 user.txt pass 700 in Process Manager

3awh

• June 25, 2022 00:44

Saw this in process manager [ ./scan 1.74 user.txt pass 700 ] What is it?

• 

  cPanelWilliam

  • June 28, 2022 14:13

  Hello! At first glance, that process appears like it could be spawned from a custom script. If the process is still running, you can use a command such as lsof -p PID
  (replace PID with the PID of the process from the process manager) to gather more information about which files the process is using. This can be useful to help track down how the process was spawned.

  0
• 

  3awh

  • June 28, 2022 17:51

  this is partially what I got looks like a bot script lsof -p 1291988 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cip1 1291988 root cwd DIR 253,0 4096 77373 /usr/local/share/. /sx cip1 1291988 root rtd DIR 253,0 4096 128 / cip1 1291988 root txt REG 253,0 38000 738669 /usr/local/share/. /sx/cip1 cip1 1291988 root mem REG 253,0 2089152 67382262 /usr/lib64/libc-2.28.so cip1 1291988 root mem REG 253,0 149976 68686438 /usr/lib64/libpthread-2.28.so cip1 1291988 root mem REG 253,0 1105784 67382244 /usr/lib64/ld-2.28.so cip1 1291988 root 0u CHR 136,2 0t0 5 /dev/pts/2 cip1 1291988 root 1u CHR 136,2 0t0 5 /dev/pts/2 cip1 1291988 root 2u CHR 136,2 0t0 5 /dev/pts/2 cip1 1291988 root 3r REG 253,0 35534860 1354885 /usr/local/share/. /sx/1.74 cip1 1291988 root 4u IPv4 44952156 0t0 TCP jds1.XXXXXXwebhosting.com:55684->s805.sureserver.com:submission (ESTABLISHED) cip1 1291988 root 5u IPv4 44959131 0t0 TCP jds1.XXXXXXwebhosting.com:50392->89.183.238.213.static.cenuta.com:submission (SYN_SENT) cip1 1291988 root 6u IPv4 44956278 0t0 TCP jds1.XXXXXXwebhosting.com:48874->XXXXXXta2.sinc.cl:submission (SYN_SENT) cip1 1291988 root 7u IPv4 44952732 0t0 TCP jds1.XXXXXXwebhosting.com:45112->server1.XXXXXX.la:submission (SYN_SENT) cip1 1291988 root 8u IPv4 44969249 0t0 TCP jds1.XXXXXXwebhosting.com:49636->81.68.xxx.xxx:submission (ESTABLISHED) cip1 1291988 root 9u IPv4 44956292 0t0 TCP jds1.XXXXXXwebhosting.com:60082->argentina30.networktechinternational.com:submission (SYN_SENT) cip1 1291988 root 10u IPv4 44969163 0t0 TCP jds1.XXXXXXwebhosting.com:38972->ns1.XXXXXXahost.com:submission (SYN_SENT) cip1 1291988 root 11u IPv4 44962685 0t0 TCP jds1.XXXXXXwebhosting.com:49494->bluepacific.oceania.com.au:submission (SYN_SENT) cip1 1291988 root 12u IPv4 44955423 0t0 TCP jds1.XXXXXXwebhosting.com:50686->ns7.yourpracticeonline.info:submission (SYN_SENT) cip1 1291988 root 13u IPv4 44969081 0t0 TCP jds1.XXXXXXwebhosting.com:42360->koti03.XXXXXX:submission (SYN_SENT) cip1 1291988 root 14u IPv4 44968357 0t0 TCP jds1.XXXXXXwebhosting.com:33906->XXXXXX.fi:submission (SYN_SENT) cip1 1291988 root 15u IPv4 44957160 0t0 TCP jds1.XXXXXXwebhosting.com:35122->XXXXXX-5.web-hosting.com:submission (SYN_SENT) cip1 1291988 root 16u IPv4 44913373 0t0 TCP jds1.XXXXXXwebhosting.com:38100->mailfront3.XXXXXX.loopia.se:submission (SYN_SENT) cip1 1291988 root 17u IPv4 44958139 0t0 TCP jds1.XXXXXXwebhosting.com:42608->mta-01.webnode.com:submission (SYN_SENT) cip1 1291988 root 18u IPv4 44956335 0t0 TCP jds1.XXXXXXwebhosting.com:38774->mailfront3.XXXXXX.loopia.se:submission (SYN_SENT) cip1 1291988 root 19u IPv4 44956279 0t0 TCP jds1.XXXXXXwebhosting.com:54712->thor.XXXXXX.com.au:submission (SYN_SENT) cip1 1291988 root 20u IPv4 44958143 0t0 TCP jds1.XXXXXXwebhosting.com:54782->XXXXXX.cz:submission (SYN_SENT) cip1 1291988 root 21u IPv4 44962628 0t0 TCP jds1.XXXXXXwebhosting.com:40532->host1.XXXXXX.eu:submission (ESTABLISHED) cip1 1291988 root 22u IPv4 44962463 0t0 TCP jds1.XXXXXXwebhosting.com:52860->posti.XXXXXX.fi:submission (SYN_SENT) cip1 1291988 root 23u IPv4 44962632 0t0 TCP jds1.XXXXXXwebhosting.com:49408->mail2.XXXXXX.com:submission (ESTABLISHED) cip1 1291988 root 24u IPv4 44969166 0t0 TCP jds1.XXXXXXwebhosting.com:45758->rcp-22.controlpanel.si:submission (SYN_SENT) cip1 1291988 root 25u IPv4 44969252 0t0 TCP jds1.XXXXXXwebhosting.com:33584->mta.XXXXXX.cloud:submission (ESTABLISHED) cip1 1291988 root 26u IPv4 44962633 0t0 TCP jds1.XXXXXXwebhosting.com:41588->mta-02.XXXXXX.com:submission (SYN_SENT) cip1 1291988 root 27u IPv4 44968353 0t0 TCP jds1.XXXXXXwebhosting.com:53794->srv25.benzahosting.cl:submission (SYN_SENT) cip1 1291988 root 28u IPv4 44961000 0t0 TCP jds1.XXXXXXwebhosting.com:44148->mail.XXXXXX.it:submission (SYN_SENT) cip1 1291988 root 29u IPv4 44968321 0t0 TCP jds1.XXXXXXwebhosting.com:33760->mail.aussiebroadband.com.au:submission (ESTABLISHED) cip1 1291988 root 30u IPv4 44969261 0t0 TCP jds1.XXXXXXwebhosting.com:34472->posti.XXXXXX:submission (SYN_SENT)

  0
• 

  kennysamuerto

  • June 29, 2022 17:16

  I would say that your server is being used to send spam. It looks like your server is a botnet, connecting to other servers with compromised accounts, and spamming them. I recommend you to check your server.

  0
• 

  3awh

  • June 29, 2022 17:29

  already have a tech cleaning and checking the server and hardening it thanks

  0

Please sign in to leave a comment.