Strange error messages: lfd: Suspicious process running under user
I realize that this is probably a very common WHM/CSF question, but I can't find an answer using search or Google search.
I receive emails from my root account at random times for a particular user who has SpamAssassin enabled (other users do not).
Typical content is shown below. If you are about to tell me how to suppress these messages, I already know. I want to know if I should suppress these messages. A working program should not produce error messages.
If you are about to tell me that CPanel or WHM does not support CSF/LFD, I know that. But neither does anyone else, so far as I can tell. If WHM is going to include the management of CSF, shouldn't this be the right forum?
If you are about to tell me that these messages are produced because the OS or CPanel is automatically updated, I doubt that because I can receive two such messages in one day, and update happens at most once per day.
There are no tools to use to find out what SpamAssassin was doing at the time of the error message, as far as I can tell. This error might be a bug in SpamAssassin; again, hard to believe.
I'm sure many administrators like me get these messages, but there doesn't seem to be a good explanation for why the spamd process should become wedged. Again, a good program should not become wedged. Is this a CSF/LFD bug? This would be hard to believe, since I've seen this for years. Someone reading this should be able to point me to a good and complete discussion, yes?
Thanks in advance for some good information on this.
Typical email message:
David Spector Springtime Software
Subject: lfd: Suspicious process running under user ****
----
Time: Sun Sep 15 04:09:14 2013 -0400
PID: 5268 (Parent PID:20849)
Account: ****
Uptime: 72674 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:44587
udp: :61573 -> :53
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/usr/local/cpanel/3rdparty/perl/514/bin/spamd
/home/asc/.spamassassin/bayes_toks
/home/asc/.spamassassin/bayes_seen
Memory maps by the process (if any):
----
The people responsible for supporting csf/lfd are its developers, ConfigServer. Their forum is at http://forum.configserver.com (ConfigServer Scripts Community Forum). The specific issue is discussed in http://forum.configserver.com/viewtopic.php?f=6&t=2059 (Process Tracking and csf.pignore) and http://forum.configserver.com/viewtopic.php?f=6&t=4626&p=14661&hilit=spamd+child#p14661 (Suspicious process running and Excessive resource usage), as well as others.
Quoting david364:
> If you are about to tell me that CPanel or WHM does not support CSF/LFD, I know that. But neither does anyone else, so far as I can tell. If WHM is going to include the management of CSF, shouldn't this be the right forum?

Hello :) CSF provides an interface for Web Host Manager with its plugin. This is not developed by cPanel/WHM. The posts in the last response should be useful, but you are welcome to make this thread here as well and gather feedback from other users. Thank you.
SpamAssassin often stays running long enough for CSF to see it as a long running process. This is not necessarily a bad thing. On my own systems, I whitelist it in /etc/csf/csf.pignore by adding:
cmd:spamd child
Be sure to restart both CSF and LFD:
/etc/init.d/lfd restart ; csf -r
I got the same error today. Should I worry?
There is nothing to worry about. It's a simple lfd notification. Your perl script took some time to execute; because of that you received that message.
/usr/local/cpanel/3rdparty/perl/514/bin/perl
You can add the above perl script in pignore of csf.
Hi, I'm also getting a lot of emails for all accounts on the server. Here it is a bit different, as it tries to connect to some different IP.
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
gnome-pty-helper
Network connections by the process (if any):
tcp: ***.**.**.**:33078 -> 209.92.176.13:80
Files open by the process (if any):
Memory maps by the process (if any):
That looks pretty suspicious mimran, I'd be investigating that process and remote IP address.
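Added example (not code from the thread or from csf/lfd): a small Python triage of lfd alert bodies in the layout quoted above, applying the two checks the replies rely on before deciding to whitelist: whether the command line matches the executable it is expected to run under (the alert itself notes the command line is often faked) and whether the process talks to anything beyond loopback, which is what made the gnome-pty-helper alert look worth investigating. The KNOWN allow-list and the addresses 192.0.2.10 and 203.0.113.7 are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed lfd alert bodies in the layout quoted in this thread (trimmed to
# the fields triage uses); 192.0.2.10 and 203.0.113.7 are constructed addresses.
BENIGN_ALERT = """\
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:44587
udp: :61573 -> :53
Files open by the process (if any):
/dev/null
"""
SUSPECT_ALERT = """\
Executable: /usr/bin/perl
Command Line (often faked in exploits):
gnome-pty-helper
Network connections by the process (if any):
tcp: 192.0.2.10:33078 -> 203.0.113.7:80
Files open by the process (if any):
"""

SECTIONS = ("Executable", "Command Line", "Network connections", "Files open", "Memory maps")
# Assumed local allow-list (command line -> executables it legitimately runs
# under); this is policy for the example, not anything csf/lfd ships.
KNOWN = {"spamd child": {"/usr/local/cpanel/3rdparty/perl/514/bin/perl"}}

def parse_alert(text):
    """Split an lfd alert into {section: [lines]} using its fixed headers."""
    fields, current = {}, None
    for line in text.splitlines():
        head = next((s for s in SECTIONS if line.startswith(s)), None)
        if head:
            current = head
            rest = line.split(":", 1)[1].strip()   # handles "Executable: /path"
            fields[current] = [rest] if rest else []
        elif current and line.strip():
            fields[current].append(line.strip())
    return fields

def triage(text, known=KNOWN):
    """Reasons an alert deserves a look before its command line is whitelisted."""
    f = parse_alert(text)
    exe = (f.get("Executable") or [""])[0]
    cmd = " ".join(f.get("Command Line", []))
    reasons = []
    if cmd not in known:
        reasons.append(f"no allow-list entry for command line {cmd!r}")
    elif exe not in known[cmd]:
        reasons.append(f"{cmd!r} ran under {exe}, not its expected executable")
    for conn in f.get("Network connections", []):
        # "udp: :61573 -> :53" carries no address and is skipped by the regex
        m = re.match(r"(?:tcp|udp): \S+ -> ([\d.]+):(\d+)$", conn)
        dst = ip_address(m.group(1)) if m else None
        if dst and not (dst.is_loopback or dst.is_unspecified):
            reasons.append(f"connection to non-local {dst}:{m.group(2)}")
    return reasons
```

An empty result is the case the thread treats as safe to add to csf.pignore; a non-empty one is the case to look at before suppressing the notification.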
It looks like someone installed the SUCRACK script for a brute-force su password attack on the system. I have by mistake removed python and the whole server crashed, so now I have to re-install everything from backup; I hope everything will be restored normally. Can anyone suggest how one can install this script when ssh is disabled for all except the root user via su, and only wheel-group users can log in? Please provide some system hardening tips. Thank you.