Strange error messages: lfd: Suspicious process running under user

Comments

8 comments

  • ThinIce
    The people responsible for supporting csf/lfd are its developers, ConfigServer. Their forum is at http://forum.configserver.com (ConfigServer Scripts Community Forum). The specific issue is referred to in http://forum.configserver.com/viewtopic.php?f=6&t=2059 (Process Tracking and csf.pignore) and http://forum.configserver.com/viewtopic.php?f=6&t=4626&p=14661&hilit=spamd+child#p14661 (Suspicious process running and Excessive resource usage), as well as others.
    0
  • cPanelMichael
    Quoting david364 (post 1462241): "If you are about to tell me that cPanel or WHM does not support CSF/LFD, I know that. But neither does anyone else, so far as I can tell. If WHM is going to include the management of CSF, shouldn't this be the right forum?"
    Hello :) CSF provides an interface for Web Host Manager with its plugin. This is not developed by cPanel/WHM. The posts in the last response should be useful, but you are welcome to make this thread here as well and gather feedback from other users. Thank you.
    0
  • quizknows
    SpamAssassin often stays running long enough for CSF to see it as a long running process. This is not necessarily a bad thing. On my own systems, I whitelist it in /etc/csf/csf.pignore by adding: cmd:spamd child
    Be sure to restart both CSF and LFD: /etc/init.d/lfd restart ; csf -r
    0
  • webservers
    I got same error today. Should I worry?
    0
  • 24x7ss
    There is nothing to worry about. It's a simple lfd notification. Your perl script took some time to execute, and because of that you received that message: /usr/local/cpanel/3rdparty/perl/514/bin/perl. You can add the above perl script in the pignore of csf.
    0
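The two replies above both come down to the same edit: add a line to /etc/csf/csf.pignore (cmd:spamd child for SpamAssassin, or an exe: line for the perl binary) and then restart lfd and csf. The following helper is an added example, not code from the thread or from ConfigServer: it validates the entry prefix, skips lines that are already present so repeated runs do not pile up duplicates, and preserves comments in the file. The sample file it edits is constructed in a temp directory; the restart commands are the ones quizknows gives and are only printed, not executed.

```python
import os
import tempfile

# Entry prefixes accepted by /etc/csf/csf.pignore. exe:, cmd: and user: are the
# forms used in the posts above; pexe:, pcmd: and puser: take a Perl regex.
VALID_PREFIXES = ("exe:", "cmd:", "user:", "pexe:", "pcmd:", "puser:")

# Commands the posts give for reloading after the edit (run on the server, not here).
RESTART_COMMANDS = ["/etc/init.d/lfd restart", "csf -r"]


def is_valid_entry(entry):
    """True if the line has a recognised csf.pignore prefix and a non-empty value."""
    return entry.startswith(VALID_PREFIXES) and len(entry.split(":", 1)[1].strip()) > 0


def add_pignore_entries(pignore_path, entries):
    """Append each entry to the pignore file unless an identical line is already
    there. Comments and blank lines are preserved. Returns the lines actually added."""
    for entry in entries:
        if not is_valid_entry(entry):
            raise ValueError("not a valid csf.pignore entry: %r" % entry)
    content = ""
    if os.path.exists(pignore_path):
        with open(pignore_path) as fh:
            content = fh.read()
    existing = {line.strip() for line in content.splitlines()
                if line.strip() and not line.lstrip().startswith("#")}
    added = []
    for entry in entries:
        if entry in existing:
            continue            # already whitelisted (or duplicated in the input)
        existing.add(entry)
        added.append(entry)
    if added:
        if content and not content.endswith("\n"):
            content += "\n"     # do not glue the first new entry onto the last old line
        content += "".join(e + "\n" for e in added)
        with open(pignore_path, "w") as fh:
            fh.write(content)
    return added


def demo():
    """Exercise the helper on a constructed pignore file in a temp directory
    (sample data, not a real server's csf.pignore)."""
    path = os.path.join(tempfile.mkdtemp(), "csf.pignore")
    with open(path, "w") as fh:
        fh.write("# constructed sample csf.pignore\nexe:/usr/sbin/sshd")  # no trailing newline on purpose
    first = add_pignore_entries(path, [
        "cmd:spamd child",                                   # quizknows' entry
        "exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl",  # the perl binary 24x7ss names
        "cmd:spamd child",                                   # duplicate, must be skipped
    ])
    second = add_pignore_entries(path, ["cmd:spamd child"])  # re-run is a no-op
    with open(path) as fh:
        lines = [line.rstrip("\n") for line in fh]
    return first, second, lines


if __name__ == "__main__":
    print(demo())
    print("then run:", " ; ".join(RESTART_COMMANDS))
```

One thing to weigh before adopting the exe: form from the second reply: an exe: line for the perl interpreter silences lfd for every process running under that binary, including one like the renamed perl process mimran reports further down. A cmd: entry for the specific command line (or a pcmd: regex for a known script path) keeps the alert for anything else perl happens to be running.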
  • mimran
    Hi, I'm also getting a lot of emails for all accounts on the server. Here it is a bit different, as it tries to connect to some different IP.
    Executable: /usr/bin/perl
    Command Line (often faked in exploits): gnome-pty-helper
    Network connections by the process (if any):
    tcp: ***.**.**.**:33078 -> 209.92.176.13:80
    Files open by the process (if any):
    Memory maps by the process (if any):
    00110000-00118000 r-xp 00000000 08:08 1537102 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00118000-00119000 rw-p 00008000 08:08 1537102 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00398000-00399000 r-xp 00398000 00:00 0 [vdso]
    00bfd000-00c01000 r-xp 00000000 08:08 1522375 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    00c01000-00c02000 rw-p 00003000 08:08 1522375 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    00c9d000-00cae000 r-xp 00000000 08:02 164170 /lib/libresolv-2.5.so
    00cae000-00caf000 r--p 00010000 08:02 164170 /lib/libresolv-2.5.so
    00caf000-00cb0000 rw-p 00011000 08:02 164170 /lib/libresolv-2.5.so
    00cb0000-00cb2000 rw-p 00cb0000 00:00 0
    03313000-03315000 r-xp 00000000 08:02 164173 /lib/libutil-2.5.so
    03315000-03316000 r--p 00001000 08:02 164173 /lib/libutil-2.5.so
    03316000-03317000 rw-p 00002000 08:02 164173 /lib/libutil-2.5.so
    08048000-0804b000 r-xp 00000000 08:08 1668730 /usr/bin/perl
    0804b000-0804c000 rw-p 00002000 08:08 1668730 /usr/bin/perl
    08502000-08711000 rw-p 08502000 00:00 0 [heap]
    b7f82000-b7fa6000 rw-p b7f82000 00:00 0
    b7fb0000-b7fb1000 rw-p b7fb0000 00:00 0
    bfcae000-bfcc3000 rw-p bffe9000 00:00 0 [stack]
    0
  • quizknows
    That looks pretty suspicious mimran, I'd be investigating that process and remote IP address.
    0
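What makes mimran's report different from the spamd and cron cases earlier in the thread is visible in two fields lfd prints: the executable is /usr/bin/perl but the command line claims to be gnome-pty-helper (the report's own "often faked in exploits" warning), and the process holds an outbound TCP connection. The script below is an added example, not part of the thread or of csf/lfd: it parses the notification body into those fields and returns the indicators that should move a notice from "whitelist it" to "investigate it". Both report texts are constructed samples modelled on the fields quoted above, with documentation-range addresses rather than the ones in the original post.

```python
import os
import re

# Constructed sample modelled on the lfd report fields quoted above. The
# addresses are documentation ranges, not the ones from the original post.
SUSPICIOUS_REPORT = """\
Executable: /usr/bin/perl
Command Line (often faked in exploits): gnome-pty-helper
Network connections by the process (if any):
tcp: 192.0.2.10:33078 -> 203.0.113.5:80
Files open by the process (if any):
Memory maps by the process (if any):
08048000-0804b000 r-xp 00000000 08:08 1668730 /usr/bin/perl
"""

# A constructed benign report for comparison: a cron job run by the interpreter it names.
BENIGN_REPORT = """\
Executable: /usr/bin/php
Command Line (often faked in exploits): /usr/bin/php /home/example/cron.php
Network connections by the process (if any):
Files open by the process (if any):
/home/example/cron.log
Memory maps by the process (if any):
"""

CONN_RE = re.compile(r"^(tcp|udp):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_lfd_report(text):
    """Pull the executable, command line and connection list out of an lfd
    'Suspicious process' notification body."""
    report = {"executable": "", "command_line": "", "connections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Executable:"):
            report["executable"] = line.split(":", 1)[1].strip()
        elif line.startswith("Command Line"):
            report["command_line"] = line.split("):", 1)[1].strip()
        elif line.startswith("Network connections"):
            section = "net"
        elif line.endswith("(if any):"):
            section = None          # "Files open" / "Memory maps": not needed here
        elif section == "net":
            m = CONN_RE.match(line)
            if m:
                report["connections"].append({
                    "proto": m.group(1),
                    "local": "%s:%s" % (m.group(2), m.group(3)),
                    "remote": "%s:%s" % (m.group(4), m.group(5)),
                })
    return report


def remote_endpoints(report):
    """Remote ip:port pairs the process had open, loopback excluded."""
    return [c["remote"] for c in report["connections"]
            if not c["remote"].startswith(("127.", "::1:", "localhost:"))]


def triage(report):
    """Return the indicators worth a human look. An argv[0] that does not name
    the real executable is the classic sign of a renamed process; any
    non-loopback connection is reported as well."""
    findings = []
    exe_base = os.path.basename(report["executable"])
    argv = report["command_line"].split()
    argv0 = os.path.basename(argv[0]) if argv else ""
    if exe_base and argv0 and argv0 != exe_base:
        findings.append("argv0_mismatch")
    if remote_endpoints(report):
        findings.append("outbound_connection")
    return findings


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_REPORT), ("benign", BENIGN_REPORT)):
        r = parse_lfd_report(text)
        print(name, r["executable"], "argv0=%r" % r["command_line"], triage(r), remote_endpoints(r))
```

The argv0_mismatch check is deliberately blunt: a daemon that sets its own process title (spamd child is exactly this, a perl process named "spamd") and a script started through its #! line both trip it. That is not a flaw in the check so much as the reason csf.pignore exists: known-benign mismatches get an entry there, and what remains (an unfamiliar name on a system perl, plus a connection to an address nobody on the box can account for) is the case quizknows is telling mimran to chase.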
  • mimran
    It looks like someone installed the SUCRACK script for a brute-force su password attack on the system. I have by mistake removed python and the whole server crashed; now I have to re-install everything from backup. I hope everything will be restored normally. Can anyone suggest how one can install this script when ssh is disabled for all except the root user via su, and only wheel-group users can log in? Please provide some system hardening tips. Thank you.
    0