Skip to main content

lfd reporting Suspicious process running under user

texas90
I am getting plenty of these reports from lfd. I don't know what they mean. Can anybody tell me what they mean? Thanks
Time: Fri Aug 21 13:21:47 2015 +0000 PID: 660804 (Parent PID:464171) Account: accountname Uptime: 87 seconds Executable: /usr/selector/php Command Line (often faked in exploits): /usr/bin/php Network connections by the process (if any): tcp: serverIP:58966 -> 208.78.70.28:25 tcp: serverIP:43553 -> 68.180.130.15:25 tcp: serverIP:58743 -> 216.239.34.10:25 tcp: serverIP:58535 -> 192.162.217.4:25 tcp: serverIP:43697 -> 193.252.22.65:25 tcp: serverIP:53717 -> 207.46.163.215:25 Files open by the process (if any): Memory maps by the process (if any): 00400000-00d52000 r-xp 00000000 08:03 5520411 /usr/selector/php 00f51000-01018000 rw-p 00951000 08:03 5520411 /usr/selector/php 01018000-0103c000 rw-p 00000000 00:00 002320000-025f6000 rw-p 00000000 00:00 0 [heap] 7f28e8000000-7f28e8021000 rw-p 00000000 00:00 0 7f28e8021000-7f28ec000000 ---p 00000000 00:00 0 7f28ee52f000-7f28ee778000 rw-p 00000000 00:00 0 7f28ee779000-7f28ee785000 r-xp 00000000 08:03 40370579 /lib64/libnss_files-2.12.so 7f28ee785000-7f28ee985000 ---p 0000c000 08:03 40370579 /lib64/libnss_files-2.12.so 7f28ee985000-7f28ee986000 r--p 0000c000 08:03 40370579 /lib64/libnss_files-2.12.so 7f28ee986000-7f28ee987000 rw-p 0000d000 08:03 40370579 /lib64/libnss_files-2.12.so 7f28ee987000-7f28ee99d000 r-xp 00000000 08:03 40370982 /lib64/libgcc_s-4.4.7- 20120601.so.1 7f28ee99d000-7f28eeb9c000 ---p 00016000 08:03 40370982 /lib64/libgcc_s-4.4.7-20120601.so.1 7f28eeb9c000-7f28eeb9d000 rw-p 00015000 08:03 40370982 /lib64/libgcc_s-4.4.7-20120601.so.1 7f28eeb9d000-7f28eeb9e000 ---p 00000000 00:00 0 7f28eeb9e000-7f28ef59e000 rwxp 00000000 00:00 0 7f28ef59e000-7f28ef5a4000 r-xp 00000000 08:03 5261057 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so 7f28ef5a4000-7f28ef7a4000 ---p 00006000 08:03 5261057 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so 7f28ef7a4000-7f28ef7a5000 rw-p 00006000 08:03 5261057 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so 7f28ef7a5000-7f28ef85d000 r-xp 00000000 08:03 5261058 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so 7f28ef85d000-7f28efa5c000 ---p 000b8000 08:03 5261058 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so 7f28efa5c000-7f28efa61000 rw-p 000b7000 08:03 5261058 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so 7f28efa61000-7f28efa77000 r-xp 00000000 08:03 5261056 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so 7f28efa77000-7f28efc77000 ---p 00016000 08:03 5261056 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so 7f28efc77000-7f28efc7a000 rw-p 00016000 08:03 5261056 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so 7f28efc7a000-7f28efd61000 r-xp 00000000 08:03 5520414 /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so 7f28efd61000-7f28efe60000 ---p 000e7000 08:03 5520414 /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so 7f28efe60000-7f28efe7d000 rw-p 000e6000 08:03 5520414 /usr/local/Zend/lib/Guard-6.0.0/php-5.4.x/ZendGuardLoader.so 7f28efe7d000-7f28efe81000 rw-p 00000000 00:00 0 7f28efe81000-7f28eff91000 r-xp 00000000 08:03 5520415 /usr/local/IonCube/ioncube_loader_lin_5.4.so 7f28eff91000-7f28f0090000 ---p 00110000 08:03 5520415 /usr/local/IonCube/ioncube_loader_lin_5.4.so 7f28f0090000-7f28f00a0000 rw-p 0010f000 08:03 5520415 /usr/local/IonCube/ioncube_loader_lin_5.4.so 7f28f00a0000-7f28f023d000 rw-p 00000000 00:00 0 7f28f023d000-7f28f038d000 r-xp 00000000 08:03 46924033 /opt/xml2/lib/libxml2.so.2.9.2 7f28f038d000-7f28f058c000 ---p 00150000 08:03 46924033 /opt/xml2/lib/libxml2.so.2.9.2 7f28f058c000-7f28f0596000 rw-p 0014f000 08:03 46924033 /opt/xml2/lib/libxml2.so.2.9.2 7f28f0596000-7f28f0598000 rw-p 00000000 00:00 0 7f28f0598000-7f28f05f5000 r-xp 00000000 08:03 46924302 /opt/curlssl/lib/libcurl.so.4.3.0 7f28f05f5000-7f28f07f4000 ---p 0005d000 08:03 46924302 /opt/curlssl/lib/libcurl.so.4.3.0 7f28f07f4000-7f28f07f7000 rw-p 0005c000 08:03 46924302 /opt/curlssl/lib/libcurl.so.4.3.0 7f28f07f7000-7f28f07fa000 rw-p 00000000 00:00 0 7f28f07fa000-7f28f083c000 r-xp 00000000 08:03 46923781 /opt/pcre/lib/libpcre.so.1.2.4 7f28f083c000-7f28f0a3c000 ---p 00042000 08:03 46923781 /opt/pcre/lib/libpcre.so.1.2.4 7f28f0a3c000-7f28f0a3d000 rw-p 00042000 08:03 46923781 /opt/pcre/lib/libpcre.so.1.2.4 7f28f0a3d000-7f28f0a41000 rw-p 00000000 00:00 0 7f28f0a41000-7f28f0a6b000 r-xp 00000000 08:03 46924686 /opt/libmcrypt/lib/libmcrypt.so.4.4.8 7f28f0a6b000-7f28f0c6a000 ---p 0002a000 08:03 46924686 /opt/libmcrypt/lib/libmcrypt.so.4.4.8 7f28f0c6a000-7f28f0c6e000 rw-p 00029000 08:03 46924686 /opt/libmcrypt/lib/libmcrypt.so.4.4.8 7f28f0c6e000-7f28f0c74000 rw-p 00000000 00:00 0 7f28f0c7e000-7f28f0c7f000 rw-p 00000000 00:00 0 7fff8455a000-7fff8456d000 rwxp 00000000 00:00 0 [stack] 7fff8456d000-7fff8456f000 rw-p 00000000 00:00 0 7fff845fe000-7fff84600000 r-xp 00000000 00:00 0 [vdso]

Comments

3 comments

Date Votes
  • Infopro
    You might want to take a closer look at that account. It seems to be attempting to connect to multiple mail servers, I think. Note the port mentioned :25
    Network connections by the process (if any): tcp: serverIP:58966 -> 208.78.70.28:25 tcp: serverIP:43553 -> 68.180.130.15:25 tcp: serverIP:58743 -> 216.239.34.10:25 tcp: serverIP:58535 -> 192.162.217.4:25 tcp: serverIP:43697 -> 193.252.22.65:25 tcp: serverIP:53717 -> 207.46.163.215:25
    0
  • texas90
    Why would an account want to connect to a remote mail server?
    0
  • Infopro
    No clue. Spamming?
    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post