LFD suspicious processes email

Erik
Junior Member
Posts: 4
Joined: 21 Dec 2006, 18:43


Post by Erik »

hi configserver,

My mailbox is getting flooded with warnings about suspicious processes running on my server. However, this is false; that process is not malicious and is normal...
Time: Thu Jan 11 12:14:43 2007
PID: 27948
Account: ************
Uptime: 67 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php cron.php


Network connections by the process (if any):

udp: 72.36.251.250:33750 -> 72.36.190.2:53 <<-- this is my host nameserver


Files open by the process (if any):

/usr/local/apache/logs/error_log


Memory maps by the process (if any):

00101000-00215000 r-xp 00000000 08:03 12619204 /usr/lib/libmysqlclient.so.15.0.0
00215000-00257000 rwxp 00113000 08:03 12619204 /usr/lib/libmysqlclient.so.15.0.0
00257000-00258000 rwxp 00257000 00:00 0
00258000-00377000 r-xp 00000000 08:03 5079071 /lib/libcrypto.so.0.9.8a
00377000-0038a000 rwxp 0011e000 08:03 5079071 /lib/libcrypto.so.0.9.8a
0038a000-0038d000 rwxp 0038a000 00:00 0
0038d000-0038f000 r-xp 00000000 08:03 13074526 /usr/local/Zend/lib/ZendExtensionManager.so
0038f000-00390000 rwxp 00002000 08:03 13074526 /usr/local/Zend/lib/ZendExtensionManager.so
003d9000-0041d000 r-xp 00000000 08:03 13240765 /usr/local/ioncube/ioncube_loader_lin_4.4.so
0041d000-00422000 rwxp 00043000 08:03 13240765 /usr/local/ioncube/ioncube_loader_lin_4.4.so
00422000-00503000 r-xp 00000000 08:03 13240748 /usr/local/Zend/lib/Optimizer-3.0.1/php-4.4.x/ZendOptimizer.so
00503000-00510000 rwxp 000e1000 08:03 13240748 /usr/local/Zend/lib/Optimizer-3.0.1/php-4.4.x/ZendOptimizer.so
00510000-00514000 rwxp 00510000 00:00 0
0065e000-00677000 r-xp 00000000 08:03 5079102 /lib/ld-2.4.so
00677000-00678000 r-xp 00018000 08:03 5079102 /lib/ld-2.4.so
00678000-00679000 rwxp 00019000 08:03 5079102 /lib/ld-2.4.so
0067b000-007a8000 r-xp 00000000 08:03 5080529 /lib/libc-2.4.so
007a8000-007aa000 r-xp 0012d000 08:03 5080529 /lib/libc-2.4.so
007aa000-007ab000 rwxp 0012f000 08:03 5080529 /lib/libc-2.4.so
007ab000-007ae000 rwxp 007ab000 00:00 0
007b0000-007b2000 r-xp 00000000 08:03 5079261 /lib/libdl-2.4.so
007b2000-007b3000 r-xp 00001000 08:03 5079261 /lib/libdl-2.4.so
007b3000-007b4000 rwxp 00002000 08:03 5079261 /lib/libdl-2.4.so
007b6000-007d9000 r-xp 00000000 08:03 5080533 /lib/libm-2.4.so
007d9000-007da000 r-xp 00022000 08:03 5080533 /lib/libm-2.4.so
007da000-007db000 rwxp 00023000 08:03 5080533 /lib/libm-2.4.so
007dd000-007ef000 r-xp 00000000 08:03 12624814 /usr/lib/libz.so.1.2.3
007ef000-007f0000 rwxp 00011000 08:03 12624814 /usr/lib/libz.so.1.2.3
00808000-00829000 r-xp 00000000 08:03 12619304 /usr/lib/libjpeg.so.62.0.0
00829000-0082a000 rwxp 00020000 08:03 12619304 /usr/lib/libjpeg.so.62.0.0
0082c000-00831000 r-xp 00000000 08:03 12619510 /usr/lib/libXdmcp.so.6.0.0
00831000-00832000 rwxp 00004000 08:03 12619510 /usr/lib/libXdmcp.so.6.0.0
00834000-00836000 r-xp 00000000 08:03 12619516 /usr/lib/libXau.so.6.0.0
00836000-00837000 rwxp 00001000 08:03 12619516 /usr/lib/libXau.so.6.0.0
00839000-00860000 r-xp 00000000 08:03 12622118 /usr/lib/libpng12.so.0.1.2.8
00860000-00861000 rwxp 00026000 08:03 12622118 /usr/lib/libpng12.so.0.1.2.8
00869000-0087b000 r-xp 00000000 08:03 5080526 /lib/libnsl-2.4.so
0087b000-0087c000 r-xp 00011000 08:03 5080526 /lib/libnsl-2.4.so
0087c000-0087d000 rwxp 00012000 08:03 5080526 /lib/libnsl-2.4.so
0087d000-0087f000 rwxp 0087d000 00:00 0
00881000-00886000 r-xp 00000000 08:03 5079272 /lib/libcrypt-2.4.so
00886000-00887000 r-xp 00004000 08:03 5079272 /lib/libcrypt-2.4.so
00887000-00888000 rwxp 00005000 08:03 5079272 /lib/libcrypt-2.4.so
00888000-008af000 rwxp 00888000 00:00 0
008b1000-008e4000 r-xp 00000000 08:03 12621919 /usr/lib/libcurl.so.3.0.0
008e4000-008e5000 rwxp 00032000 08:03 12621919 /usr/lib/libcurl.so.3.0.0
00917000-00918000 r-xp 00917000 00:00 0 [vdso]
009e8000-009f3000 r-xp 00000000 08:03 5079073 /lib/libgcc_s-4.1.1-20060525.so.1
009f3000-009f4000 rwxp 0000a000 08:03 5079073 /lib/libgcc_s-4.1.1-20060525.so.1
009f6000-00ad8000 r-xp 00000000 08:03 12622884 /usr/lib/libstdc++.so.6.0.8
00ad8000-00adc000 r-xp 000e1000 08:03 12622884 /usr/lib/libstdc++.so.6.0.8
00adc000-00add000 rwxp 000e5000 08:03 12622884 /usr/lib/libstdc++.so.6.0.8
00add000-00ae3000 rwxp 00add000 00:00 0
00ae5000-00ae7000 r-xp 00000000 08:03 5079098 /lib/libcom_err.so.2.1
00ae7000-00ae8000 rwxp 00001000 08:03 5079098 /lib/libcom_err.so.2.1
00aea000-00af9000 r-xp 00000000 08:03 5079278 /lib/libresolv-2.4.so
00af9000-00afa000 r-xp 0000e000 08:03 5079278 /lib/libresolv-2.4.so
00afa000-00afb000 rwxp 0000f000 08:03 5079278 /lib/libresolv-2.4.so
00afb000-00afd000 rwxp 00afb000 00:00 0
00aff000-00b23000 r-xp 00000000 08:03 12624227 /usr/lib/libk5crypto.so.3.0
00b23000-00b24000 rwxp 00024000 08:03 12624227 /usr/lib/libk5crypto.so.3.0
00b26000-00b3e000 r-xp 00000000 08:03 12624812 /usr/lib/libgssapi_krb5.so.2.2
00b3e000-00b3f000 rwxp 00017000 08:03 12624812 /usr/lib/libgssapi_krb5.so.2.2
00b41000-00bb4000 r-xp 00000000 08:03 12624808 /usr/lib/libkrb5.so.3.2
00bb4000-00bb6000 rwxp 00073000 08:03 12624808 /usr/lib/libkrb5.so.3.2
00bb8000-00bbb000 r-xp 00000000 08:03 12619211 /usr/lib/libkrb5support.so.0.0
00bbb000-00bbc000 rwxp 00002000 08:03 12619211 /usr/lib/libkrb5support.so.0.0
00bc8000-00c09000 r-xp 00000000 08:03 5079057 /lib/libssl.so.0.9.8a
00c09000-00c0d000 rwxp 00040000 08:03 5079057 /lib/libssl.so.0.9.8a
00c0f000-00c7a000 r-xp 00000000 08:03 12623391 /usr/lib/libfreetype.so.6.3.8
00c7a000-00c7d000 rwxp 0006a000 08:03 12623391 /usr/lib/libfreetype.so.6.3.8
00c9f000-00d98000 r-xp 00000000 08:03 12619584 /usr/lib/libX11.so.6.2.0
00d98000-00d9c000 rwxp 000f9000 08:03 12619584 /usr/lib/libX11.so.6.2.0
00dab000-00dbb000 r-xp 00000000 08:03 12624226 /usr/lib/libXpm.so.4.11.0
00dbb000-00dbc000 rwxp 00010000 08:03 12624226 /usr/lib/libXpm.so.4.11.0
00e41000-00e4a000 r-xp 00000000 08:03 5079080 /lib/libnss_files-2.4.so
00e4a000-00e4b000 r-xp 00008000 08:03 5079080 /lib/libnss_files-2.4.so
00e4b000-00e4c000 rwxp 00009000 08:03 5079080 /lib/libnss_files-2.4.so
00e99000-00e9d000 r-xp 00000000 08:03 5079078 /lib/libnss_dns-2.4.so
00e9d000-00e9e000 r-xp 00003000 08:03 5079078 /lib/libnss_dns-2.4.so
00e9e000-00e9f000 rwxp 00004000 08:03 5079078 /lib/libnss_dns-2.4.so
08048000-081b9000 r-xp 00000000 08:03 12616067 /usr/bin/php
081b9000-081e3000 rw-p 00171000 08:03 12616067 /usr/bin/php
081e3000-081fd000 rw-p 081e3000 00:00 0
085cb000-08b01000 rw-p 085cb000 00:00 0
b7e6c000-b7e81000 rw-p b7e6c000 00:00 0
b7ea9000-b7ebe000 rw-p b7ea9000 00:00 0
b7ee5000-b7efb000 rw-p b7ee5000 00:00 0
b7f23000-b7f2a000 rw-p b7f23000 00:00 0
bfce4000-bfd0e000 rwxp bfce4000 00:00 0 [stack]
bfd0e000-bfd10000 rw-p bfd0e000 00:00 0
What can I do about it?
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

You'd have to whitelist it by adding the following line to csf.pignore:

cwd:/usr/bin/php cron.php
mickalo
Junior Member
Posts: 90
Joined: 12 Dec 2006, 13:53
Location: N.W Iowa

Post by mickalo »

chirpy wrote:You'd have to whitelist it by adding the following line to csf.pignore:

cwd:/usr/bin/php cron.php
Is that cwd or cmd?

Mickalo
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

You're right, it should be cmd:
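As an added example (not part of this thread and not csf's or lfd's own code), the script below parses an lfd alert laid out like the one Erik posted, proposes the narrowest csf.pignore line for it, and checks a candidate pignore line against the parsed process before it is committed to the file. The `cmd:` prefix is the one chirpy confirmed above; `exe:` and `user:` are assumed from the csf.pignore format as the author recalls it, and the exact-string matching and the rejection of unknown prefixes such as `cwd:` are simplifications of this example, not a description of lfd's internals. The sample alert and the account name "webuser" are constructed.

```python
"""Parse an lfd "suspicious process" alert and propose a csf.pignore entry.

Added example, not code from the forum thread or from csf/lfd. The alert
layout (Time/PID/Account/Executable/Command Line headings) mirrors the
message quoted in the thread. Prefixes exe:, user: and cmd: are assumed
from the csf.pignore format; cmd: is the one confirmed in the thread.
Matching here is exact string comparison, an assumption for the example.
"""
import re

# Constructed sample alert, shaped like the one in the thread (account masked there).
SAMPLE_ALERT = """\
Time: Thu Jan 11 12:14:43 2007
PID: 27948
Account: webuser
Uptime: 67 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php cron.php

Network connections by the process (if any):

udp: 72.36.251.250:33750 -> 72.36.190.2:53
"""

# Prefixes this matcher accepts; anything else (for instance "cwd:") is rejected
# so a mistyped line is noticed instead of silently matching nothing.
KNOWN_PREFIXES = ("exe", "user", "cmd")


def parse_alert(text):
    """Return a dict with user, exe and cmd pulled from an lfd alert body."""
    fields = {}
    m = re.search(r"^Account:\s*(.+)$", text, re.M)
    fields["user"] = m.group(1).strip() if m else None
    # Each section body sits on the first non-blank line after its heading.
    for key, heading in (("exe", "Executable:"), ("cmd", "Command Line")):
        m = re.search(re.escape(heading) + r"[^\n]*\n\s*\n([^\n]+)", text)
        fields[key] = m.group(1).strip() if m else None
    return fields


def parse_pignore_line(line):
    """Split 'prefix:value'; raise on a prefix the matcher does not know."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    prefix, sep, value = line.partition(":")
    if not sep or prefix not in KNOWN_PREFIXES:
        raise ValueError("unrecognised csf.pignore prefix %r in %r" % (prefix, line))
    return prefix, value


def is_ignored(fields, pignore_lines):
    """True if any pignore line matches the parsed process fields exactly."""
    for line in pignore_lines:
        parsed = parse_pignore_line(line)
        if parsed and fields.get(parsed[0]) == parsed[1]:
            return True
    return False


def suggest_entry(fields):
    """Prefer the full command line over the bare interpreter path.

    An exe:/usr/bin/php line would silence alerts for every php process on
    the box, including ones that are not the cron job, so cmd: is narrower.
    Note the alert's own caveat: a command line can be faked by a process.
    """
    if fields.get("cmd"):
        return "cmd:" + fields["cmd"]
    return "exe:" + fields["exe"]


if __name__ == "__main__":
    f = parse_alert(SAMPLE_ALERT)
    print("suggested:", suggest_entry(f))
    print("matches:", is_ignored(f, [suggest_entry(f)]))
    try:
        is_ignored(f, ["cwd:/usr/bin/php cron.php"])
    except ValueError as err:
        print("rejected:", err)
```

Run it against a saved alert body in place of SAMPLE_ALERT to see which existing csf.pignore lines would cover the process before adding a new one; the deliberately strict prefix check is what makes a typo like `cwd:` show up as an error rather than as a line that never matches.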