
LFD suspicious processes email

Posted: 11 Jan 2007, 18:33
by Erik
Hi configserver,

My mailbox is getting flooded with warnings about suspicious processes running on my server. However, this is a false alarm; that process is not malicious and is normal...
Time: Thu Jan 11 12:14:43 2007
PID: 27948
Account: ************
Uptime: 67 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php cron.php


Network connections by the process (if any):

udp: 72.36.251.250:33750 -> 72.36.190.2:53 <<-- this is my host's nameserver


Files open by the process (if any):

/usr/local/apache/logs/error_log


Memory maps by the process (if any):

00101000-00215000 r-xp 00000000 08:03 12619204 /usr/lib/libmysqlclient.so.15.0.0
00215000-00257000 rwxp 00113000 08:03 12619204 /usr/lib/libmysqlclient.so.15.0.0
00257000-00258000 rwxp 00257000 00:00 0
00258000-00377000 r-xp 00000000 08:03 5079071 /lib/libcrypto.so.0.9.8a
00377000-0038a000 rwxp 0011e000 08:03 5079071 /lib/libcrypto.so.0.9.8a
0038a000-0038d000 rwxp 0038a000 00:00 0
0038d000-0038f000 r-xp 00000000 08:03 13074526 /usr/local/Zend/lib/ZendExtensionManager.so
0038f000-00390000 rwxp 00002000 08:03 13074526 /usr/local/Zend/lib/ZendExtensionManager.so
003d9000-0041d000 r-xp 00000000 08:03 13240765 /usr/local/ioncube/ioncube_loader_lin_4.4.so
0041d000-00422000 rwxp 00043000 08:03 13240765 /usr/local/ioncube/ioncube_loader_lin_4.4.so
00422000-00503000 r-xp 00000000 08:03 13240748 /usr/local/Zend/lib/Optimizer-3.0.1/php-4.4.x/ZendOptimizer.so
00503000-00510000 rwxp 000e1000 08:03 13240748 /usr/local/Zend/lib/Optimizer-3.0.1/php-4.4.x/ZendOptimizer.so
00510000-00514000 rwxp 00510000 00:00 0
0065e000-00677000 r-xp 00000000 08:03 5079102 /lib/ld-2.4.so
00677000-00678000 r-xp 00018000 08:03 5079102 /lib/ld-2.4.so
00678000-00679000 rwxp 00019000 08:03 5079102 /lib/ld-2.4.so
0067b000-007a8000 r-xp 00000000 08:03 5080529 /lib/libc-2.4.so
007a8000-007aa000 r-xp 0012d000 08:03 5080529 /lib/libc-2.4.so
007aa000-007ab000 rwxp 0012f000 08:03 5080529 /lib/libc-2.4.so
007ab000-007ae000 rwxp 007ab000 00:00 0
007b0000-007b2000 r-xp 00000000 08:03 5079261 /lib/libdl-2.4.so
007b2000-007b3000 r-xp 00001000 08:03 5079261 /lib/libdl-2.4.so
007b3000-007b4000 rwxp 00002000 08:03 5079261 /lib/libdl-2.4.so
007b6000-007d9000 r-xp 00000000 08:03 5080533 /lib/libm-2.4.so
007d9000-007da000 r-xp 00022000 08:03 5080533 /lib/libm-2.4.so
007da000-007db000 rwxp 00023000 08:03 5080533 /lib/libm-2.4.so
007dd000-007ef000 r-xp 00000000 08:03 12624814 /usr/lib/libz.so.1.2.3
007ef000-007f0000 rwxp 00011000 08:03 12624814 /usr/lib/libz.so.1.2.3
00808000-00829000 r-xp 00000000 08:03 12619304 /usr/lib/libjpeg.so.62.0.0
00829000-0082a000 rwxp 00020000 08:03 12619304 /usr/lib/libjpeg.so.62.0.0
0082c000-00831000 r-xp 00000000 08:03 12619510 /usr/lib/libXdmcp.so.6.0.0
00831000-00832000 rwxp 00004000 08:03 12619510 /usr/lib/libXdmcp.so.6.0.0
00834000-00836000 r-xp 00000000 08:03 12619516 /usr/lib/libXau.so.6.0.0
00836000-00837000 rwxp 00001000 08:03 12619516 /usr/lib/libXau.so.6.0.0
00839000-00860000 r-xp 00000000 08:03 12622118 /usr/lib/libpng12.so.0.1.2.8
00860000-00861000 rwxp 00026000 08:03 12622118 /usr/lib/libpng12.so.0.1.2.8
00869000-0087b000 r-xp 00000000 08:03 5080526 /lib/libnsl-2.4.so
0087b000-0087c000 r-xp 00011000 08:03 5080526 /lib/libnsl-2.4.so
0087c000-0087d000 rwxp 00012000 08:03 5080526 /lib/libnsl-2.4.so
0087d000-0087f000 rwxp 0087d000 00:00 0
00881000-00886000 r-xp 00000000 08:03 5079272 /lib/libcrypt-2.4.so
00886000-00887000 r-xp 00004000 08:03 5079272 /lib/libcrypt-2.4.so
00887000-00888000 rwxp 00005000 08:03 5079272 /lib/libcrypt-2.4.so
00888000-008af000 rwxp 00888000 00:00 0
008b1000-008e4000 r-xp 00000000 08:03 12621919 /usr/lib/libcurl.so.3.0.0
008e4000-008e5000 rwxp 00032000 08:03 12621919 /usr/lib/libcurl.so.3.0.0
00917000-00918000 r-xp 00917000 00:00 0 [vdso]
009e8000-009f3000 r-xp 00000000 08:03 5079073 /lib/libgcc_s-4.1.1-20060525.so.1
009f3000-009f4000 rwxp 0000a000 08:03 5079073 /lib/libgcc_s-4.1.1-20060525.so.1
009f6000-00ad8000 r-xp 00000000 08:03 12622884 /usr/lib/libstdc++.so.6.0.8
00ad8000-00adc000 r-xp 000e1000 08:03 12622884 /usr/lib/libstdc++.so.6.0.8
00adc000-00add000 rwxp 000e5000 08:03 12622884 /usr/lib/libstdc++.so.6.0.8
00add000-00ae3000 rwxp 00add000 00:00 0
00ae5000-00ae7000 r-xp 00000000 08:03 5079098 /lib/libcom_err.so.2.1
00ae7000-00ae8000 rwxp 00001000 08:03 5079098 /lib/libcom_err.so.2.1
00aea000-00af9000 r-xp 00000000 08:03 5079278 /lib/libresolv-2.4.so
00af9000-00afa000 r-xp 0000e000 08:03 5079278 /lib/libresolv-2.4.so
00afa000-00afb000 rwxp 0000f000 08:03 5079278 /lib/libresolv-2.4.so
00afb000-00afd000 rwxp 00afb000 00:00 0
00aff000-00b23000 r-xp 00000000 08:03 12624227 /usr/lib/libk5crypto.so.3.0
00b23000-00b24000 rwxp 00024000 08:03 12624227 /usr/lib/libk5crypto.so.3.0
00b26000-00b3e000 r-xp 00000000 08:03 12624812 /usr/lib/libgssapi_krb5.so.2.2
00b3e000-00b3f000 rwxp 00017000 08:03 12624812 /usr/lib/libgssapi_krb5.so.2.2
00b41000-00bb4000 r-xp 00000000 08:03 12624808 /usr/lib/libkrb5.so.3.2
00bb4000-00bb6000 rwxp 00073000 08:03 12624808 /usr/lib/libkrb5.so.3.2
00bb8000-00bbb000 r-xp 00000000 08:03 12619211 /usr/lib/libkrb5support.so.0.0
00bbb000-00bbc000 rwxp 00002000 08:03 12619211 /usr/lib/libkrb5support.so.0.0
00bc8000-00c09000 r-xp 00000000 08:03 5079057 /lib/libssl.so.0.9.8a
00c09000-00c0d000 rwxp 00040000 08:03 5079057 /lib/libssl.so.0.9.8a
00c0f000-00c7a000 r-xp 00000000 08:03 12623391 /usr/lib/libfreetype.so.6.3.8
00c7a000-00c7d000 rwxp 0006a000 08:03 12623391 /usr/lib/libfreetype.so.6.3.8
00c9f000-00d98000 r-xp 00000000 08:03 12619584 /usr/lib/libX11.so.6.2.0
00d98000-00d9c000 rwxp 000f9000 08:03 12619584 /usr/lib/libX11.so.6.2.0
00dab000-00dbb000 r-xp 00000000 08:03 12624226 /usr/lib/libXpm.so.4.11.0
00dbb000-00dbc000 rwxp 00010000 08:03 12624226 /usr/lib/libXpm.so.4.11.0
00e41000-00e4a000 r-xp 00000000 08:03 5079080 /lib/libnss_files-2.4.so
00e4a000-00e4b000 r-xp 00008000 08:03 5079080 /lib/libnss_files-2.4.so
00e4b000-00e4c000 rwxp 00009000 08:03 5079080 /lib/libnss_files-2.4.so
00e99000-00e9d000 r-xp 00000000 08:03 5079078 /lib/libnss_dns-2.4.so
00e9d000-00e9e000 r-xp 00003000 08:03 5079078 /lib/libnss_dns-2.4.so
00e9e000-00e9f000 rwxp 00004000 08:03 5079078 /lib/libnss_dns-2.4.so
08048000-081b9000 r-xp 00000000 08:03 12616067 /usr/bin/php
081b9000-081e3000 rw-p 00171000 08:03 12616067 /usr/bin/php
081e3000-081fd000 rw-p 081e3000 00:00 0
085cb000-08b01000 rw-p 085cb000 00:00 0
b7e6c000-b7e81000 rw-p b7e6c000 00:00 0
b7ea9000-b7ebe000 rw-p b7ea9000 00:00 0
b7ee5000-b7efb000 rw-p b7ee5000 00:00 0
b7f23000-b7f2a000 rw-p b7f23000 00:00 0
bfce4000-bfd0e000 rwxp bfce4000 00:00 0 [stack]
bfd0e000-bfd10000 rw-p bfd0e000 00:00 0
What can I do about it?

Posted: 11 Jan 2007, 22:00
by chirpy
You'd have to whitelist it by adding the following line to csf.pignore:

cwd:/usr/bin/php cron.php

Posted: 11 Jan 2007, 22:21
by mickalo
chirpy wrote: You'd have to whitelist it by adding the following line to csf.pignore:

cwd:/usr/bin/php cron.php

Is that cwd or cmd?

Mickalo

Posted: 11 Jan 2007, 23:04
by chirpy
You're right, it should be cmd:
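An added example to go with the fix above; it is not code from csf/lfd or from anyone in this thread. The script parses the alert format Erik pasted (a trimmed copy, with the masked account name and the working directory replaced by made-up values) and tests csf.pignore-style lines against it, so you can see why the "cwd:" line never matches this process while "cmd:" does. The rule matching is a deliberately simplified stand-in for what lfd does (exe:, user:, cmd:, cwd: compared exactly; the p-prefixed keys treated as regexes), so check the comments in your own csf.pignore for the authoritative syntax before relying on it.

```python
"""Parse an lfd "Suspicious process" alert and test csf.pignore-style rules against it.

Added example, not csf/lfd code. Rule semantics are a simplified imitation:
exe:/user:/cmd:/cwd: are exact string matches, pexe:/puser:/pcmd:/pcwd: are
regexes (assumed). Rules are independent; any one matching line is enough.
"""
import re
from dataclasses import dataclass

# Constructed copy of the alert format from the post, memory maps omitted.
# Account name and working directory are made up (the post masked them).
ALERT = """\
Time: Thu Jan 11 12:14:43 2007
PID: 27948
Account: webuser
Uptime: 67 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php cron.php


Network connections by the process (if any):

udp: 72.36.251.250:33750 -> 72.36.190.2:53
"""
CWD = "/home/webuser/public_html"  # assumed working directory of PID 27948


@dataclass
class Alert:
    pid: int
    account: str
    exe: str
    cmd: str


def _field(text: str, label: str) -> str:
    """Return the first non-blank line after a header such as 'Executable:'."""
    m = re.search("^" + re.escape(label) + r"\n+(\S.*)$", text, re.M)
    if not m:
        raise ValueError(f"alert lacks section {label!r}")
    return m.group(1).strip()


def parse_alert(text: str) -> Alert:
    pid = int(re.search(r"^PID:\s*(\d+)", text, re.M).group(1))
    account = re.search(r"^Account:\s*(\S+)", text, re.M).group(1)
    return Alert(
        pid=pid,
        account=account,
        exe=_field(text, "Executable:"),
        cmd=_field(text, "Command Line (often faked in exploits):"),
    )


def load_rules(pignore_text: str) -> list:
    """Drop comments and blank lines from csf.pignore-style text."""
    rules = []
    for line in pignore_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(line)
    return rules


def rule_matches(rule: str, alert: Alert, cwd: str) -> bool:
    key, sep, value = rule.partition(":")  # split on the first colon only
    if not sep:
        raise ValueError(f"malformed rule (no key:value): {rule!r}")
    fields = {"exe": alert.exe, "user": alert.account, "cmd": alert.cmd, "cwd": cwd}
    if key in fields:                                 # exact, case-sensitive
        return fields[key] == value
    if key.startswith("p") and key[1:] in fields:     # pexe:, pcmd:, ... (assumed regex)
        return re.fullmatch(value, fields[key[1:]]) is not None
    raise ValueError(f"unknown csf.pignore key {key!r} in {rule!r}")


def is_ignored(rules, alert: Alert, cwd: str) -> bool:
    """Any single matching line silences the alert."""
    return any(rule_matches(r, alert, cwd) for r in rules)


def suggest_rules(alert: Alert) -> list:
    """Candidate whitelist lines for this alert, from narrowest to broadest.

    cmd: is what the thread settles on, but it matches the field the alert
    header itself calls 'often faked'; exe: cannot be rewritten via argv but
    silences every php CLI process; user: silences everything that account runs.
    """
    return [f"cmd:{alert.cmd}", f"exe:{alert.exe}", f"user:{alert.account}"]


if __name__ == "__main__":
    alert = parse_alert(ALERT)
    for rule in ("cwd:/usr/bin/php cron.php", "cmd:/usr/bin/php cron.php",
                 r"pcmd:/usr/bin/php cron\.php", "exe:/usr/bin/php"):
        print(f"{rule:35} ignored={is_ignored([rule], alert, CWD)}")
    print("suggested:", suggest_rules(alert))
```

Run it as-is to see the four rules evaluated against the pasted alert; to check a real mail, paste its text into ALERT and your csf.pignore contents into load_rules(). The cwd: line compares the command string against a directory, which can never be equal, which is the whole reason the first suggestion in the thread would have had no effect.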