
LFD Suspicious process messages - (deleted) /usr/bin/php

Posted: 20 Aug 2013, 18:13
by 63bus
Yesterday I re-ran EasyApache (version 3.22.5) on my Cpanel / WHM server and since that time I have been getting 10-15 of these messages every hour or so:

Email subject line is:
lfd on <myserver>: Suspicious process running under user <me>
(<me> being my username; it's not "nobody")


Executable:

 (deleted)/usr/bin/php

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):



Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log


Memory maps by the process (if any):

00400000-00c4b000 r-xp 00000000 00:1a 26556476                            (deleted)/usr/bin/php
00e4a000-00ed3000 rw-p 0084a000 00:1a 26556476                            (deleted)/usr/bin/php
00ed3000-00ef4000 rw-p 00000000 00:00 0 
029fe000-03114000 rw-p 00000000 00:00 0                                  [heap]
7f7fbb219000-7f7fbd219000 rw-s 00000000 00:20 895385616                   (deleted)/VE13854-SYSV00000000

...
(Can't post the full memory map because I am not authorized to post links yet)

Is there something I can check on my server to stop these messages?
I have already restarted both Apache and LFD just in case; the messages continued.

Coincidentally, I had just run EasyApache (3.22.4) the day before and these messages did not occur afterward.
So if this is an issue for CPanel, let me know and I can post on their Forum.
They typically point all LFD questions here.


Side note: You also spelled executable wrong in:
"...restart the process that runs this excecutable file..."

Re: LFD Suspicious process messages - (deleted) /usr/bin/php

Posted: 22 Aug 2013, 16:30
by 63bus
CPanel released EasyApache 3.22.6 so I did a recompile just in case it would help, still getting tons of these emails.

Re: LFD Suspicious process messages - (deleted) /usr/bin/php

Posted: 27 Aug 2013, 19:27
by 63bus
Anyone have any advice?

After the above, I also recently upgraded, using EasyApache, to PHP 5.4.

No change: the messages are still being sent to me, hundreds per day.

Re: LFD Suspicious process messages - (deleted) /usr/bin/php

Posted: 28 Aug 2013, 07:48
by 63bus
I solved this issue by discovering there were several PHP processes that were left running after the upgrade above.

I used kill to kill them by the PID # reported in the emails and the messages have stopped.
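Added example (not code from this thread or from csf/lfd): a small POSIX sh script that does on the server what the poster did by hand, namely find the processes whose executable on disk has been deleted or replaced (the condition behind lfd's PT_DELETED alerts), and parse the "(deleted)" entries out of a memory map listing like the one quoted in the alert above. It assumes a Linux /proc filesystem with readlink and awk available; the sample map lines are the ones from the alert plus one constructed kernel-style line, and the /usr/lib/libc.so.6 path in it is made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the csf/lfd project. Lists processes that still
# run a deleted/replaced binary (what lfd's PT_DELETED check reports) and extracts the
# deleted mappings from a maps listing. Assumes Linux /proc, POSIX sh, awk and readlink.

# Print "PID<TAB>exe target" for every process whose /proc/<pid>/exe symlink points at a
# file that no longer exists. Such a process keeps running the old code until it is
# restarted (or, as in the thread, killed), which is why lfd keeps alerting on it.
find_deleted_exe_procs() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") printf '%s\t%s\n' "$pid" "$target" ;;
        esac
    done
}

# Read memory-map lines on stdin and print the unique paths of deleted mappings.
# Accepts both the kernel's /proc/<pid>/maps form ("/path (deleted)") and the form lfd
# prints in its alert ("(deleted)/path"). System V shared-memory segments (/SYSV<hex>)
# always appear as deleted and are normal for Apache/PHP, so they are skipped.
# Paths containing spaces are not handled.
deleted_maps_from_input() {
    awk '
        {
            path = ""
            if ($NF == "(deleted)")            # kernel style: path is field 6
                path = $6
            else if ($NF ~ /^\(deleted\)/) {   # lfd style: "(deleted)" glued to the path
                path = $NF
                sub(/^\(deleted\)/, "", path)
            }
            if (path != "" && path !~ /SYSV[0-9A-Fa-f]*$/)
                print path
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample: the map lines quoted in the alert above, plus one kernel-style
# line with a made-up path to show the other format.
SAMPLE_MAPS='00400000-00c4b000 r-xp 00000000 00:1a 26556476                            (deleted)/usr/bin/php
00e4a000-00ed3000 rw-p 0084a000 00:1a 26556476                            (deleted)/usr/bin/php
00ed3000-00ef4000 rw-p 00000000 00:00 0
029fe000-03114000 rw-p 00000000 00:00 0                                  [heap]
7f7fbb219000-7f7fbd219000 rw-s 00000000 00:20 895385616                   (deleted)/VE13854-SYSV00000000
7f00a1000000-7f00a1200000 r-xp 00000000 08:01 1234 /usr/lib/libc.so.6 (deleted)'

# Stand-alone run: show the deleted mappings in the sample, then scan the live system.
printf '%s\n' "$SAMPLE_MAPS" | deleted_maps_from_input
find_deleted_exe_procs
```

Run it as root after an upgrade; every PID it lists is a candidate for a restart of the owning service (or a kill, as the poster did), and the map parser can be pointed at /proc/<pid>/maps of a flagged PID to see which libraries or binaries the old process still has mapped.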