LFD Suspicious process messages - (deleted) /usr/bin/php
Posted: 20 Aug 2013, 18:13
Yesterday I re-ran EasyApache (version 3.22.5) on my cPanel / WHM server and since that time I have been getting 10-15 of these messages every hour or so:
Email subject line is:
lfd on <myserver>: Suspicious process running under user <me>
"Me" being my username; it's not "nobody".
(Can't post the full memory map because I am not authorized to post links yet)
Executable:
(deleted)/usr/bin/php
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
Memory maps by the process (if any):
00400000-00c4b000 r-xp 00000000 00:1a 26556476 (deleted)/usr/bin/php
00e4a000-00ed3000 rw-p 0084a000 00:1a 26556476 (deleted)/usr/bin/php
00ed3000-00ef4000 rw-p 00000000 00:00 0
029fe000-03114000 rw-p 00000000 00:00 0 [heap]
7f7fbb219000-7f7fbd219000 rw-s 00000000 00:20 895385616 (deleted)/VE13854-SYSV00000000
...
Is there something I can check on my server to stop these messages?
I have already restarted both Apache and LFD just in case; the messages continued.
Coincidentally I had just run Easy Apache (3.22.4) the day before and these messages did not occur afterward.
So if this is an issue for cPanel, let me know and I can post on their Forum.
They typically point all LFD questions here.
Side note: You also spelled executable wrong in:
"...restart the process that runs this excecutable file..."
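The check behind lfd's PT_DELETED alert is easy to reproduce by hand, which is useful when you want to see every process on the box that is still running code from a file that has since been replaced (after an EasyApache rebuild, typically php-cgi/php workers spawned by Apache). The script below is an added example for this thread, not lfd's own code (lfd is written in Perl and its implementation is not shown here). It parses /proc/<pid>/maps in both the kernel's own form ("path (deleted)") and the form lfd printed in the alert above ("(deleted)path"), reports only executable, file-backed mappings, and skips SysV shared-memory segments such as the "/VE13854-SYSV00000000" entry, which always show as deleted because they are not files on disk. The sample maps text is constructed from the memory map quoted in the post; scan_proc() assumes a Linux /proc and enough privilege to read other users' maps files.

```python
"""List processes whose executable code is mapped from a deleted file.

Added example, not part of the original post and not lfd's code. It
mirrors the idea behind the PT_DELETED alert: a deleted file-backed
executable mapping usually means the binary was replaced by an update
and the running process needs restarting, so it is worth listing them.
"""
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path].
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)
_DELETED = "(deleted)"

# Constructed sample: the memory map quoted in the lfd alert above.
SAMPLE_MAPS = """\
00400000-00c4b000 r-xp 00000000 00:1a 26556476 (deleted)/usr/bin/php
00e4a000-00ed3000 rw-p 0084a000 00:1a 26556476 (deleted)/usr/bin/php
00ed3000-00ef4000 rw-p 00000000 00:00 0
029fe000-03114000 rw-p 00000000 00:00 0 [heap]
7f7fbb219000-7f7fbd219000 rw-s 00000000 00:20 895385616 (deleted)/VE13854-SYSV00000000
...
"""


def parse_maps_line(line):
    """Return (perms, inode, path, deleted) for one maps line, or None."""
    m = _MAPS_LINE.match(line.strip())
    if not m:
        return None
    path = (m.group("path") or "").strip()
    deleted = False
    if path.startswith(_DELETED):            # lfd's rendering: "(deleted)/usr/bin/php"
        path, deleted = path[len(_DELETED):].strip(), True
    elif path.endswith(_DELETED):            # kernel's rendering: "/usr/bin/php (deleted)"
        path, deleted = path[: -len(_DELETED)].strip(), True
    return m.group("perms"), int(m.group("inode")), path, deleted


def deleted_executables(maps_text):
    """Paths of deleted, executable, file-backed mappings, in first-seen order.

    Anonymous memory and [heap]/[stack] have inode 0 and are skipped.
    SysV shm segments are skipped explicitly: they are always reported
    as deleted and normally carry no execute bit anyway.
    """
    found = []
    for line in maps_text.splitlines():
        parsed = parse_maps_line(line)
        if parsed is None:
            continue
        perms, inode, path, deleted = parsed
        if not deleted or inode == 0 or "x" not in perms:
            continue
        if "SYSV" in os.path.basename(path):
            continue
        if path not in found:
            found.append(path)
    return found


def scan_proc(proc_root="/proc"):
    """Walk proc_root and return {pid: [deleted executable paths]}.

    Processes that exit mid-scan or whose maps file is not readable
    (other users' processes when not running as root) are skipped.
    """
    report = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps")) as fh:
                hits = deleted_executables(fh.read())
        except OSError:
            continue
        if hits:
            report[int(name)] = hits
    return report


if __name__ == "__main__":
    print("sample alert ->", deleted_executables(SAMPLE_MAPS))
    for pid, paths in sorted(scan_proc().items()):
        print(pid, " ".join(paths))
```

Run it as root to cover every user's processes; each line printed from the live scan is a PID whose code comes from a replaced file and that should be restarted (for PHP under Apache, a graceful Apache restart is usually what is needed, as the alert text itself suggests). Only the r-xp text mapping of /usr/bin/php counts; the rw-p data mapping of the same file is deduplicated and the shared-memory segment is ignored.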