
lfd: Suspicious process running under user mailnull

Posted: 19 Aug 2014, 15:14
by gabrielle
Hello,
For some time we have been getting "Suspicious process running under user mailnull" notifications. I include the notification below. We restarted Exim, but without any luck.
The process itself is:
PID: 7992 (Parent PID:7922)
Account: mailnull

Should we kill this process or are there any other things we could do?

Thank you

Gabrielle
==============================================================
The notification is:

Executable:

/usr/sbin/exim\005344cfd3 (deleted)

Command Line (often faked in exploits):

/usr/sbin/sendmail -FCronDaemon -i -odi -oem -oi -t


Network connections by the process (if any):



Files open by the process (if any):

/dev/null
/dev/null
/proc/7922/cmdline
/var/log/exim_mainlog.1 (deleted)


Memory maps by the process (if any):


Re: lfd: Suspicious process running under user mailnull

Posted: 20 Aug 2014, 18:41
by Sergio
Add to CSF.PIGNORE the following line:
user:mailnull
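As an added example (not code from this thread or from the CSF/lfd project), a POSIX sh helper that adds Sergio's csf.pignore entry idempotently, validating the entry prefix, plus a triage check for a saved lfd notification: "(deleted)" after the executable path means the file the process was started from has since been replaced or removed on disk, which is what upgrading a running daemon's package produces, so verifying the current /usr/sbin/exim against the package manager before whitelisting is the sensible step. The csf.pignore path is a parameter, so the script can be tried against a scratch copy first.

```shell
#!/bin/sh
# Added example; not code from the thread or from the CSF/lfd project.
# Assumption: the csf.pignore path is passed in, so it can run on a scratch copy.

# Entry prefixes accepted in csf.pignore (the p* variants take a Perl regex).
PIGNORE_PREFIXES="exe: user: cmd: pexe: puser: pcmd:"

# pignore_entry_valid ENTRY: 0 if ENTRY has a known prefix and a non-empty value.
pignore_entry_valid() {
    entry=$1
    prefix="${entry%%:*}:"
    value=${entry#*:}
    # No colon at all leaves value equal to the whole entry: reject it.
    [ -n "$value" ] && [ "$value" != "$entry" ] || return 1
    for p in $PIGNORE_PREFIXES; do
        [ "$p" = "$prefix" ] && return 0
    done
    return 1
}

# pignore_add FILE ENTRY: append ENTRY to FILE exactly once.
# Returns 0 if appended, 2 if already present, 1 if ENTRY is malformed.
pignore_add() {
    file=$1
    entry=$2
    pignore_entry_valid "$entry" || return 1
    grep -qxF -- "$entry" "$file" 2>/dev/null && return 2
    printf '%s\n' "$entry" >> "$file"
}

# notif_exe_deleted FILE: 0 if the "Executable:" section of a saved lfd
# notification names a path marked "(deleted)", i.e. the binary the process
# was started from has since been replaced or removed on disk.
notif_exe_deleted() {
    awk '/^Executable:/ { want = 1; next }
         want && NF      { print; exit }' "$1" | grep -q '(deleted)$'
}
```

lfd reads csf.pignore when it starts, so restart it (for example `service lfd restart`) after the edit or the notifications keep coming.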

Re: lfd: Suspicious process running under user mailnull

Posted: 21 Aug 2014, 13:16
by gabrielle
Hi Sergio,
Thank you very much for your help: your advice removed the notifications!
Would you advise anything else to really "kill" the process?
Thank you
Gabrielle

Re: lfd: Suspicious process running under user mailnull

Posted: 23 Aug 2014, 16:23
by Sergio
Gabrielle,
you don't want to kill mailnull, as it is needed in your email environment.

The command that you wrote in csf.pignore is to let mailnull do its chore.

Re: lfd: Suspicious process running under user mailnull

Posted: 23 Aug 2014, 17:24
by gabrielle
Sergio, thank you for your explanation.
Have a great weekend
Gabrielle

Re: lfd: Suspicious process running under user mailnull

Posted: 04 Aug 2016, 17:19
by largestudio
Hi dear,
I added the code:
user:mailnull

to this file: "/etc/csf/csf.pignore"
but I receive the email ...