  1. #1
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    420

    LFD warning of process as suspicious even though it's added to ignore

    I continue to get emails from LFD on my server with the subject "Suspicious process running under user dovenull" with this message:

    Code:
    Time:    Fri Jan 17 09:42:53 2014 -0500
    PID:     32196 (Parent PID:32193)
    Account: dovenull
    Uptime:  2540425 seconds
    
    
    Executable:
    
    /usr/libexec/dovecot/pop3-login\0052b27dbc\00ter.frm (deleted)
    
    The file system shows this process is running an executable file that has been
    deleted. This typically happens when the original file has been replaced by a new
    file when the application is updated. To prevent this being reported again, restart
    the process that runs this excecutable file. See csf.conf and the PT_DELETED text
    for more information about the security implications of processes running deleted
    executable files.
    
    
    Command Line (often faked in exploits):
    
    dovecot/pop3-login
    
    
    Network connections by the process (if any):
    
    tcp: 0.0.0.0:110 -> 0.0.0.0:0
    tcp: 0.0.0.0:995 -> 0.0.0.0:0
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /var/run/dovecot/login-master-notify09842f85788aed14 (deleted)
    /dev/urandom
    eventpoll:[1488605066]
    
    
    Memory maps by the process (if any):
    
    00400000-00405000 r-xp 00000000 08:05 40403147 /usr/libexec/dovecot/pop3-login
    00604000-00605000 r--p 00004000 08:05 40403147 /usr/libexec/dovecot/pop3-login
    00605000-00606000 rw-p 00005000 08:05 40403147 /usr/libexec/dovecot/pop3-login
    15d8f000-15df4000 rw-p 15d8f000 00:00 0 [heap]
    3e24400000-3e2441c000 r-xp 00000000 08:05 48824467 /lib64/ld-2.5.so
    3e2461c000-3e2461d000 r--p 0001c000 08:05 48824467 /lib64/ld-2.5.so
    3e2461d000-3e2461e000 rw-p 0001d000 08:05 48824467 /lib64/ld-2.5.so
    3e24800000-3e2494f000 r-xp 00000000 08:05 48824585 /lib64/libc-2.5.so
    3e2494f000-3e24b4f000 ---p 0014f000 08:05 48824585 /lib64/libc-2.5.so
    3e24b4f000-3e24b53000 r--p 0014f000 08:05 48824585 /lib64/libc-2.5.so
    3e24b53000-3e24b54000 rw-p 00153000 08:05 48824585 /lib64/libc-2.5.so
    3e24b54000-3e24b59000 rw-p 3e24b54000 00:00 0
    3e24c00000-3e24c02000 r-xp 00000000 08:05 48824598 /lib64/libdl-2.5.so
    3e24c02000-3e24e02000 ---p 00002000 08:05 48824598 /lib64/libdl-2.5.so
    3e24e02000-3e24e03000 r--p 00002000 08:05 48824598 /lib64/libdl-2.5.so
    3e24e03000-3e24e04000 rw-p 00003000 08:05 48824598 /lib64/libdl-2.5.so
    3e25000000-3e25016000 r-xp 00000000 08:05 48824589 /lib64/libpthread-2.5.so
    3e25016000-3e25216000 ---p 00016000 08:05 48824589 /lib64/libpthread-2.5.so
    3e25216000-3e25217000 r--p 00016000 08:05 48824589 /lib64/libpthread-2.5.so
    3e25217000-3e25218000 rw-p 00017000 08:05 48824589 /lib64/libpthread-2.5.so
    3e25218000-3e2521c000 rw-p 3e25218000 00:00 0
    3e25800000-3e25807000 r-xp 00000000 08:05 48824539 /lib64/librt-2.5.so
    3e25807000-3e25a07000 ---p 00007000 08:05 48824539 /lib64/librt-2.5.so
    3e25a07000-3e25a08000 r--p 00007000 08:05 48824539 /lib64/librt-2.5.so
    3e25a08000-3e25a09000 rw-p 00008000 08:05 48824539 /lib64/librt-2.5.so
    3e25c00000-3e25c14000 r-xp 00000000 08:05 48824707 /lib64/libz.so.1.2.3
    3e25c14000-3e25e13000 ---p 00014000 08:05 48824707 /lib64/libz.so.1.2.3
    3e25e13000-3e25e14000 rw-p 00013000 08:05 48824707 /lib64/libz.so.1.2.3
    3e26000000-3e2603b000 r-xp 00000000 08:05 48824715 /lib64/libsepol.so.1
    3e2603b000-3e2623b000 ---p 0003b000 08:05 48824715 /lib64/libsepol.so.1
    3e2623b000-3e2623c000 rw-p 0003b000 08:05 48824715 /lib64/libsepol.so.1
    3e2623c000-3e26246000 rw-p 3e2623c000 00:00 0
    3e26400000-3e26415000 r-xp 00000000 08:05 48824725 /lib64/libselinux.so.1
    3e26415000-3e26615000 ---p 00015000 08:05 48824725 /lib64/libselinux.so.1
    3e26615000-3e26617000 rw-p 00015000 08:05 48824725 /lib64/libselinux.so.1
    3e26617000-3e26618000 rw-p 3e26617000 00:00 0
    3e28c00000-3e28d2d000 r-xp 00000000 08:05 48824727 /lib64/libcrypto.so.0.9.8e
    3e28d2d000-3e28f2c000 ---p 0012d000 08:05 48824727 /lib64/libcrypto.so.0.9.8e
    3e28f2c000-3e28f4d000 rw-p 0012c000 08:05 48824727 /lib64/libcrypto.so.0.9.8e
    3e28f4d000-3e28f51000 rw-p 3e28f4d000 00:00 0
    3e29400000-3e2942c000 r-xp 00000000 08:05 38944334 /usr/lib64/libgssapi_krb5.so.2.2
    3e2942c000-3e2962c000 ---p 0002c000 08:05 38944334 /usr/lib64/libgssapi_krb5.so.2.2
    3e2962c000-3e2962e000 rw-p 0002c000 08:05 38944334 /usr/lib64/libgssapi_krb5.so.2.2
    3e29800000-3e29811000 r-xp 00000000 08:05 48824713 /lib64/libresolv-2.5.so
    3e29811000-3e29a11000 ---p 00011000 08:05 48824713 /lib64/libresolv-2.5.so
    3e29a11000-3e29a12000 r--p 00011000 08:05 48824713 /lib64/libresolv-2.5.so
    3e29a12000-3e29a13000 rw-p 00012000 08:05 48824713 /lib64/libresolv-2.5.so
    3e29a13000-3e29a15000 rw-p 3e29a13000 00:00 0
    3e29c00000-3e29c48000 r-xp 00000000 08:05 48824728 /lib64/libssl.so.0.9.8e
    3e29c48000-3e29e48000 ---p 00048000 08:05 48824728 /lib64/libssl.so.0.9.8e
    3e29e48000-3e29e4e000 rw-p 00048000 08:05 48824728 /lib64/libssl.so.0.9.8e
    3e2a800000-3e2a802000 r-xp 00000000 08:05 48824726 /lib64/libcom_err.so.2.1
    3e2a802000-3e2aa01000 ---p 00002000 08:05 48824726 /lib64/libcom_err.so.2.1
    3e2aa01000-3e2aa02000 rw-p 00001000 08:05 48824726 /lib64/libcom_err.so.2.1
    3e2ac00000-3e2ac02000 r-xp 00000000 08:05 48824711 /lib64/libkeyutils-1.2.so
    3e2ac02000-3e2ae01000 ---p 00002000 08:05 48824711 /lib64/libkeyutils-1.2.so
    3e2ae01000-3e2ae02000 rw-p 00001000 08:05 48824711 /lib64/libkeyutils-1.2.so
    3e2c400000-3e2c408000 r-xp 00000000 08:05 38932979 /usr/lib64/libkrb5support.so.0.1
    3e2c408000-3e2c607000 ---p 00008000 08:05 38932979 /usr/lib64/libkrb5support.so.0.1
    3e2c607000-3e2c608000 rw-p 00007000 08:05 38932979 /usr/lib64/libkrb5support.so.0.1
    3e2c800000-3e2c891000 r-xp 00000000 08:05 38940739 /usr/lib64/libkrb5.so.3.3
    3e2c891000-3e2ca91000 ---p 00091000 08:05 38940739 /usr/lib64/libkrb5.so.3.3
    3e2ca91000-3e2ca95000 rw-p 00091000 08:05 38940739 /usr/lib64/libkrb5.so.3.3
    3e2cc00000-3e2cc24000 r-xp 00000000 08:05 38939724 /usr/lib64/libk5crypto.so.3.1
    3e2cc24000-3e2ce23000 ---p 00024000 08:05 38939724 /usr/lib64/libk5crypto.so.3.1
    3e2ce23000-3e2ce25000 rw-p 00023000 08:05 38939724 /usr/lib64/libk5crypto.so.3.1
    2b2775fe7000-2b2775fe9000 rw-p 2b2775fe7000 00:00 0
    2b2775fe9000-2b2776001000 r-xp 00000000 08:05 40403472 /usr/lib64/dovecot/libdovecot-login.so.0.0.0.#prelink#.AM8Scx (deleted)
    2b2776001000-2b2776200000 ---p 00018000 08:05 40403472 /usr/lib64/dovecot/libdovecot-login.so.0.0.0.#prelink#.AM8Scx (deleted)
    2b2776200000-2b2776202000 r--p 00017000 08:05 40403472 /usr/lib64/dovecot/libdovecot-login.so.0.0.0.#prelink#.AM8Scx (deleted)
    2b2776202000-2b2776203000 rw-p 00019000 08:05 40403472 /usr/lib64/dovecot/libdovecot-login.so.0.0.0.#prelink#.AM8Scx (deleted)
    2b2776203000-2b27762c5000 r-xp 00000000 08:05 40403530 /usr/lib64/dovecot/libdovecot.so.0.0.0.#prelink#.0P8kRG (deleted)
    2b27762c5000-2b27764c5000 ---p 000c2000 08:05 40403530 /usr/lib64/dovecot/libdovecot.so.0.0.0.#prelink#.0P8kRG (deleted)
    2b27764c5000-2b27764c9000 r--p 000c2000 08:05 40403530 /usr/lib64/dovecot/libdovecot.so.0.0.0.#prelink#.0P8kRG (deleted)
    2b27764c9000-2b27764ca000 rw-p 000c6000 08:05 40403530 /usr/lib64/dovecot/libdovecot.so.0.0.0.#prelink#.0P8kRG (deleted)
    2b27764ca000-2b27764cd000 rw-p 2b27764ca000 00:00 0
    2b27764e1000-2b27764e9000 rw-p 2b27764e1000 00:00 0
    7fff23c16000-7fff23c2b000 rw-p 7ffffffe9000 00:00 0 [stack]
    7fff23dcb000-7fff23dcf000 r-xp 7fff23dcb000 00:00 0 [vdso]
    ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vsyscall]

    I have checked the csf.pignore file in WHM and have confirmed this to be added to the file:

    Code:
    exe:/usr/libexec/dovecot/imap
    exe:/usr/libexec/dovecot/pop3
    exe:/usr/libexec/dovecot/pop3-login
    exe:/usr/libexec/dovecot/imap-login

    I've restarted LFD several times, though this seems to make no difference. What am I missing?

  2. #2
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,948
    "Command Line (often faked in exploits):
    dovecot/pop3-login"

    Have you tried with that in the file as:
    cmd:dovecot/pop3-login
    Having problems, or maybe questions about WHT? Head over to the help desk!
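    The suggestion in post #2 works because lfd's process tracking compares an exe: entry against what the kernel reports for /proc/PID/exe, and for a process whose binary was replaced on disk that link target carries a " (deleted)" suffix (plus, in the report above, extra characters), so the exact path in csf.pignore no longer matches, while a cmd: entry is compared against the command line, which is unchanged. The following is an added teaching model of that decision, written for this thread and not csf's or lfd's own code; the exact-match rules for exe:/cmd:/user: and the regex rules for pexe:/pcmd:/puser: are an assumed simplification of the real implementation, and the pignore content and process record are constructed from the report quoted in post #1.

```python
"""Teaching model of how lfd's process tracking decides whether a process is
covered by csf.pignore. Added example, not csf/lfd code; the exact-match rules
for exe:/cmd:/user: and regex rules for pexe:/pcmd:/puser: are a simplification
of the real implementation."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the csf.pignore lines quoted in post #1.
ORIGINAL_PIGNORE = """\
# dovecot processes (exact executable paths)
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
"""
# The line suggested in post #2.
SUGGESTED_LINE = "cmd:dovecot/pop3-login"

KNOWN_KINDS = {"exe", "cmd", "user", "pexe", "pcmd", "puser"}


@dataclass
class ProcInfo:
    """What lfd reads for one process: owner, readlink(/proc/PID/exe) and argv."""
    pid: int
    user: str
    exe: str
    cmdline: str


# The process from the LFD report in post #1. Raw string: the backslashes in the
# kernel-reported link target are literal characters, not escapes.
REPORTED_PROC = ProcInfo(
    pid=32196,
    user="dovenull",
    exe=r"/usr/libexec/dovecot/pop3-login\0052b27dbc\00ter.frm (deleted)",
    cmdline="dovecot/pop3-login",
)


def parse_pignore(text: str) -> List[Tuple[str, str]]:
    """Parse csf.pignore into (kind, value) pairs; blank lines and # comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        kind, value = kind.strip(), value.strip()
        if not sep or kind not in KNOWN_KINDS or not value:
            raise ValueError(f"csf.pignore line {lineno}: cannot parse {raw!r}")
        entries.append((kind, value))
    return entries


def is_deleted_exe(exe: str) -> bool:
    """The kernel appends ' (deleted)' to /proc/PID/exe when the binary on disk is gone."""
    return exe.endswith(" (deleted)")


def matching_entry(proc: ProcInfo, entries: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return the first pignore entry covering proc, or None."""
    for kind, value in entries:
        if kind == "exe" and proc.exe == value:
            return kind, value
        if kind == "cmd" and proc.cmdline == value:
            return kind, value
        if kind == "user" and proc.user == value:
            return kind, value
        if kind == "pexe" and re.search(value, proc.exe):
            return kind, value
        if kind == "pcmd" and re.search(value, proc.cmdline):
            return kind, value
        if kind == "puser" and re.search(value, proc.user):
            return kind, value
    return None


def should_alert(proc: ProcInfo, entries: List[Tuple[str, str]]) -> bool:
    """PT_DELETED-style alert: deleted executable and no pignore entry covers the process."""
    return is_deleted_exe(proc.exe) and matching_entry(proc, entries) is None


def explain(proc: ProcInfo, entries: List[Tuple[str, str]]) -> str:
    """Human-readable verdict, useful when debugging an ignore entry that 'does nothing'."""
    hit = matching_entry(proc, entries)
    if not is_deleted_exe(proc.exe):
        return f"PID {proc.pid}: executable still on disk, no PT_DELETED alert"
    if hit is None:
        return (f"PID {proc.pid}: ALERT, exe {proc.exe!r} is deleted and matches no "
                f"pignore entry (exe: entries compare against the deleted link target)")
    return f"PID {proc.pid}: deleted exe but ignored by {hit[0]}:{hit[1]}"


if __name__ == "__main__":
    before = parse_pignore(ORIGINAL_PIGNORE)
    after = parse_pignore(ORIGINAL_PIGNORE + SUGGESTED_LINE + "\n")
    print(explain(REPORTED_PROC, before))
    print(explain(REPORTED_PROC, after))
```

    Run stand-alone, the script prints an alert for the pignore file as posted and an "ignored by cmd:dovecot/pop3-login" verdict once the suggested line is added. The model also shows why post #4's advice is the complete fix rather than a workaround: after dovecot is restarted the link target is the clean path again, the existing exe: entry matches, and the cmd: entry is no longer needed to silence the report.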

  3. #3
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    420
    I have not but will give that a try. Thanks for the reply.

  4. #4
    Join Date
    Mar 2010
    Location
    Dallas
    Posts
    305
    The error is listed in the email. You just need to restart dovecot. There was an update to it. If you didn't do the update, that is another issue.

  5. #5
    Join Date
    Feb 2002
    Location
    Indiana
    Posts
    420
    Quote Originally Posted by bear:
    "Command Line (often faked in exploits):
    dovecot/pop3-login"

    Have you tried with that in the file as:
    cmd:dovecot/pop3-login
    This worked in resolving all the emails. I've now also restarted dovecot as suggested. Should be covering all bases now.
