Receiving Messages from CSF Every Hour

Discussion in 'Technical and Security Issues' started by cloud3peace, 4 May 2013.

Thread Status:
Not open for further replies.
  1. cloud3peace

    Dear all,

    I have a Joomla website on my VPS, where I have installed CSF.
    Every hour CSF sends 3 emails like this:

    Subject: lfd on <hostname>: Excessive resource usage: <nama akun> (26324 (Parent PID:23332))

    Time: Sat May 4 11:02:09 2013 +0700
    Account: <name akun>
    Resource: Process Time
    Exceeded: 85540 > 1800 (seconds)
    Executable: /usr/bin/php
    Command Line: /usr/bin/php /home/<nama akun>/public_html/index.php
    PID: 26324 (Parent PID:23332)
    Killed: No

    Subject: lfd on <hostname>: Suspicious process running under user <nama akun>

    Time: Sat May 4 11:02:09 2013 +0700
    PID: 26849 (Parent PID:23011)
    Account: <nama akun>
    Uptime: 85401 seconds


    Executable:

    /usr/bin/php


    Command Line (often faked in exploits):

    /usr/bin/php /home/<nama akun>/public_html/index.php


    Network connections by the process (if any):

    tcp: <ip server>:52063 -> 98.138.26.40:80


    Files open by the process (if any):



    Memory maps by the process (if any):


    Any idea why?
    I have already checked the Apache logs, but there is no brute force or anything strange.
    Just normal traffic.
    The cron jobs are empty as well.


    Thanks
     
  2. bintang

    Just ignore it, it's normal. It happens every time someone accesses your site and a process takes a while to load, so that notification comes in.

    #please correct me if I'm wrong#
     
  3. cloud3peace

    Yeah...
    I checked the logs and there was nothing strange...
    Then I restarted CSF, and it turned out that every time it restarts it immediately sends the email again.

    So in the end I put it in the ignore list.

    So this message is perfectly safe to ignore?
     
  4. jaapns

    Just turn off the notifications (alerts), CSF gives you a headache, you can't sleep well if you keep watching those emails ......
     
  5. cloud3peace

    Do you mean turn it off entirely, or just for my case above?
    If turning it off entirely means setting PT_LIMIT to 0?
    Isn't it useful for detecting something that uses a lot of resources?
    Like a cron job?
     
  6. PusatHosting

    PT_LIMIT = 0
    So far no problems, since that information doesn't seem all that important.
     
  7. BennyKusman

    I usually put it in .pignore (process ignore) for the executable /usr/bin/php
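The two suggestions above differ in scope: PT_LIMIT = 0 switches off lfd's process-time check for every process, while a csf.pignore entry only exempts the processes it matches. As an added illustration (not code from the thread or from CSF itself), this script parses an lfd alert body in the format quoted in the first post and reports which csf.pignore rule, if any, would have silenced it; the account name and the rule set are constructed for the example, and the `exe:`/`user:`/`cmd:` (exact match) and `pexe:`/`puser:`/`pcmd:` (regex) rule kinds are CSF's own csf.pignore syntax.

```python
import re

# Constructed sample in the layout of the lfd alert quoted in the thread.
# "1800" on the Exceeded line is the configured PT_LIMIT in seconds.
SAMPLE_ALERT = """\
Time: Sat May 4 11:02:09 2013 +0700
Account: joomla
Resource: Process Time
Exceeded: 85540 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/joomla/public_html/index.php
PID: 26324 (Parent PID:23332)
Killed: No
"""

# Constructed csf.pignore rule set, narrowed to the one executable
# instead of disabling the whole check with PT_LIMIT = 0.
PIGNORE_RULES = ["exe:/usr/bin/php"]

# Which alert field each rule kind is compared against.
FIELD_FOR_KIND = {"exe": "Executable", "user": "Account", "cmd": "Command Line"}


def parse_alert(text):
    """Turn the 'Key: value' lines of an lfd alert into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # Split "used > limit" so the overrun can be reasoned about numerically.
    m = re.match(r"(\d+)\s*>\s*(\d+)", fields.get("Exceeded", ""))
    if m:
        fields["used"], fields["limit"] = int(m.group(1)), int(m.group(2))
    return fields


def pignore_matches(fields, rules):
    """Return the first csf.pignore rule that would exempt this process, else None."""
    for rule in rules:
        kind, _, pattern = rule.partition(":")
        is_regex = kind.startswith("p")          # pexe/puser/pcmd use regexes
        field = FIELD_FOR_KIND.get(kind[1:] if is_regex else kind)
        target = fields.get(field) if field else None
        if target is None:
            continue
        if (re.search(pattern, target) if is_regex else target == pattern):
            return rule
    return None
```

Running `pignore_matches(parse_alert(SAMPLE_ALERT), PIGNORE_RULES)` returns `"exe:/usr/bin/php"`, i.e. the alert from the thread would be suppressed by that single entry while the process-time check stays active for everything else.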
     
  8. cloud3peace

    Yeah...
    In the end I just set it to ignore.
    Thanks everyone for the help :)

    Case closed.
    Please close the thread.
     
  9. BennyKusman

    thread closed by request
     