Suspicious process running under user

Discussion in 'Technical and Security Issues' started by shara nurul, 6 Mar 2015.

Thread Status:
Not open for further replies.
  1. shara nurul
    Good afternoon, DWH masters,

    This afternoon I tried the email preference in WHM and pointed it at my personal email; after a few minutes I got bombarded with a large number of emails, one of them titled "Suspicious process running under user username".

    Does anyone know what that email means? Is it really that a certain username's resource usage is very high?

    And how do I prevent it?

    Sorry, newbie here.

    Regards,
    Shara Nurul
     
  2. junior riau
    Time: Fri Mar 6 11:09:07 2015 +0700
    PID: 187098 (Parent PID:187098)
    Account: laatansa
    Uptime: 1446754 seconds

    Executable:
    /usr/local/cpanel/3rdparty/php/54/bin/php-cgi

    Command Line (often faked in exploits):
    /usr/local/cpanel/3rdparty/php/54/bin/php-cgi ./frontend/x3/softaculous/index.live.php

    Network connections by the process (if any):
    tcp: 103.28.148.66:35306 -> 76.164.222.115:443

    Files open by the process (if any):
    /usr/local/cpanel/logs/error_log
    (deleted)/home/xxxxxx/public_html/40_theme_package.zip
    /etc/pki/nssdb/cert9.db
    /etc/pki/nssdb/key4.db

    Memory maps by the process (if any):


    That is usually what the contents of a "suspicious process running under user xxxxx" email look like.
    Not infrequently, though, the contents are a genuine exploitation attempt (a backdoor, or rooting, i.e. process privilege escalation, by an attacker).
     
  3. antmediahost
    Probably from the firewall, mas; with CSF you just list it in csf.pignore or increase its memory limit. CMIIW :D
     
  4. shara nurul
    @antmediahost: how do I list it in csf.pignore or increase the memory limit, mas?
     
  5. antmediahost
    In WHM go to Home > Plugins > ConfigServer Security & Firewall > Firewall Configuration, look for the PT_USERMEM value and raise it.
    If you want to whitelist a particular process, open the file /etc/csf/csf.pignore and add the full path of the script the firewall is flagging.

    CMIIW :D
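A triage helper for alerts of this kind, added here as an example and not code from the thread or from CSF itself: it parses the sections of an LFD "Suspicious process" alert (a constructed sample modelled on the one quoted above, with the account name replaced), flags the signs a defender checks before whitelisting anything (argv[0] differing from the executable, a deleted file held open, an outbound connection to a public address), and builds the `exe:` form of a csf.pignore entry, which is the csf.pignore syntax for matching by executable path. Function and sample names are my own.

```python
import ipaddress
import re
# Constructed sample modelled on the alert quoted above (account name replaced).
SAMPLE_ALERT = """PID: 187098 (Parent PID:187098)
Account: exampleuser
Executable:
/usr/local/cpanel/3rdparty/php/54/bin/php-cgi
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/php/54/bin/php-cgi ./frontend/x3/softaculous/index.live.php
Network connections by the process (if any):
tcp: 103.28.148.66:35306 -> 76.164.222.115:443
Files open by the process (if any):
(deleted)/home/exampleuser/public_html/40_theme_package.zip
Memory maps by the process (if any):
00400000-010ad000 r-xp 00000000 09:01 393477 /usr/local/cpanel/3rdparty/php/54/bin/php-cgi
"""

# Alert section headings and the key each one fills; memory maps are skipped.
SECTIONS = {"Executable:": "executable", "Command Line": "cmdline",
            "Network connections": "network", "Files open": "files", "Memory maps": "skip"}

def parse_lfd_alert(text):
    """Split an LFD 'Suspicious process' alert into header fields and sections."""
    alert = {"network": [], "files": [], **dict(re.findall(r"^(PID|Account):\s*(\S+)", text, re.M))}
    section = "header"
    for line in map(str.strip, text.splitlines()):
        hit = [key for prefix, key in SECTIONS.items() if line.startswith(prefix)]
        if hit:
            section = hit[0]
        elif line and section in ("executable", "cmdline"):
            alert[section] = line
        elif line and section in ("network", "files"):
            alert[section].append(line)
    return alert

def triage(alert):
    """Indicators a defender checks before deciding to whitelist the process."""
    flags = []
    if alert["cmdline"].split()[0] != alert["executable"]:
        flags.append("argv[0] differs from executable (command line may be faked)")
    if any(f.startswith("(deleted)") for f in alert["files"]):
        flags.append("process holds a deleted file open")
    for conn in alert["network"]:
        dst = conn.split("->")[1].strip().rsplit(":", 1)[0]
        if ipaddress.ip_address(dst).is_global:
            flags.append("outbound connection to public address " + dst)
    return flags

def pignore_line(alert):  # csf.pignore entry for this executable; add only after review
    return "exe:" + alert["executable"]
```

Raising PT_USERMEM only silences the resource warning; the flags from `triage()` are the ones to resolve first, since a whitelisted path is never reported again.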
     
  6. sentabi
  7. shara nurul
    OK, thank you, masters.
     