Suspicious process running under user


Status
Not open for further replies.

shara nurul

Apprentice 1.0
Selamat Siang para master DWH ,

Siang ini saya coba preference email di whm saya arahkan ke email pribadi ,setelah beberapa menit dapat bom email dalam jumlah yang besar ,salah satu judulnya " Suspicious process running under user username ".

Mungkin ada tahu tentang maksud email tersebut ,apa memang resource username tertentu ada yang sangat tinggi ?

Dan bagaimana pencegahannnya

Maaf newbie

Salam ,
Shara Nurul
 

junior riau

Hosting Guru
Verified Provider
Time: Fri Mar 6 11:09:07 2015 +0700
PID: 187098 (Parent PID:187098)
Account: laatansa
Uptime: 1446754 seconds


Executable:

/usr/local/cpanel/3rdparty/php/54/bin/php-cgi


Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/php/54/bin/php-cgi ./frontend/x3/softaculous/index.live.php


Network connections by the process (if any):

tcp: 103.28.148.66:35306 -> 76.164.222.115:443


Files open by the process (if any):

/usr/local/cpanel/logs/error_log
(deleted)/home/xxxxxx/public_html/40_theme_package.zip
/etc/pki/nssdb/cert9.db
/etc/pki/nssdb/key4.db


Memory maps by the process (if any):

00400000-010ad000 r-xp 00000000 09:01 393477 /usr/local/cpanel/3rdparty/php/54/bin/php-cgi
012ac000-012c4000 rw-p 00cac000 09:01 393477 /usr/local/cpanel/3rdparty/php/54/bin/php-cgi
012c4000-012e7000 rw-p 00000000 00:00 0
01ab1000-02a32000 rw-p 00000000 00:00 0 [heap]
7f2e1ec93000-7f2e1ecb9000 r-xp 00000000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1ecb9000-7f2e1eeb9000 ---p 00026000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1eeb9000-7f2e1eeba000 r--p 00026000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1eeba000-7f2e1eebb000 rw-p 00027000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1eebb000-7f2e1eedf000 r-xp 00000000 09:01 2886407 /usr/lib64/libnsspem.so
7f2e1eedf000-7f2e1f0de000 ---p 00024000 09:01 2886407 /usr/lib64/libnsspem.so
7f2e1f0de000-7f2e1f0df000 r--p 00023000 09:01 2886407 /usr/lib64/libnsspem.so
7f2e1f0df000-7f2e1f0e0000 rw-p 00024000 09:01 2886407 /usr/lib64


biasanya isi suspicious process running under user xxxxx
kaya begitu isinya
tak jarang pula isinya benar2 aksi exploitasi (backdor/rooting(process privileges escalation) oleh attacker)
 
Status
Not open for further replies.

Top