Suspicious process running under user ...

Discussion in 'VPS (Virtual Private Server)' started by rahab, 10 Aug 2015.

Thread Status:
Not open for further replies.
  1. rahab

    rahab Poster 1.0

    Good evening, gentlemen.

    I got a notification email about one of the accounts on my VPS.

    Here are the contents:

    *** ENVELOPE RECORDS maildrop/3B688600BD ***
    message_arrival_time: Mon Aug 10 07:24:17 2015
    named_attribute: rewrite_context=local
    sender_fullname: root
    sender: root
    *** MESSAGE CONTENTS maildrop/3B688600BD ***
    regular_text: From: root
    regular_text: To: root
    regular_text: Subject: lfd on {MY HOSTNAME}: Suspicious process running under user {USER}
    regular_text:
    regular_text: Time: {DATETIME}
    regular_text: PID: 27074 (Parent PID:21396)
    regular_text: Account: {USER}
    regular_text: Uptime: 81 seconds
    regular_text:
    regular_text:
    regular_text: Executable:
    regular_text:
    regular_text: /usr/local/bin/php-cgi
    regular_text:
    regular_text:
    regular_text: Command Line (often faked in exploits):
    regular_text:
    regular_text: /usr/local/bin/php-cgi
    regular_text:
    regular_text:
    regular_text: Network connections by the process (if any):
    regular_text:
    regular_text: tcp: {MY HOST IP}:46357 -> {UNKNOWN IP}:443
    regular_text:
    regular_text:
    regular_text: Files open by the process (if any):
    regular_text:
    regular_text:
    regular_text:
    regular_text: Memory maps by the process (if any):
    regular_text:
    regular_text: 00400000-00dd3000 r-xp 00000000 b6:834c1 15356 /usr/local/bin/php-cgi
    regular_text: 00fd3000-00fe2000 rw-p 009d3000 b6:834c1 15356 /usr/local/bin/php-cgi
    regular_text: 00fe2000-01006000 rw-p 00000000 00:00 0
    regular_text: 02c59000-04cfe000 rw-p 00000000 00:00 0 [heap]
    regular_text: 7f5998d6a000-7f5998d6f000 r-xp 00000000 b6:834c1 524318 /lib64/libnss_dns-2.12.so
    regular_text: 7f5998d6f000-7f5998f6e000 ---p 00005000 b6:834c1 524318 /lib64/libnss_dns-2.12.so
    regular_text: 7f5998f6e000-7f5998f6f000 r--p 00004000 b6:834c1 524318 /lib64/libnss_dns-2.12.so
    regular_text: 7f5998f6f000-7f5998f70000 rw-p 00005000 b6:834c1 524318 /lib64/libnss_dns-2.12.so
    regular_text: 7f5998f70000-7f5998f7c000 r-xp 00000000 b6:834c1 524320 /lib64/libnss_files-2.12.so
    regular_text: 7f5998f7c000-7f599917c000 ---p 0000c000 b6:834c1 524320 /lib64/libnss_files-2.12.so
    regular_text: 7f599917c000-7f599917d000 r--p 0000c000 b6:834c1 524320 /lib64/libnss_files-2.12.so
    regular_text: 7f599917d000-7f599917e000 rw-p 0000d000 b6:834c1 524320 /lib64/libnss_files-2.12.so
    regular_text: 7f599917e000-7f599923f000 rw-p 00000000 00:00 0
    regular_text: 7f59992c0000-7f5999301000 rw-p 00000000 00:00 0
    regular_text: 7f5999342000-7f59997d4000 rw-p 00000000 00:00 0
    regular_text: 7f59997e0000-7f59998e4000 rw-p 00000000 00:00 0
    regular_text: 7f5999914000-7f5999c82000 rw-p 00000000 00:00 0
    regular_text: 7f5999ca7000-7f5999eaf000 rw-p 00000000 00:00 0
    regular_text: 7f5999ed4000-7f5999f15000 rw-p 00000000 00:00 0
    regular_text: 7f5999f15000-7f599a05e000 r-xp 00000000 b6:834c1 272252 /usr/local/ioncube/ioncube_loader_lin_5.4.so
    regular_text: 7f599a05e000-7f599a15d000 ---p 00149000 b6:834c1 272252 /usr/local/ioncube/ioncube_loader_lin_5.4.so
    regular_text: 7f599a15d000-7f599a16d000 rw-p 00148000 b6:834c1 272252 /usr/local/ioncube/ioncube_loader_lin_5.4.so
    regular_text: 7f599a16d000-7f599a170000 rw-p 00000000 00:00 0
    regular_text: 7f599a170000-7f599a18d000 r-xp 00000000 b6:834c1 524805 /lib64/libselinux.so.1
    regular_text: 7f599a18d000-7f599a38c000 ---p 0001d000 b6:834c1 524805 /lib64/libselinux.so.1
    regular_text: 7f599a38c000-7f599a38d000 r--p 0001c000 b6:834c1 524805 /lib64/libselinux.so.1
    regular_text: 7f599a38d000-7f599a38e000 rw-p 0001d000 b6:834c1 524805 /lib64/libselinux.so.1

    regular_text:
    *** HEADER EXTRACTED maildrop/3B688600BD ***
    recipient: root
    *** MESSAGE FILE END maildrop/3B688600BD ***

    What should I do, gentlemen?
     
  2. rahab

    rahab Poster 1.0

    Any opinions, gentlemen?
     
  3. mustafaramadhan

    mustafaramadhan Hosting Guru

    I think that's a warning from CSF.
     
  4. Stamphosting

    Stamphosting Beginner 2.0

    Looks like a warning from the firewall that there's a suspicious file; usually it's an infected executable file. Try checking the directory for any unfamiliar files, or scan it with ClamAV.
     
  5. rahab

    rahab Poster 1.0
