lfd: Suspicious process running under user

rajeshdungrani
Posts: 1
Joined: 2016/07/04 13:33:44

lfd: Suspicious process running under user

Post by rajeshdungrani » 2016/07/04 13:51:46

I am getting this email from my server. Is it a concern?

Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/phonecare/public_html/index.php


Network connections by the process (if any):

tcp: 162.253.153.42:58410 -> 165.254.168.48:465


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00b94000 r-xp 00000000 fd:00 1850184 /usr/bin/php
00d93000-00e55000 rw-p 00793000 fd:00 1850184 /usr/bin/php
00e55000-00e78000 rw-p 00000000 00:00 0
01f7d000-02e30000 rw-p 00000000 00:00 0 [heap]
7fbecc000000-7fbecc021000 rw-p 00000000 00:00 0
7fbecc021000-7fbed0000000 ---p 00000000 00:00 0
7fbed26f1000-7fbed2732000 rw-p 00000000 00:00 0
7fbed2773000-7fbed2ac0000 rw-p 00000000 00:00 0
7fbed2ac0000-7fbed2b20000 r--s 00000000 fd:00 2888729 /var/db/nscd/hosts
7fbed2b20000-7fbed2b36000 r-xp 00000000 fd:00 1179654 /lib64/libgcc_s-4.4.7-20120601.so.1
7fbed2b36000-7fbed2d35000 ---p 00016000 fd:00 1179654 /lib64/libgcc_s-4.4.7-20120601.so.1
7fbed2d35000-7fbed2d36000 rw-p 00015000 fd:00 1179654 /lib64/libgcc_s-4.4.7-20120601.so.1
7fbed2d36000-7fbed2d37000 ---p 00000000 00:00 0
7fbed2d37000-7fbed3737000 rw-p 00000000 00:00 0
7fbed3737000-7fbed373d000 r-xp 00000000 fd:00 2372143 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7fbed373d000-7fbed393d000 ---p 00006000 fd:00 2372143 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7fbed393d000-7fbed393e000 rw-p 00006000 fd:00 2372143 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7fbed393e000-7fbed39f6000 r-xp 00000000 fd:00 2367434 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7fbed39f6000-7fbed3bf5000 ---p 000b8000 fd:00 2367434 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7fbed3bf5000-7fbed3bfa000 rw-p 000b7000 fd:00 2367434 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7fbed3bfa000-7fbed3c10000 r-xp 00000000 fd:00 2371949 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7fbed3c10000-7fbed3e10000 ---p 00016000 fd:00 2371949 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7fbed3e10000-7fbed3e13000 rw-p 00016000 fd:00 2371949 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7fbed3e13000-7fbed3e30000 r-xp 00000000 fd:00 1179699 /lib64/libselinux.so.1
7fbed3e30000-7fbed402f000 ---p 0001d000 fd:00 1179699 /lib64/libselinux.so.1
7fbed402f000-7fbed4030000 r--p 0001c000 fd:00 1179699 /lib64/libselinux.so.1
7fbed4030000-7fbed4031000 rw-p 0001d000 fd:00 1179699 /lib64/libselinux.so.1
7fbed4031000-7fbed4032000 rw-p 00000000 00:00 0
7fbed4032000-7fbed4034000 r-xp 00000000 fd:00 1841069 /usr/lib64/libXau.so.6.0.0
7fbed4034000-7fbed4234000 ---p 00002000 fd:00 1841069 /usr/lib64/libXau.so.6.0.0
7fbed4234000-7fbed4235000 rw-p 00002000 fd:00 1841069 /usr/lib64/libXau.so.6.0.0
7fbed4235000-7fbed4237000 r-xp 00000000 fd:00 1179832 /lib64/libkeyutils.so.1.3
7fbed4237000-7fbed4436000 ---p 00002000 fd:00 1179832 /lib64/libkeyutils.so.1.3
7fbed4436000-7fbed4437000 r--p 00001000 fd:00 1179832 /lib64/libkeyutils.so.1.3
7fbed4437000-7fbed4438000 rw-p 00002000 fd:00 1179832 /lib64/libkeyutils.so.1.3
7fbed4438000-7fbed4442000 r-xp 00000000 fd:00 1180029 /lib64/libkrb5support.so.0.1
7fbed4442000-7fbed4641000 ---p 0000a000 fd:00 1180029 /lib64/libkrb5support.so.0.1
7fbed4641000-7fbed4642000 r--p 00009000 fd:00 1180029 /lib64/libkrb5support.so.0.1
7fbed4642000-7fbed4643000 rw-p 0000a000 fd:00 1180029 /lib64/libkrb5support.so.0.1
7fbed4643000-7fbed4661000 r-xp 00000000 fd:00 1841112 /usr/lib64/libxcb.so.1.1.0
7fbed4661000-7fbed4861000 ---p 0001e000 fd:00 1841112 /usr/lib64/libxcb.so.1.1.0
7fbed4861000-7fbed4862000 rw-p 0001e000 fd:00 1841112 /usr/lib64/libxcb.so.1.1.0
7fbed4862000-7fbed487a000 r-xp 00000000 fd:00 1179715 /lib64/libaudit.so.1.0.0
7fbed487a000-7fbed4a79000 ---p 00018000 fd:00 1179715 /lib64/libaudit.so.1.0.0
7fbed4a79000-7fbed4a7b000 r--p 00017000 fd:00 1179715 /lib64/libaudit.so.1.0.0
7fbed4a7b000-7fbed4a86000 rw-p 00019000 fd:00 1179715 /lib64/libaudit.so.1.0.0
7fbed4a86000-7fbed4a9d000 r-xp 00000000 fd:00 1179686 /lib64/libpthread-2.12.so
7fbed4a9d000-7fbed4c9d000 ---p 00017000 fd:00 1179686 /lib64/libpthread-2.12.so
7fbed4c9d000-7fbed4c9e000 r--p 00017000 fd:00 1179686 /lib64/libpthread-2.12.so
7fbed4c9e000-7fbed4c9f000 rw-p 00018000 fd:00 1179686 /lib64/libpthread-2.12.so
7fbed4c9f000-7fbed4ca3000 rw-p 00000000 00:00 0
7fbed4ca3000-7fbed4ca5000 r-xp 00000000 fd:00 1179653 /lib64/libfreebl3.so
7fbed4ca5000-7fbed4ea4000 ---p 00002000 fd:00 1179653 /lib64/libfreebl3.so
7fbed4ea4000-7fbed4ea5000 r--p 00001000 fd:00 1179653 /lib64/libfreebl3.so
7fbed4ea5000-7fbed4ea6000 rw-p 00002000 fd:00 1179653 /lib64/libfreebl3.so
7fbed4ea6000-7fbed4ebc000 r-xp 00000000 fd:00 1179809 /lib64/libresolv-2.12.so
7fbed4ebc000-7fbed50bc000 ---p 00016000 fd:00 1179809 /lib64/libresolv-2.12.so
7fbed50bc000-7fbed50bd000 r--p 00016000 fd:00 1179809 /lib64/libresolv-2.12.so
7fbed50bd000-7fbed50be000 rw-p 00017000 fd:00 1179809 /lib64/libresolv-2.12.so
7fbed50be000-7fbed50c0000 rw-p 00000000 00:00 0
7fbed50c0000-7fbed524a000 r-xp 00000000 fd:00 1179662 /lib64/libc-2.12.so
7fbed524a000-7fbed544a000 ---p 0018a000 fd:00 1179662 /lib64/libc-2.12.so
7fbed544a000-7fbed544e000 r--p 0018a000 fd:00 1179662 /lib64/libc-2.12.so
7fbed544e000-7fbed5450000 rw-p 0018e000 fd:00 1179662 /lib64/libc-2.12.so
7fbed5450000-7fbed5454000 rw-p 00000000 00:00 0
7fbed5454000-7fbed55a4000 r-xp 00000000 fd:00 2627907 /opt/xml2/lib/libxml2.so.2.9.2
7fbed55a4000-7fbed57a3000 ---p 00150000 fd:00 2627907 /opt/xml2/lib/libxml2.so.2.9.2
7fbed57a3000-7fbed57ad000 rw-p 0014f000 fd:00 2627907 /opt/xml2/lib/libxml2.so.2.9.2
7fbed57ad000-7fbed57ae000 rw-p 00000000 00:00 0
7fbed57ae000-7fbed5846000 r-xp 00000000 fd:00 1835576 /usr/lib64/libfreetype.so.6.3.22
7fbed5846000-7fbed5a45000 ---p 00098000 fd:00 1835576 /usr/lib64/libfreetype.so.6.3.22
7fbed5a45000-7fbed5a4b000 rw-p 00097000 fd:00 1835576 /usr/lib64/libfreetype.so.6.3.22
7fbed5a4b000-7fbed5a7d000 r-xp 00000000 fd:00 1179742 /lib64/libidn.so.11.6.1
7fbed5a7d000-7fbed5c7c000 ---p 00032000 fd:00 1179742 /lib64/libidn.so.11.6.1
7fbed5c7c000-7fbed5c7d000 rw-p 00031000 fd:00 1179742 /lib64/libidn.so.11.6.1
7fbed5c7d000-7fbed5cda000 r-xp 00000000 fd:00 2627460 /opt/curlssl/lib/libcurl.so.4.3.0
7fbed5cda000-7fbed5ed9000 ---p 0005d000 fd:00 2627460 /opt/curlssl/lib/libcurl.so.4.3.0
7fbed5ed9000-7fbed5edc000 rw-p 0005c000 fd:00 2627460 /opt/curlssl/lib/libcurl.so.4.3.0
7fbed5edc000-7fbed5edf000 r-xp 00000000 fd:00 1179724 /lib64/libcom_err.so.2.1
7fbed5edf000-7fbed60de000 ---p 00003000 fd:00 1179724 /lib64/libcom_err.so.2.1
7fbed60de000-7fbed60df000 r--p 00002000 fd:00 1179724 /lib64/libcom_err.so.2.1
7fbed60df000-7fbed60e0000 rw-p 00003000 fd:00 1179724 /lib64/libcom_err.so.2.1
7fbed60e0000-7fbed6109000 r-xp 00000000 fd:00 1179836 /lib64/libk5crypto.so.3.1
7fbed6109000-7fbed6309000 ---p 00029000 fd:00 1179836 /lib64/libk5crypto.so.3.1
7fbed6309000-7fbed630a000 r--p 00029000 fd:00 1179836 /lib64/libk5crypto.so.3.1
7fbed630a000-7fbed630b000 rw-p 0002a000 fd:00 1179836 /lib64/libk5crypto.so.3.1
7fbed630b000-7fbed630c000 rw-p 00000000 00:00 0
7fbed630c000-7fbed63e7000 r-xp 00000000 fd:00 1180027 /lib64/libkrb5.so.3.3
7fbed63e7000-7fbed65e7000 ---p 000db000 fd:00 1180027 /lib64/libkrb5.so.3.3
7fbed65e7000-7fbed65f1000 r--p 000db000 fd:00 1180027 /lib64/libkrb5.so.3.3
7fbed65f1000-7fbed65f3000 rw-p 000e5000 fd:00 1180027 /lib64/libkrb5.so.3.3
7fbed65f3000-7fbed6634000 r-xp 00000000 fd:00 1179736 /lib64/libgssapi_krb5.so.2.2
7fbed6634000-7fbed6834000 ---p 00041000 fd:00 1179736 /lib64/libgssapi_krb5.so.2.2
7fbed6834000-7fbed6835000 r--p 00041000 fd:00 1179736 /lib64/libgssapi_krb5.so.2.2
7fbed6835000-7fbed6837000 rw-p 00042000 fd:00 1179736 /lib64/libgssapi_krb5.so.2.2
7fbed6837000-7fbed684d000 r-xp 00000000 fd:00 1179780 /lib64/libnsl-2.12.so
7fbed684d000-7fbed6a4c000 ---p 00016000 fd:00 1179780 /lib64/libnsl-2.12.so
7fbed6a4c000-7fbed6a4d000 r--p 00015000 fd:00 1179780 /lib64/libnsl-2.12.so
7fbed6a4d000-7fbed6a4e000 rw-p 00016000 fd:00 1179780 /lib64/libnsl-2.12.so
7fbed6a4e000-7fbed6a50000 rw-p 00000000 00:00 0
7fbed6a50000-7fbed6a52000 r-xp 00000000 fd:00 1179730 /lib64/libdl-2.12.so
7fbed6a52000-7fbed6c52000 ---p 00002000 fd:00 1179730 /lib64/libdl-2.12.so
7fbed6c52000-7fbed6c53000 r--p 00002000 fd:00 1179730 /lib64/libdl-2.12.so
7fbed6c53000-7fbed6c54000 rw-p 00003000 fd:00 1179730 /lib64/libdl-2.12.so
7fbed6c54000-7fbed6cd7000 r-xp 00000000 fd:00 1179776 /lib64/libm-2.12.so
7fbed6cd7000-7fbed6ed6000 ---p 00083000 fd:00 1179776 /lib64/libm-2.12.so
7fbed6ed6000-7fbed6ed7000 r--p 00082000 fd:00 1179776 /lib64/libm-2.12.so
7fbed6ed7000-7fbed6ed8000 rw-p 00083000 fd:00 1179776 /lib64/libm-2.12.so
7fbed6ed8000-7fbed6edf000 r-xp 00000000 fd:00 1179818 /lib64/librt-2.12.so
7fbed6edf000-7fbed70de000 ---p 00007000 fd:00 1179818 /lib64/librt-2.12.so
7fbed70de000-7fbed70df000 r--p 00006000 fd:00 1179818 /lib64/librt-2.12.so
7fbed70df000-7fbed70e0000 rw-p 00007000 fd:00 1179818 /lib64/librt-2.12.so
7fbed70e0000-7fbed7123000 r-xp 00000000 fd:00 2631095 /opt/pcre/lib/libpcre.so.1.2.6
7fbed7123000-7fbed7322000 ---p 00043000 fd:00 2631095 /opt/pcre/lib/libpcre.so.1.2.6
7fbed7322000-7fbed7323000 rw-p 00042000 fd:00 2631095 /opt/pcre/lib/libpcre.so.1.2.6
7fbed7323000-7fbed7362000 r-xp 00000000 fd:00 1837935 /usr/lib64/libjpeg.so.62.0.0
7fbed7362000-7fbed7562000 ---p 0003f000 fd:00 1837935 /usr/lib64/libjpeg.so.62.0.0
7fbed7562000-7fbed7563000 rw-p 0003f000 fd:00 1837935 /usr/lib64/libjpeg.so.62.0.0
7fbed7563000-7fbed7573000 rw-p 00000000 00:00 0
7fbed7573000-7fbed7588000 r-xp 00000000 fd:00 1179714 /lib64/libz.so.1.2.3
7fbed7588000-7fbed7787000 ---p 00015000 fd:00 1179714 /lib64/libz.so.1.2.3
7fbed7787000-7fbed7788000 r--p 00014000 fd:00 1179714 /lib64/libz.so.1.2.3
7fbed7788000-7fbed7789000 rw-p 00015000 fd:00 1179714 /lib64/libz.so.1.2.3
7fbed7789000-7fbed77ae000 r-xp 00000000 fd:00 1837945 /usr/lib64/libpng12.so.0.49.0
7fbed77ae000-7fbed79ae000 ---p 00025000 fd:00 1837945 /usr/lib64/libpng12.so.0.49.0
7fbed79ae000-7fbed79af000 rw-p 00025000 fd:00 1837945 /usr/lib64/libpng12.so.0.49.0
7fbed79af000-7fbed79c0000 r-xp 00000000 fd:00 1843667 /usr/lib64/libXpm.so.4.11.0
7fbed79c0000-7fbed7bbf000 ---p 00011000 fd:00 1843667 /usr/lib64/libXpm.so.4.11.0
7fbed7bbf000-7fbed7bc0000 rw-p 00010000 fd:00 1843667 /usr/lib64/libXpm.so.4.11.0
7fbed7bc0000-7fbed7cf7000 r-xp 00000000 fd:00 1843660 /usr/lib64/libX11.so.6.3.0
7fbed7cf7000-7fbed7ef7000 ---p 00137000 fd:00 1843660 /usr/lib64/libX11.so.6.3.0
7fbed7ef7000-7fbed7efd000 rw-p 00137000 fd:00 1843660 /usr/lib64/libX11.so.6.3.0
7fbed7efd000-7fbed7f09000 r-xp 00000000 fd:00 1180040 /lib64/libpam.so.0.82.2
7fbed7f09000-7fbed8109000 ---p 0000c000 fd:00 1180040 /lib64/libpam.so.0.82.2
7fbed8109000-7fbed810a000 r--p 0000c000 fd:00 1180040 /lib64/libpam.so.0.82.2
7fbed810a000-7fbed810b000 rw-p 0000d000 fd:00 1180040 /lib64/libpam.so.0.82.2
7fbed810b000-7fbed8114000 r-xp 00000000 fd:00 1844747 /usr/lib64/libltdl.so.7.2.1
7fbed8114000-7fbed8313000 ---p 00009000 fd:00 1844747 /usr/lib64/libltdl.so.7.2.1
7fbed8313000-7fbed8314000 rw-p 00008000 fd:00 1844747 /usr/lib64/libltdl.so.7.2.1
7fbed8314000-7fbed833e000 r-xp 00000000 fd:00 2626945 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fbed833e000-7fbed853d000 ---p 0002a000 fd:00 2626945 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fbed853d000-7fbed8541000 rw-p 00029000 fd:00 2626945 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fbed8541000-7fbed8546000 rw-p 00000000 00:00 0
7fbed8546000-7fbed8820000 r-xp 00000000 fd:00 1851166 /usr/lib64/libmysqlclient.so.18.0.0
7fbed8820000-7fbed8a1f000 ---p 002da000 fd:00 1851166 /usr/lib64/libmysqlclient.so.18.0.0
7fbed8a1f000-7fbed8aa3000 rw-p 002d9000 fd:00 1851166 /usr/lib64/libmysqlclient.so.18.0.0
7fbed8aa3000-7fbed8aa8000 rw-p 00000000 00:00 0
7fbed8aa8000-7fbed8b0a000 r-xp 00000000 fd:00 1840411 /usr/lib64/libssl.so.1.0.1e
7fbed8b0a000-7fbed8d09000 ---p 00062000 fd:00 1840411 /usr/lib64/libssl.so.1.0.1e
7fbed8d09000-7fbed8d0d000 r--p 00061000 fd:00 1840411 /usr/lib64/libssl.so.1.0.1e
7fbed8d0d000-7fbed8d14000 rw-p 00065000 fd:00 1840411 /usr/lib64/libssl.so.1.0.1e
7fbed8d14000-7fbed8ece000 r-xp 00000000 fd:00 1837184 /usr/lib64/libcrypto.so.1.0.1e
7fbed8ece000-7fbed90cd000 ---p 001ba000 fd:00 1837184 /usr/lib64/libcrypto.so.1.0.1e
7fbed90cd000-7fbed90e8000 r--p 001b9000 fd:00 1837184 /usr/lib64/libcrypto.so.1.0.1e
7fbed90e8000-7fbed90f4000 rw-p 001d4000 fd:00 1837184 /usr/lib64/libcrypto.so.1.0.1e
7fbed90f4000-7fbed90f8000 rw-p 00000000 00:00 0
7fbed90f8000-7fbed90ff000 r-xp 00000000 fd:00 1179666 /lib64/libcrypt-2.12.so
7fbed90ff000-7fbed92ff000 ---p 00007000 fd:00 1179666 /lib64/libcrypt-2.12.so
7fbed92ff000-7fbed9300000 r--p 00007000 fd:00 1179666 /lib64/libcrypt-2.12.so
7fbed9300000-7fbed9301000 rw-p 00008000 fd:00 1179666 /lib64/libcrypt-2.12.so
7fbed9301000-7fbed932f000 rw-p 00000000 00:00 0
7fbed932f000-7fbed934f000 r-xp 00000000 fd:00 1179651 /lib64/ld-2.12.so
7fbed936e000-7fbed93a3000 r--s 00000000 fd:00 2888730 /var/db/nscd/services
7fbed93a3000-7fbed9545000 rw-p 00000000 00:00 0
7fbed954d000-7fbed954e000 rw-p 00000000 00:00 0
7fbed954e000-7fbed954f000 r--p 0001f000 fd:00 1179651 /lib64/ld-2.12.so
7fbed954f000-7fbed9550000 rw-p 00020000 fd:00 1179651 /lib64/ld-2.12.so
7fbed9550000-7fbed9551000 rw-p 00000000 00:00 0
7ffeb93f9000-7ffeb940e000 rw-p 00000000 00:00 0 [stack]
7ffeb9502000-7ffeb9503000 r-xp 00000000 00:00 0 [vdso]

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: lfd: Suspicious process running under user

Post by aks » 2016/07/04 17:33:25

Is it a concern?
Possibly (insufficient information to know for sure).

The host @165.254.168.48 doesn't have a reverse record (or at least Google's DNS can not find a PTR for it).
Which may or may not mean trouble.
Files open by the process (if any):
So are we 100% certain that no files have been opened by the process (you don't say how this information is gleaned)?

As for the memory stuff, that may/will change according to state.
But we can glean that no-debug-non-zts is a PHP extension often used in WordPress (just google it). That doesn't mean it's only used by WordPress, but it seems to be fairly strongly associated with WordPress.

Not much help - perhaps have a look at what the site is really doing.
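
The checks raised in this thread (what the lfd snapshot actually contains, whether the command line matches the executable, why an outbound connection to port 465 from a customer's PHP process matters, and why an empty "Files open" section is not conclusive), worked through as an added example. This is not code from the original posts or from csf/lfd itself. It assumes the alert's sections mirror /proc/<pid>/exe, cmdline, the process's sockets, fd and maps; that the left-hand address:port of a connection line is the local side, as in a /proc/net/tcp listing; and that 25, 465 and 587 are the mail ports worth flagging. The alert text embedded in the block is constructed from the first post, with the memory map cut down to one line.

```python
"""Triage an lfd "Suspicious process" alert and re-take the snapshot from /proc.

Added example, not part of the thread or of csf/lfd. Assumptions: the alert
sections mirror /proc/<pid>/{exe,cmdline,fd,maps}; in a connection line the
left side is local; 25/465/587 are the mail ports to flag.
"""
import os
import re
from typing import Dict, List, Optional

MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

# Constructed sample: the alert from the first post, memory map trimmed.
SAMPLE_ALERT = """\
Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/phonecare/public_html/index.php


Network connections by the process (if any):

tcp: 162.253.153.42:58410 -> 165.254.168.48:465


Files open by the process (if any):



Memory maps by the process (if any):

00400000-00b94000 r-xp 00000000 fd:00 1850184 /usr/bin/php
"""

SECTION_RE = re.compile(
    r"^(Executable|Command Line|Network connections|Files open|Memory maps)[^\n]*:\s*$",
    re.M,
)
CONN_RE = re.compile(r"^(tcp|udp)6?:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_alert(text: str) -> Dict[str, List[str]]:
    """Split the alert into {section name: [non-empty body lines]}."""
    sections: Dict[str, List[str]] = {}
    heads = list(SECTION_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end].splitlines()
        sections[m.group(1)] = [ln.strip() for ln in body if ln.strip()]
    return sections


def parse_connections(lines: List[str]) -> List[Dict[str, object]]:
    """Turn 'tcp: L:lp -> R:rp' lines into dicts; left side is local."""
    out = []
    for ln in lines:
        m = CONN_RE.match(ln)
        if m:
            proto, lh, lp, rh, rp = m.groups()
            out.append({"proto": proto, "local": lh, "lport": int(lp),
                        "remote": rh, "rport": int(rp)})
    return out


def triage(text: str) -> Dict[str, object]:
    """Apply the checks a first responder would make on the alert text."""
    s = parse_alert(text)
    exe_lines = s.get("Executable", [])
    exe = exe_lines[0] if exe_lines else ""
    argv = " ".join(s.get("Command Line", [])).split()
    conns = parse_connections(s.get("Network connections", []))
    findings: List[str] = []
    # argv[0] is attacker-controlled; the kernel's exe link is not.
    if argv and os.path.basename(argv[0]) != os.path.basename(exe):
        findings.append(f"command line names {argv[0]!r} but executable is {exe!r}")
    # CLI interpreter running a script that lives under a customer's web root.
    script: Optional[str] = next((a for a in argv[1:] if a.endswith(".php")), None)
    if script and "/public_html/" in script:
        findings.append(f"CLI php running web-root script {script}")
    # Outbound to a mail port from a web user's process: typical spam-bot pattern.
    for c in conns:
        if c["rport"] in MAIL_PORTS:
            findings.append(f"outbound {c['proto']} from local {c['local']} to "
                            f"{c['remote']}:{c['rport']} ({MAIL_PORTS[c['rport']]})")
    # An empty fd list is a single sample, not proof that nothing was opened.
    if not s.get("Files open"):
        findings.append("no open files at sampling time; re-check live with /proc/<pid>/fd")
    return {"executable": exe, "script": script, "connections": conns, "findings": findings}


def snapshot_proc(pid: int) -> Dict[str, object]:
    """Re-take the same snapshot straight from /proc (Linux; own uid or root)."""
    base = f"/proc/{pid}"

    def link(p: str) -> Optional[str]:
        try:
            return os.readlink(p)
        except OSError:
            return None

    with open(f"{base}/cmdline", "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    fds: Dict[int, Optional[str]] = {}
    try:
        fds = {int(fd): link(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")}
    except OSError:
        pass  # not permitted: run as root or the process owner
    exe = link(f"{base}/exe")
    return {"pid": pid, "exe": exe, "argv": argv, "cwd": link(f"{base}/cwd"),
            "exe_deleted": bool(exe and exe.endswith(" (deleted)")),  # unlinked after exec
            "open_files": fds}


def self_snapshot() -> Optional[Dict[str, object]]:
    """snapshot_proc() on this process, or None where /proc is absent."""
    return snapshot_proc(os.getpid()) if os.path.isdir("/proc") else None


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERT)["findings"]:
        print("-", f)
```

On the server itself, run snapshot_proc() against the PID from the live alert while the process is still up: an exe link ending in "(deleted)" or an exe that does not match argv[0] is a much stronger signal than anything in the e-mail, and the fd listing answers the "files open" question directly rather than from a one-off sample.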

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: lfd: Suspicious process running under user

Post by giulix63 » 2016/07/05 06:39:56

165.254.168.48 may not be suspicious, but 162.253.153.42 certainly is (or has been)...
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.
