lfd: Excessive resource usage and suspicious process
Posted by troller22, 03-16-2016, 12:10 PM |
Hi all,
after configuring a new server I am getting the following messages over and over again. I guess it takes up to 15 minutes until the next mail pops up in my inbox:
Message:
Time: Wed Mar 16 16:45:22 2016 +0100
Account: xxx
Resource: Process Time
Exceeded: 1833 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php
PID: 12617 (Parent PID:12464)
Killed: No
Is the process time of 1833 so unusual?
Next message I get is:
Suspicious process running
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
tcp: My server IP:48661 -> 171.111.154.242:80
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/var/cpanel/locale/en.cdb
/tmp/sess_7e6cd0ea051cec5b02bafba36f49d8b2
Memory maps by the process (if any):
00400000-00a7b000 r-xp 00000000 08:15 3678290 /usr/bin/php
00c7a000-00d22000 r--p 0067a000 08:15 3678290 /usr/bin/php
00d22000-00d33000 rw-p 00722000 08:15 3678290 /usr/bin/php
00d33000-00d56000 rw-p 00000000 00:00 0
02109000-04362000 rw-p 00000000 00:00 0 [heap]
7febc0000000-7febc0021000 rw-p 00000000 00:00 0
7febc0021000-7febc4000000 ---p 00000000 00:00 0
7febc5fff000-7febc6034000 r--s 00000000 08:15 526951 /var/db/nscd/hosts
7febc6034000-7febc6049000 r-xp 00000000 08:15 3678927 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7febc6049000-7febc6248000 ---p 00015000 08:15 3678927 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7febc6248000-7febc6249000 r--p 00014000 08:15 3678927 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7febc6249000-7febc624a000 rw-p 00015000 08:15 3678927 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
7febc624a000-7febc624b000 ---p 00000000 00:00 0
7febc624b000-7febc6a4b000 rw-p 00000000 00:00 0
7febc6a4b000-7febc6a52000 r-xp 00000000 08:15 5114241 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7febc6a52000-7febc6c51000 ---p 00007000 08:15 5114241 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7febc6c51000-7febc6c52000 r--p 00006000 08:15 5114241 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7febc6c52000-7febc6c53000 rw-p 00007000 08:15 5114241 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_mysql.so
7febc6c53000-7febc6d0a000 r-xp 00000000 08:15 5114243 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7febc6d0a000-7febc6f0a000 ---p 000b7000 08:15 5114243 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7febc6f0a000-7febc6f0c000 r--p 000b7000 08:15 5114243 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7febc6f0c000-7febc6f0f000 rw-p 000b9000 08:15 5114243 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo_sqlite.so
7febc6f0f000-7febc6f28000 r-xp 00000000 08:15 5114218 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7febc6f28000-7febc7127000 ---p 00019000 08:15 5114218 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7febc7127000-7febc712a000 r--p 00018000 08:15 5114218 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7febc712a000-7febc712b000 rw-p 0001b000 08:15 5114218 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/pdo.so
7febc712b000-7febc714a000 r-xp 00000000 08:15 5115478 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7febc714a000-7febc734a000 ---p 0001f000 08:15 5115478 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7febc734a000-7febc734d000 r--p 0001f000 08:15 5115478 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7febc734d000-7febc7350000 rw-p 00022000 08:15 5115478 /usr/local/lib/php/extensions/no-debug-non-zts-20121212/suhosin.so
7febc7350000-7febc7352000 rw-p 00000000 00:00 0
7febc7352000-7febc7373000 r-xp 00000000 08:15 3670883 /usr/lib64/libselinux.so.1
7febc7373000-7febc7573000 ---p 00021000 08:15 3670883 /usr/lib64/libselinux.so.1
7febc7573000-7febc7574000 r--p 00021000 08:15 3670883 /usr/lib64/libselinux.so.1
7febc7574000-7febc7575000 rw-p 00022000 08:15 3670883 /usr/lib64/libselinux.so.1
7febc7575000-7febc7577000 rw-p 00000000 00:00 0
7febc7577000-7febc7579000 r-xp 00000000 08:15 3671919 /usr/lib64/libXau.so.6.0.0
7febc7579000-7febc7779000 ---p 00002000 08:15 3671919 /usr/lib64/libXau.so.6.0.0
7febc7779000-7febc777a000 r--p 00002000 08:15 3671919 /usr/lib64/libXau.so.6.0.0
7febc777a000-7febc777b000 rw-p 00003000 08:15 3671919 /usr/lib64/libXau.so.6.0.0
7febc777b000-7febc777e000 r-xp 00000000 08:15 3671634 /usr/lib64/libkeyutils.so.1.5
7febc777e000-7febc797d000 ---p 00003000 08:15 3671634 /usr/lib64/libkeyutils.so.1.5
7febc797d000-7febc797e000 r--p 00002000 08:15 3671634 /usr/lib64/libkeyutils.so.1.5
7febc797e000-7febc797f000 rw-p 00003000 08:15 3671634 /usr/lib64/libkeyutils.so.1.5
7febc797f000-7febc798c000 r-xp 00000000 08:15 3675574 /usr/lib64/libkrb5support.so.0.1
7febc798c000-7febc7b8c000 ---p 0000d000 08:15 3675574 /usr/lib64/libkrb5support.so.0.1
7febc7b8c000-7febc7b8d000 r--p 0000d000 08:15 3675574 /usr/lib64/libkrb5support.so.0.1
7febc7b8d000-7febc7b8e000 rw-p 0000e000 08:15 3675574 /usr/lib64/libkrb5support.so.0.1
7febc7b8e000-7febc7baf000 r-xp 00000000 08:15 3671964 /usr/lib64/libxcb.so.1.1.0
7febc7baf000-7febc7dae000 ---p 00021000 08:15 3671964 /usr/lib64/libxcb.so.1.1.0
7febc7dae000-7febc7daf000 r--p 00020000 08:15 3671964 /usr/lib64/libxcb.so.1.1.0
7febc7daf000-7febc7db0000 rw-p 00021000 08:15 3671964 /usr/lib64/libxcb.so.1.1.0
7febc7db0000-7febc7dcb000 r-xp 00000000 08:15 3670946 /usr/lib64/libaudit.so.1.0.0
7febc7dcb000-7febc7fcb000 ---p 0001b000 08:15 3670946 /usr/lib64/libaudit.so.1.0.0
7febccdaa000-7febccdab000 rw-p 00000000 00:00 0
7ffd27dce000-7ffd27def000 rw-p 00000000 00:00 0 [stack]
7ffd27def000-7ffd27df1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
What exactly is that?
Thanks for your support.
|
Posted by UNIXy, 03-16-2016, 01:35 PM |
It doesn't look good. It's making an outbound connection to port 80 of a Chinese IP that's some sort of file server (most likely to pull in another shell script). Before you kill it, identify the running PHP script that's attempting to do this and quarantine it. Look things up in /proc// and strace. Review how they were able to upload this script.
|
Posted by troller22, 03-16-2016, 02:56 PM |
Thanks a lot, not sure what I have to look for, can anybody help please?
|
Posted by Bbnuse, 03-19-2016, 01:08 AM |
This is the PID (in bold):
So run this:
Check any file that those commands return.
Keep in mind that the PID is from 3 days ago. The process ID has probably changed, so in that case check the newest PID that lfd has warned you about.
|
Posted by troller22, 03-19-2016, 07:45 AM |
Latest example and output after I entered both IDs running... what should I do with that?
root 1307 0.0 0.0 112664 960 pts/0 S+ 12:41 0:00 grep --color=auto 31102
accountname 31102 1.0 0.1 195632 20308 ? S 12:07 0:21 /usr/bin/php
root@server [~]# ps aux | grep 30973
root 1354 0.0 0.0 112664 960 pts/0 S+ 12:41 0:00 grep --color=auto 30973
nobody 30973 0.0 0.1 90644 13636 ? S 12:05 0:00 /usr/local/apache/bin/httpd -k start
|
Posted by Srv24x7, 03-19-2016, 09:38 AM |
Hi,
The next time you get this, use below command to get more information:
lsof -p
This will give more information and could be helpful in tracking things down further..
|
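The three replies above (UNIXy: look in /proc and strace before killing; Bbnuse: map the PID and parent PID with ps; Srv24x7: lsof -p) describe one triage procedure. The script below is an added example that pulls those steps together; it is not from the thread and not part of csf/lfd. It assumes a Linux /proc filesystem, that PHP runs as CGI/suPHP under httpd (in which case the script path is not in argv but in the process environment as SCRIPT_FILENAME, which is why lfd shows only "/usr/bin/php"), and that `ss` is available. The alert text embedded in it is constructed from the fields quoted in the first post, with 192.0.2.10 as a placeholder for the server's own address.

```shell
#!/bin/sh
# Added triage helper for an lfd "Suspicious process" alert (example code, not
# from the thread or from csf/lfd). Assumptions: Linux /proc; PHP running as
# CGI/suPHP under httpd so SCRIPT_FILENAME etc. are in the process environment;
# the alert below is constructed from the thread (192.0.2.10 is a placeholder).

ALERT='Time: Wed Mar 16 16:45:22 2016 +0100
Account: xxx
Resource: Process Time
Exceeded: 1833 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php
PID: 12617 (Parent PID:12464)
Killed: No
Network connections by the process (if any):
tcp: 192.0.2.10:48661 -> 171.111.154.242:80'

# alert_field "<alert text>" <Field> -> first token after "Field:" (PID -> 12617).
alert_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *\([^ ]*\).*/\1/p" | head -n 1
}

# alert_ppid "<alert text>" -> parent PID (the httpd worker in this thread).
alert_ppid() {
    printf '%s\n' "$1" | sed -n 's/.*Parent PID: *\([0-9]*\).*/\1/p'
}

# alert_remote_ips "<alert text>" -> remote addresses from "proto: src -> dst"
# lines, one per line: the IOCs to grep for in access_log and firewall logs.
alert_remote_ips() {
    printf '%s\n' "$1" | sed -n 's/^[a-z0-9]*: .* -> \([0-9.]*\):[0-9]*$/\1/p' | sort -u
}

# pid_chain <pid> -> "pid(comm) <- ppid(comm) <- ..." from /proc/<pid>/status,
# so you see php <- httpd without trusting argv (lfd warns it is often faked).
pid_chain() {
    p=$1; chain=''
    while [ "${p:-0}" -gt 1 ] && [ -r "/proc/$p/status" ]; do
        comm=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$p/status")
        chain="${chain}${chain:+ <- }$p($comm)"
        p=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$p/status")
    done
    printf '%s\n' "$chain"
}

# triage_pid <pid>: capture everything worth keeping BEFORE killing the process.
# Returns 1 if the PID is already gone (use the PID from the newest alert).
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "PID $pid no longer exists; use the newest lfd alert"; return 1; }
    echo "== exe (kernel's view; argv can be faked) =="; readlink "/proc/$pid/exe"
    echo "== cwd =="; readlink "/proc/$pid/cwd"
    echo "== cmdline =="; tr '\0' ' ' < "/proc/$pid/cmdline"; echo
    echo "== ancestry =="; pid_chain "$pid"
    echo "== CGI environment: which script, which request, which client =="
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
        | grep -E '^(SCRIPT_FILENAME|DOCUMENT_ROOT|REQUEST_URI|REMOTE_ADDR|HTTP_HOST|HTTP_USER_AGENT)=' \
        || echo '(no CGI variables: not CGI/suPHP, or environ not readable)'
    echo "== open files and sockets (what lfd listed, plus fd numbers) =="
    ls -l "/proc/$pid/fd" 2>/dev/null || echo '(fd directory not readable)'
    echo "== TCP connections owned by this pid =="
    ss -tnp 2>/dev/null | grep "pid=$pid," || echo '(none, or ss unavailable)'
    # Hash the running binary: /proc/<pid>/exe still works if the file was deleted.
    if command -v sha256sum >/dev/null 2>&1; then
        echo "== exe hash =="; sha256sum "/proc/$pid/exe"
    fi
    return 0
}

# Usage: sh lfd-triage.sh <pid from the newest alert>. With no argument, show the
# indicators parsed from the constructed alert instead.
if [ $# -gt 0 ]; then
    triage_pid "$1"
else
    echo "PID:    $(alert_field "$ALERT" PID)  parent: $(alert_ppid "$ALERT")"
    echo "exe:    $(alert_field "$ALERT" Executable)"
    echo "remote: $(alert_remote_ips "$ALERT")"
fi
```

Two things in the alert are worth reading with this in mind. The open error_log handles and /var/cpanel/locale/en.cdb are inherited from the httpd parent and say nothing about the script; the /tmp/sess_… file is a normal PHP session, which does tell you the process is serving a web request. What singles the process out is the outbound connection, so once SCRIPT_FILENAME is known, grep the account's access_log for the REQUEST_URI and REMOTE_ADDR the environment shows (that answers UNIXy's "review how they were able to upload this script"), copy the script aside before removing it, and only then kill the PID. `strace -f -p <pid> -e trace=network,file` on a still-running instance shows what it fetches and writes.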
Posted by troller22, 03-20-2016, 01:48 PM |
OK, I did that and now I also get, for example on WHM, the result of what files are in use, and they are not in the account itself. I don't really get what this might be.... This is what the suspicious process is using:
Network connections by the process (if any):
tcp: 188.122.91.104:53451 -> 188.122.91.68:80
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
/var/cpanel/locale/en.cdb
/tmp/sess_cb63f57f431f2d699394bc1b841962e8
|
Posted by bear, 03-20-2016, 02:08 PM |
How did you come to the conclusion it's a file server and it's grabbing something there?
|
Posted by Bbnuse, 03-21-2016, 08:42 AM |
Scan the files under that user. You can use software like maldet or ClamAV for this.
|
Posted by UNIXy, 03-21-2016, 08:56 AM |
The IP points to a free download site with very suspicious files. They're usually leveraged in a privilege escalation situation (ex: rootkit for escalation).
|
Posted by bear, 03-21-2016, 09:51 AM |
How was that determined?
|
Posted by UNIXy, 03-21-2016, 04:19 PM |
Through a Google search. Ex: URL, dl.pangu.25pp.com/jb/Pangu9_v1.2.0.exe. IP, 171.111.154.242. ASN, AS4134 Chinanet.
|