Suspicious process running under user

shara nurul · 6 Mar 2015

Selamat Siang para master DWH ,

Siang ini saya coba preference email di whm saya arahkan ke email pribadi ,setelah beberapa menit dapat bom email dalam jumlah yang besar ,salah satu judulnya " Suspicious process running under user username ".

Mungkin ada tahu tentang maksud email tersebut ,apa memang resource username tertentu ada yang sangat tinggi ?

Dan bagaimana pencegahannnya

Maaf newbie

Salam ,
Shara Nurul

junior riau · 6 Mar 2015

Time: Fri Mar 6 11:09:07 2015 +0700
PID: 187098 (Parent PID:187098)
Account: laatansa
Uptime: 1446754 seconds

Executable:

/usr/local/cpanel/3rdparty/php/54/bin/php-cgi

Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/php/54/bin/php-cgi ./frontend/x3/softaculous/index.live.php

Network connections by the process (if any):

tcp: 103.28.148.66:35306 -> 76.164.222.115:443

Files open by the process (if any):

/usr/local/cpanel/logs/error_log
(deleted)/home/xxxxxx/public_html/40_theme_package.zip
/etc/pki/nssdb/cert9.db
/etc/pki/nssdb/key4.db

Memory maps by the process (if any):

00400000-010ad000 r-xp 00000000 09:01 393477 /usr/local/cpanel/3rdparty/php/54/bin/php-cgi
012ac000-012c4000 rw-p 00cac000 09:01 393477 /usr/local/cpanel/3rdparty/php/54/bin/php-cgi
012c4000-012e7000 rw-p 00000000 00:00 0
01ab1000-02a32000 rw-p 00000000 00:00 0 [heap]
7f2e1ec93000-7f2e1ecb9000 r-xp 00000000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1ecb9000-7f2e1eeb9000 ---p 00026000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1eeb9000-7f2e1eeba000 r--p 00026000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1eeba000-7f2e1eebb000 rw-p 00027000 09:01 2888860 /usr/lib64/libnssdbm3.so
7f2e1eebb000-7f2e1eedf000 r-xp 00000000 09:01 2886407 /usr/lib64/libnsspem.so
7f2e1eedf000-7f2e1f0de000 ---p 00024000 09:01 2886407 /usr/lib64/libnsspem.so
7f2e1f0de000-7f2e1f0df000 r--p 00023000 09:01 2886407 /usr/lib64/libnsspem.so
7f2e1f0df000-7f2e1f0e0000 rw-p 00024000 09:01 2886407 /usr/lib64

biasanya isi suspicious process running under user xxxxx
kaya begitu isinya
tak jarang pula isinya benar2 aksi exploitasi (backdor/rooting(process privileges escalation) oleh attacker)

antmediahost · 6 Mar 2015

Kemunginan dari firewall mas, klo di csf tinggal di list di csf.pignore atau tambahin limit memory nya. cmiiw

shara nurul · 6 Mar 2015

@antimediahost : cara list di csf.pignore atau nambahin limit memorynya gi mana mas ?

antmediahost · 6 Mar 2015

melalui WHM akses ke Home > Plugins > ConfigServer Security & Firewall > Firewall Configuration > cari value PT_USERMEM dan naikan.
jika ingin white list process tertentu, silahkan akes file /etc/csf/csf.pignore dan tambahkan full path dari script yang dicurigai firewall.

cmiiw

sentabi · 6 Mar 2015

sekalian main ke http://download.configserver.com/csf/readme.txt

shara nurul · 9 Mar 2015

Ok termakasih para master.

Suspicious process running under user

shara nurul

Apprentice 1.0

junior riau

Hosting Guru

antmediahost

Apprentice 1.0

shara nurul

Apprentice 1.0

antmediahost

Apprentice 1.0

sentabi

Expert 2.0

shara nurul

Apprentice 1.0