Suspicious process running under user mysql

shanti (Verified User, joined Apr 8, 2009, 94 messages, Wien / Vienna - Austria)
Hello,

lfd is annoying me with constant reports about a suspicious MySQL process

Executable:

/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted)

ps
3045 ? S 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/princess.pid
3103 ? Sl 0:00 \_ /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/princess

I already added

exe:/usr/sbin/mysqld
exe:/usr/bin/mysqld_safe

to /etc/cfs/cfs.pignore (and also restarted the lfd/csf services), but this mail keeps popping up.

The DA version is 1.33.3, set up really recently .. can someone please give me a hint as to what is going wrong here?

thank you and best regards

-c-
 
I have the same problem here :(
 
Restart the process like it's written in the docs and get a new PID:

"
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this executable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
"
 
I'm using the config (csf.pignore) below and everything works as it should.
Code:
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/sbin/httpd
exe:/usr/local/php4/bin/php-cgi
exe:/usr/local/php5/bin/php-cgi
exe:/usr/local/php6/bin/php-cgi
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/dovecot-auth
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/local/directadmin/directadmin
exe:/usr/local/urchin/bin/urchinwebd
exe:/usr/bin/spamc
exe:/usr/local/apache1/bin/httpd
exe:/usr/local/apache2/bin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/httpd
exe:/usr/sbin/named
exe:/usr/sbin/vm-pop3d
exe:/bin/sh
exe:/bin/bash
exe:/usr/sbin/sendmail
exe:/sbin/quotaoff
exe:/bin/tar
exe:/sbin/quotaon
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/snmpd
exe:/usr/sbin/ntpd
exe:/usr/sbin/exim
exe:/usr/sbin/atd
exe:/usr/bin/webalizer
exe:/usr/bin/perl
exe:/usr/local/directadmin/plugins/Stats_Control/awstats/cgi-bin/awstats.pl
exe:/usr/sbin/nrpe
exe:/usr/sbin/bacula-fd
exe:/usr/local/psa/admin/bin/httpsd
exe:/usr/bin/imapd
exe:/usr/sbin/crond
user:root
user:named
user:apache
user:ntp
user:dbus
user:smmsp
user:postfix
user:www-data
user:dovecot
user:daemon
user:sync
user:admin
user:nobody
user:rpm
user:diradmin
user:mysql
user:webapps
user:majordomo
user:mail
user:exim
user:sshd
user:webalizer
user:mgmt
user:qmaill
user:qmailr
user:qmailq
user:mailman
user:qmails
user:qmaild
user:haldaemon
* Note: Restart csf/lfd after changing files
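The check that the quoted csf text describes, and the exe:/user: matching that the csf.pignore list above relies on, as an added example in Python (not csf's own code, which is written in Perl): it reads /proc/<pid>/exe the way lfd's PT_DELETED check does, strips the kernel's " (deleted)" marker (and the NUL padding visible in the report in the first post), and suppresses hits that an exe: or user: entry covers. The sample processes, the pignore text and the /tmp/.x path are constructed for the example; csf.pignore's cmd: form is not handled here.

```python
import os
from dataclasses import dataclass

# Suffix the kernel appends to the /proc/<pid>/exe link once the binary is unlinked.
DELETED_MARK = " (deleted)"


@dataclass
class Proc:
    pid: int
    exe: str    # raw readlink() result for /proc/<pid>/exe
    user: str   # owner of the process


def exe_path(exe):
    """Normalise a readlink result into (clean_path, was_deleted).

    Old lfd reports show NUL padding between the path and the marker
    (the '\\00\\00...' in the first post); strip that as well."""
    path = exe.rstrip("\0")
    deleted = path.endswith(DELETED_MARK)
    if deleted:
        path = path[: -len(DELETED_MARK)]
    return path.rstrip("\0"), deleted


def parse_pignore(text):
    """Parse csf.pignore-style lines into (ignored_exes, ignored_users).

    Only exe: and user: entries are handled; csf also accepts cmd: lines,
    which this example (by assumption of scope) does not implement."""
    exes, users = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "exe":
            exes.add(value)
        elif key == "user":
            users.add(value)
    return exes, users


def check_deleted(procs, pignore_text):
    """Return (pid, path, user) for every process the PT_DELETED check would
    report: running a deleted executable and not covered by a pignore entry.

    A user: entry suppresses every process owned by that user, whatever binary
    it runs, so broad user: entries widen the blind spot accordingly."""
    exes, users = parse_pignore(pignore_text)
    alerts = []
    for p in procs:
        path, deleted = exe_path(p.exe)
        if not deleted:
            continue
        if p.user in users or path in exes:
            continue
        alerts.append((p.pid, path, p.user))
    return alerts


def live_procs():
    """Collect Proc records from /proc (Linux only; run as root to see every
    process, since /proc/<pid>/exe is only readable by the process owner)."""
    import pwd  # Unix-only module, imported lazily so the rest works elsewhere
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            uid = os.stat(f"/proc/{pid}").st_uid
        except OSError:
            continue  # kernel thread, already exited, or permission denied
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        procs.append(Proc(pid, exe, user))
    return procs


# Constructed sample: the mysqld from the first post, plus a hypothetical
# process running a deleted binary out of /tmp as user nobody.
SAMPLE_PROCS = [
    Proc(3103, "/usr/sbin/mysqld\0\0\0\0 (deleted)", "mysql"),
    Proc(4242, "/tmp/.x/kthreadd (deleted)", "nobody"),
    Proc(1, "/sbin/init", "root"),
]
STRICT_PIGNORE = "exe:/usr/sbin/mysqld\n"
BROAD_PIGNORE = STRICT_PIGNORE + "user:nobody\n"

if __name__ == "__main__":
    print("strict:", check_deleted(SAMPLE_PROCS, STRICT_PIGNORE))  # reports pid 4242 only
    print("broad: ", check_deleted(SAMPLE_PROCS, BROAD_PIGNORE))   # reports nothing
    if os.path.isdir("/proc"):
        print("live:  ", check_deleted(live_procs(), STRICT_PIGNORE))
```

With the strict list the /tmp process is still reported; adding user:nobody silences it along with anything else that user ever runs. Restarting a flagged daemon makes /proc/<pid>/exe point at the replacement binary on disk, so the marker disappears and the report stops without any pignore entry at all.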
 
Thank you for the list. But isn't adding user:nobody a security risk?
 