CSF : Suspicious process running under user rpc

groomy (Verified User, joined Dec 16, 2011, 261 messages, location: AUGNY, France)
Good evening,
After my problems with my hosting provider OVH, I ended up with errors in CSF:
Code:
Time:    Thu Dec 12 22:11:41 2013 +0100
PID:     4147 (Parent PID:4147)
Account: rpc
Uptime:  78999 seconds


Executable:

/sbin/portmap


Command Line (often faked in exploits):

portmap


Network connections by the process (if any):

udp: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

7ff3f85b6000-7ff3f85c0000 r-xp 00000000 09:01 151278                     /lib64/libnss_files-2.5.so
7ff3f85c0000-7ff3f87bf000 ---p 0000a000 09:01 151278                     /lib64/libnss_files-2.5.so
7ff3f87bf000-7ff3f87c0000 r--p 00009000 09:01 151278                     /lib64/libnss_files-2.5.so
7ff3f87c0000-7ff3f87c1000 rw-p 0000a000 09:01 151278                     /lib64/libnss_files-2.5.so
7ff3f87c1000-7ff3f8910000 r-xp 00000000 09:01 147460                     /lib64/libc-2.5.so
7ff3f8910000-7ff3f8b10000 ---p 0014f000 09:01 147460                     /lib64/libc-2.5.so
7ff3f8b10000-7ff3f8b14000 r--p 0014f000 09:01 147460                     /lib64/libc-2.5.so
7ff3f8b14000-7ff3f8b15000 rw-p 00153000 09:01 147460                     /lib64/libc-2.5.so
7ff3f8b15000-7ff3f8b1a000 rw-p 00000000 00:00 0 
7ff3f8b1a000-7ff3f8b2f000 r-xp 00000000 09:01 151276                     /lib64/libnsl-2.5.so
7ff3f8b2f000-7ff3f8d2e000 ---p 00015000 09:01 151276                     /lib64/libnsl-2.5.so
7ff3f8d2e000-7ff3f8d2f000 r--p 00014000 09:01 151276                     /lib64/libnsl-2.5.so
7ff3f8d2f000-7ff3f8d30000 rw-p 00015000 09:01 151276                     /lib64/libnsl-2.5.so
7ff3f8d30000-7ff3f8d32000 rw-p 00000000 00:00 0 
7ff3f8d32000-7ff3f8d4e000 r-xp 00000000 09:01 150533                     /lib64/ld-2.5.so
7ff3f8f3d000-7ff3f8f3f000 rw-p 00000000 00:00 0 
7ff3f8f4c000-7ff3f8f4e000 rw-p 00000000 00:00 0 
7ff3f8f4e000-7ff3f8f4f000 r--p 0001c000 09:01 150533                     /lib64/ld-2.5.so
7ff3f8f4f000-7ff3f8f50000 rw-p 0001d000 09:01 150533                     /lib64/ld-2.5.so
7ff3f8f50000-7ff3f8f59000 r-xp 00000000 09:01 548965                     /sbin/portmap
7ff3f9158000-7ff3f9159000 rw-p 00008000 09:01 548965                     /sbin/portmap
7ff3f9159000-7ff3f917b000 rw-p 00000000 00:00 0                          [heap]
7fffad06b000-7fffad08c000 rw-p 00000000 00:00 0                          [stack]
7fffad1ff000-7fffad200000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r--p 00000000 00:00 0                  [vsyscall]
And for the "Excessive resource usage: rpcuser (4177 (Parent PID:4177))" alert:
Code:
Time:         Thu Dec 12 22:12:41 2013 +0100
Account:      rpcuser
Resource:     Process Time
Exceeded:     79059 > 1800 (seconds)
Executable:   /sbin/rpc.statd
Command Line: rpc.statd
PID:          4177 (Parent PID:4177)
Killed:       No
 
I just checked some servers. CentOS 5.x seems to install portmap. CentOS 6.x doesn't. I'd suggest you probably don't need it and can stop it. But you may want to figure out why it's running.

Jeff
 
Why?
It's because CSF reports processes it does not recognize or which are not ignored by default.
You can uninstall portmap or add it to csf.pignore.
If you don't have a use for rpc, you could remove that too. I always remove everything which is not needed on a server or is not used for the way we use the servers and can be removed safely.
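As an added example (not code from the thread or from csf itself), a small Python triage helper for the lfd alert format shown in the first post: it cross-checks the fields the alert already contains (argv[0] versus the kernel-reported executable, and whether that executable is still file-backed in the memory maps) and only proposes a csf.pignore `exe:` entry when they agree. The sample alert is constructed from the one above, trimmed to the fields the parser uses; the `exe:` line syntax is csf.pignore's own.

```python
import os
import re

# Constructed sample: the thread's "Suspicious process" alert, trimmed to the fields used here.
SAMPLE_ALERT = """Account: rpc

Executable:

/sbin/portmap

Command Line (often faked in exploits):

portmap

Network connections by the process (if any):

udp: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0

Memory maps by the process (if any):

7ff3f8f50000-7ff3f8f59000 r-xp 00000000 09:01 548965  /sbin/portmap
7ff3f9159000-7ff3f917b000 rw-p 00000000 00:00 0  [heap]
"""
SECTION_RE = re.compile(r"^(Executable|Command Line|Network connections|Memory maps)[^:\n]*:$", re.M)

def parse_alert(text):
    """Split an lfd process-tracking alert into header fields and named sections."""
    parts = SECTION_RE.split(text)
    header = {k.strip(): v.strip() for k, v in
              (ln.split(":", 1) for ln in parts[0].splitlines() if ":" in ln)}
    sections = {name: [ln.strip() for ln in body.splitlines() if ln.strip()]
                for name, body in zip(parts[1::2], parts[2::2])}
    return header, sections

def triage(alert):
    """Cross-check the alert against itself; suggest a csf.pignore line only if clean."""
    header, sec = parse_alert(alert)
    exe, argv0 = sec["Executable"][0], sec["Command Line"][0].split()[0]
    findings = []
    # argv[0] is attacker-controlled; the Executable field is the kernel's view of the binary.
    if os.path.basename(argv0) != os.path.basename(exe):
        findings.append(f"argv[0] {argv0!r} does not match executable {exe}")
    # A binary still on disk is file-backed in the maps; a "(deleted)" suffix adds a 7th field.
    mapped = {ln.split()[-1] for ln in sec["Memory maps"] if len(ln.split()) == 6}
    if exe not in mapped:
        findings.append(f"{exe} is not file-backed in the memory maps")
    # "udp: 0.0.0.0:111 -> 0.0.0.0:0" -> "udp/111" (wildcard listeners only).
    listening = sorted(f"{ln.split(':')[0]}/{ln.split()[1].rsplit(':', 1)[1]}"
                       for ln in sec["Network connections"] if ln.endswith("-> 0.0.0.0:0"))
    return {"account": header["Account"], "executable": exe, "listening": listening,
            "findings": findings, "pignore": None if findings else f"exe:{exe}"}
```

Calling `triage(SAMPLE_ALERT)` on the sample yields no findings and suggests `exe:/sbin/portmap`; an argv[0] that differs from the executable, or a `(deleted)` mapped binary, suppresses the suggestion so the alert gets looked at instead of silenced.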
 