LFD alerts

thomasdk81 (Verified User, joined Oct 3, 2010, 56 messages, Denmark)
Hi,
I am pretty new to csf and lfd.
Lfd is sending me alerts several times a minute.

The log looks like this:
Code:
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:10894 User:apache Uptime:187 secs EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:10895 User:apache Uptime:187 secs EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:11029 User:nobody Uptime:139 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:12126 User:nobody Uptime:124 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:12129 User:nobody Uptime:117 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:12134 User:nobody Uptime:115 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:12138 User:nobody Uptime:106 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:13447 User:mysql Uptime:522942 secs EXE:/usr/sbin/mysqld (deleted) CMD:/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --log-error=/var/lib/mysql/server5.infoland.dk.err --pid-file=/var/lib/mysql/server5.infoland.dk.pid --socket=/var/lib/mysql/mysql.sock --port=3306
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:20099 User:nobody Uptime:95787 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Excessive Processes* User:apache Kill:0 Process Count:19
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:8866 Kill:0 User:apache Time:3902 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:8872 Kill:0 User:apache Time:3880 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:10396 Kill:0 User:apache VM:201(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:5661 Kill:0 User:apache Time:5227 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:9159 Kill:0 User:dovecot Time:3513 EXE:/usr/libexec/dovecot/anvil CMD:dovecot/anvil [35 connections]
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:5642 Kill:0 User:apache VM:201(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *User Processing* PID:5642 Kill:0 User:apache Time:5236 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:5868 Kill:0 User:apache Time:4961 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:9822 Kill:0 User:apache VM:202(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:9822 Kill:0 User:apache Time:2952 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:8867 Kill:0 User:apache Time:3901 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:10573 Kill:0 User:apache VM:200(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:6208 Kill:0 User:apache VM:202(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:6208 Kill:0 User:apache Time:4706 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:10400 Kill:0 User:apache VM:200(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:2596 Kill:0 User:ntp Time:709498 EXE:/usr/sbin/ntpd CMD:ntpd -u ntp:ntp -p /var/run/ntpd.pid
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:6214 Kill:0 User:apache VM:202(MB) EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:6214 Kill:0 User:apache Time:4661 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:6045 Kill:0 User:apache Time:4855 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:8868 Kill:0 User:apache Time:3901 EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL

I just moved away from a server which was hacked, so I am not liking this.
Is it suspicious or do I have to whitelist something?

PS. I have installed mod_ruid2 today, but I don't see any difference in the behavior above.
 
My pignore now looks like this:

Code:
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/anvil
exe:/usr/sbin/httpd
exe:/usr/local/directadmin/directadmin
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/ntpd
 
I had the same issue and what I have done is the following:

I have copied the EXE lines from /etc/csf/csf.directadmin.pignore to /etc/csf/csf.pignore

and the suspicious process logging stopped after restarting csf with csf -r.
 
Here is the list

Code:
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/local/directadmin/directadmin
exe:/usr/local/directadmin/dataskq
exe:/usr/sbin/httpd
exe:/usr/bin/dbus-daemon
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/libexec/dovecot/anvil
exe:/usr/sbin/ntpd
exe:/sbin/ntpd
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
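A small triage helper for the procedure above (added here; it is not from the thread or from csf itself): it pulls the EXE paths out of *Suspicious Process* lines, lists separately the ones reported as "(deleted)" (the binary on disk was replaced or removed after the process started, as with mysqld in the first post) so they can be checked before being ignored, and prints the exe: lines still missing from csf.pignore. The log and pignore text are constructed samples modelled on the thread, not live captures.

```shell
#!/bin/sh
# Constructed sample in the lfd log format quoted in the thread (not a live capture).
LFD_LOG_SAMPLE='Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:10894 User:apache Uptime:187 secs EXE:/usr/sbin/httpd CMD:/usr/sbin/httpd -k start -DSSL
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:11029 User:nobody Uptime:139 secs EXE:/usr/local/directadmin/directadmin CMD:/usr/local/directadmin/directadmin d
Mar 16 16:46:31 server5 lfd[12228]: *Suspicious Process* PID:13447 User:mysql Uptime:522942 secs EXE:/usr/sbin/mysqld (deleted) CMD:/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
Mar 16 16:46:31 server5 lfd[12228]: *Excessive Processes* User:apache Kill:0 Process Count:19
Mar 16 16:46:32 server5 lfd[12228]: *User Processing* PID:2596 Kill:0 User:ntp Time:709498 EXE:/usr/sbin/ntpd CMD:ntpd -u ntp:ntp -p /var/run/ntpd.pid'

# Constructed csf.pignore contents, using the exe:/path entry format from the thread.
PIGNORE_SAMPLE='exe:/usr/sbin/sshd
exe:/usr/sbin/httpd
exe:/usr/libexec/dovecot/anvil'

# suspicious_exes LOGTEXT
# Unique EXE paths behind *Suspicious Process* alerts, one per line. The trailing
# " (deleted)" marker is stripped so the path can be compared with pignore entries.
suspicious_exes() {
    printf '%s\n' "$1" \
        | grep -F '*Suspicious Process*' \
        | sed -n 's/.* EXE:\(.*\) CMD:.*/\1/p' \
        | sed 's/ (deleted)$//' \
        | sort -u
}

# deleted_exes LOGTEXT
# EXE paths flagged "(deleted)": the binary on disk changed after the process
# started. Verify these (package update vs. tampering) before ignoring them.
deleted_exes() {
    printf '%s\n' "$1" \
        | grep -F '*Suspicious Process*' \
        | sed -n 's/.* EXE:\(.*\) (deleted) CMD:.*/\1/p' \
        | sort -u
}

# missing_pignore LOGTEXT PIGNORETEXT
# exe: lines the alerts call for that the pignore file does not have yet,
# ready to append to /etc/csf/csf.pignore before running csf -r.
missing_pignore() {
    suspicious_exes "$1" | while IFS= read -r exe; do
        printf '%s\n' "$2" | grep -qxF "exe:$exe" || printf 'exe:%s\n' "$exe"
    done
}

# Stand-alone usage on the constructed samples.
deleted_exes "$LFD_LOG_SAMPLE"
missing_pignore "$LFD_LOG_SAMPLE" "$PIGNORE_SAMPLE"
```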
 
A full list for /etc/csf/csf.pignore might look like the following:

Code:
cmd:spamd child
exe:/bin/dbus-daemon
exe:/sbin/ntpd
exe:/usr/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
exe:/usr/bin/fetchmail
exe:/usr/bin/freshclam
exe:/usr/libexec/dovecot/anvil
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/managesieve
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/gam_server
exe:/usr/libexec/hald-addon-acpi
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/local/bin/clamd
exe:/usr/local/bin/freshclam
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/local/directadmin/dataskq
exe:/usr/local/directadmin/directadmin
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/mysql-5.1.54-linux-x86_64/bin/mysqld
exe:/usr/local/php53/bin/php53
exe:/usr/local/php53/bin/php-cgi53
exe:/usr/local/php53/bin/php_uploadscan.sh
exe:/usr/local/php53/sbin/php-fpm53
exe:/usr/local/php54/bin/php54
exe:/usr/local/php54/bin/php-cgi54
exe:/usr/local/php54/bin/php_uploadscan.sh
exe:/usr/local/php54/sbin/php-fpm54
exe:/usr/local/php55/bin/php55
exe:/usr/local/php55/bin/php-cgi55
exe:/usr/local/php55/bin/php_uploadscan.sh
exe:/usr/local/php55/sbin/php-fpm55
exe:/usr/local/php56/bin/php56
exe:/usr/local/php56/bin/php-cgi56
exe:/usr/local/php56/bin/php_uploadscan.sh
exe:/usr/local/php56/sbin/php-fpm56
exe:/usr/local/sbin/nginx
exe:/usr/sbin/exim
exe:/usr/sbin/hald
exe:/usr/sbin/httpd
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/sbin/named
exe:/usr/sbin/nginx
exe:/usr/sbin/ntpd
exe:/usr/sbin/proftpd
exe:/usr/sbin/pure-ftpd
exe:/usr/sbin/sshd

It includes the list from here: http://forum.directadmin.com/showthread.php?t=49424
 