LFD suspicious process - dovecot

waitek

lfd suddenly reporting frequent suspicious process issues involving dovecot--every 5-10 minutes. Always involves the same email logon. Wondering if the client email computer might have a virus. I've suspended the account and that's brought an end to the emails from lfd. Here's a sanitized report:

Time: Fri Sep 5 18:57:43 2014 -0700
PID: 29531 (Parent PID:1910)
Account: xxx
Uptime: 67 seconds


Executable:

/usr/libexec/dovecot/pop3


Command Line (often faked in exploits):

dovecot/pop3 [[email protected] 0.0.0.0]


Network connections by the process (if any):

tcp: 0.0.0.0:110 -> 0.0.0.0:8077


Files open by the process (if any):

/dev/null
/dev/null
anon_inode:[eventpoll]
/home/xxx/imap/m.com/m/Maildir/dovecot.index.log
/home/xxx/imap/m.com/m/Maildir/dovecot-uidlist


Memory maps by the process (if any):

00400000-0040a000 r-xp 00000000 09:02 11404737 /usr/libexec/dovecot/pop3
0060a000-0060b000 rw-p 0000a000 09:02 11404737 /usr/libexec/dovecot/pop3
01513000-0155d000 rw-p 00000000 00:00 0 [heap]
7fd577fd1000-7fd577fdd000 r-xp 00000000 09:02 4325737 /lib64/libnss_files-2.12.so
7fd577fdd000-7fd5781dd000 ---p 0000c000 09:02 4325737 /lib64/libnss_files-2.12.so
7fd5781dd000-7fd5781de000 r--p 0000c000 09:02 4325737 /lib64/libnss_files-2.12.so
7fd5781de000-7fd5781df000 rw-p 0000d000 09:02 4325737 /lib64/libnss_files-2.12.so
7fd5781df000-7fd5781f6000 r-xp 00000000 09:02 4325412 /lib64/libpthread-2.12.so
7fd5781f6000-7fd5783f6000 ---p 00017000 09:02 4325412 /lib64/libpthread-2.12.so
7fd5783f6000-7fd5783f7000 r--p 00017000 09:02 4325412 /lib64/libpthread-2.12.so
7fd5783f7000-7fd5783f8000 rw-p 00018000 09:02 4325412 /lib64/libpthread-2.12.so
7fd5783f8000-7fd5783fc000 rw-p 00000000 00:00 0
7fd5783fc000-7fd5784f7000 r-xp 00000000 09:02 11276332 /usr/local/lib/libiconv.so.2.5.1
7fd5784f7000-7fd5786f6000 ---p 000fb000 09:02 11276332 /usr/local/lib/libiconv.so.2.5.1
7fd5786f6000-7fd5786f8000 rw-p 000fa000 09:02 11276332 /usr/local/lib/libiconv.so.2.5.1
7fd5786f8000-7fd5786fa000 r-xp 00000000 09:02 4325416 /lib64/libdl-2.12.so
7fd5786fa000-7fd5788fa000 ---p 00002000 09:02 4325416 /lib64/libdl-2.12.so
7fd5788fa000-7fd5788fb000 r--p 00002000 09:02 4325416 /lib64/libdl-2.12.so
7fd5788fb000-7fd5788fc000 rw-p 00003000 09:02 4325416 /lib64/libdl-2.12.so
7fd5788fc000-7fd578903000 r-xp 00000000 09:02 4325743 /lib64/librt-2.12.so
7fd578903000-7fd578b02000 ---p 00007000 09:02 4325743 /lib64/librt-2.12.so
7fd578b02000-7fd578b03000 r--p 00006000 09:02 4325743 /lib64/librt-2.12.so
7fd578b03000-7fd578b04000 rw-p 00007000 09:02 4325743 /lib64/librt-2.12.so
7fd578b04000-7fd578c8d000 r-xp 00000000 09:02 4325388 /lib64/libc-2.12.so
7fd578c8d000-7fd578e8d000 ---p 00189000 09:02 4325388 /lib64/libc-2.12.so
7fd578e8d000-7fd578e91000 r--p 00189000 09:02 4325388 /lib64/libc-2.12.so
7fd578e91000-7fd578e92000 rw-p 0018d000 09:02 4325388 /lib64/libc-2.12.so
7fd578e92000-7fd578e97000 rw-p 00000000 00:00 0
7fd578e97000-7fd578f55000 r-xp 00000000 09:02 11276367 /usr/lib/dovecot/libdovecot.so.0.0.0
7fd578f55000-7fd579155000 ---p 000be000 09:02 11276367 /usr/lib/dovecot/libdovecot.so.0.0.0
7fd579155000-7fd579159000 rw-p 000be000 09:02 11276367 /usr/lib/dovecot/libdovecot.so.0.0.0
7fd579159000-7fd57915c000 rw-p 00000000 00:00 0
7fd57915c000-7fd579264000 r-xp 00000000 09:02 11275756 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
7fd579264000-7fd579464000 ---p 00108000 09:02 11275756 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
7fd579464000-7fd57946e000 rw-p 00108000 09:02 11275756 /usr/lib/dovecot/libdovecot-storage.so.0.0.0
7fd57946e000-7fd57948e000 r-xp 00000000 09:02 4325396 /lib64/ld-2.12.so
7fd579649000-7fd57967e000 rw-p 00000000 00:00 0
7fd579689000-7fd57968b000 r--s 00000000 09:02 25178428 /home/xxx/imap/m.com/m/Maildir/dovecot.index.log
7fd57968b000-7fd57968d000 rw-p 00000000 00:00 0
7fd57968d000-7fd57968e000 r--p 0001f000 09:02 4325396 /lib64/ld-2.12.so
7fd57968e000-7fd57968f000 rw-p 00020000 09:02 4325396 /lib64/ld-2.12.so
7fd57968f000-7fd579690000 rw-p 00000000 00:00 0
7fff1f726000-7fff1f73b000 rw-p 00000000 00:00 0 [stack]
7fff1f7ff000-7fff1f800000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
 
Hello,

Please fill /etc/csf/csf.pignore with:

Code:
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/local/bin/freshclam
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/local/bin/clamd
exe:/usr/local/php53/sbin/php-fpm53
exe:/usr/local/php54/sbin/php-fpm54
exe:/usr/local/php55/sbin/php-fpm55
exe:/usr/local/php56/sbin/php-fpm56
exe:/usr/local/php53/bin/php-cgi53
exe:/usr/local/php54/bin/php-cgi54
exe:/usr/local/php55/bin/php-cgi55
exe:/usr/local/php56/bin/php-cgi56
exe:/usr/local/php53/bin/php53
exe:/usr/local/php54/bin/php54
exe:/usr/local/php55/bin/php55
exe:/usr/local/php56/bin/php56
exe:/usr/share/cagefs-skeleton/usr/selector/lsphp
exe:/usr/local/bin/lsphp
exe:/usr/local/php53/bin/php_uploadscan.sh
exe:/usr/local/php54/bin/php_uploadscan.sh
exe:/usr/local/php55/bin/php_uploadscan.sh
exe:/usr/local/php56/bin/php_uploadscan.sh
exe:/usr/sbin/pure-ftpd
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/selector/php
exe:/usr/selector/php-cli
exe:/usr/sbin/nginx


and restart lfd:

Code:
/etc/init.d/lfd restart


taken from here: http://forum.directadmin.com/showthread.php?t=49424&highlight=lfd
 
I'd like to first understand what's going on before simply ignoring the messages. This server has been running for years with many email accounts, and this is the first time this has happened. There is something different going on that's linked to a single email account. Any thoughts?
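Before whitelisting anything, the questions worth answering are why lfd fired and whether the process really is the installed dovecot binary. Process tracking reports a user-owned process once it has been alive longer than PT_LIMIT (60 seconds in the csf.conf default), and dovecot's post-login pop3 process runs as the mailbox user, so one client that holds a POP3 session open for more than a minute will trip it on every poll; the 67-second uptime in the report fits that. The script below is an added example, not code from this thread, from ConfigServer's csf/lfd or from Dovecot. It parses the alert layout shown above (a constructed copy of the report, with a placeholder login name where the post's address was redacted) and runs the checks that justify a narrow `exe:` entry: the executable sits under a root-owned prefix, the command line that lfd warns is "often faked" names the same service as the executable, and every socket is on a port that service should own. TRUSTED_PREFIXES and EXPECTED_PORTS are assumptions made for the example.

```python
"""Triage an lfd "Suspicious process" alert before whitelisting the binary.

Added example for this thread; not code from the original post, from
ConfigServer's csf/lfd, or from Dovecot. It parses the alert text lfd mails
out and applies the checks worth doing before adding an `exe:` line to
/etc/csf/csf.pignore. TRUSTED_PREFIXES, EXPECTED_PORTS and PT_LIMIT are
assumptions for the example; compare them with your csf.conf and mail stack.
"""
import re
from dataclasses import dataclass

PT_LIMIT = 60  # csf.conf default: user processes alive longer than this are reported

# Assumption: prefixes only root can write to. A "system daemon" living in
# /tmp, /dev/shm or a home directory is the classic sign of a faked name.
TRUSTED_PREFIXES = ("/usr/libexec/", "/usr/local/libexec/", "/usr/sbin/",
                    "/usr/bin/", "/usr/local/sbin/", "/usr/local/bin/")

# Assumption: local ports each service binary should be seen on.
EXPECTED_PORTS = {
    "/usr/libexec/dovecot/pop3": {110, 995},
    "/usr/libexec/dovecot/imap": {143, 993},
}

# Constructed sample based on the sanitised report in the post. The login name
# is a placeholder (the original was redacted) and the memory-map section is
# left out because the checks below do not use it.
SAMPLE_ALERT = """\
Time: Fri Sep 5 18:57:43 2014 -0700
PID: 29531 (Parent PID:1910)
Account: xxx
Uptime: 67 seconds

Executable:

/usr/libexec/dovecot/pop3

Command Line (often faked in exploits):

dovecot/pop3 [user@m.com 0.0.0.0]

Network connections by the process (if any):

tcp: 0.0.0.0:110 -> 0.0.0.0:8077

Files open by the process (if any):

/dev/null
/home/xxx/imap/m.com/m/Maildir/dovecot.index.log
/home/xxx/imap/m.com/m/Maildir/dovecot-uidlist
"""

SECTION_RE = re.compile(r"^(Executable|Command Line|Network connections|"
                        r"Files open|Memory maps)\b.*:\s*$")
CONN_RE = re.compile(r"^(\w+):\s*(.+):(\d+)\s*->\s*(.+):(\d+)$")


@dataclass
class Alert:
    pid: int
    ppid: int
    account: str
    uptime: int
    exe: str
    cmdline: str
    connections: list  # (proto, local_addr, local_port, remote_addr, remote_port)
    files: list


def parse_alert(text):
    """Split an lfd alert into its header fields and titled sections."""
    header, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            if line:
                sections[current].append(line)
        elif ":" in line:  # header lines such as "Uptime: 67 seconds"
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    pid, ppid = re.match(r"(\d+)\s*\(Parent PID:\s*(\d+)\)", header["PID"]).groups()
    conns = []
    for entry in sections.get("Network connections", []):
        proto, laddr, lport, raddr, rport = CONN_RE.match(entry).groups()
        conns.append((proto, laddr, int(lport), raddr, int(rport)))
    return Alert(pid=int(pid), ppid=int(ppid), account=header["Account"],
                 uptime=int(header["Uptime"].split()[0]),
                 exe=sections["Executable"][0], cmdline=sections["Command Line"][0],
                 connections=conns, files=sections.get("Files open", []))


def triage(alert):
    """Return the findings that argue against whitelisting; empty means benign."""
    findings = []
    if not alert.exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside root-owned prefixes: {alert.exe}")
    # lfd warns the command line can be faked: dovecot's is "dovecot/<service> [...]"
    # and must name the same service as the real executable path.
    claimed = alert.cmdline.split()[0]
    if not alert.exe.endswith("/" + claimed):
        findings.append(f"command line {claimed!r} does not match executable {alert.exe}")
    expected = EXPECTED_PORTS.get(alert.exe)
    for proto, laddr, lport, raddr, rport in alert.connections:
        if expected is None or lport not in expected:
            findings.append(f"unexpected {proto} socket {laddr}:{lport} -> {raddr}:{rport}")
    for path in alert.files:
        if path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            findings.append(f"open file in a world-writable directory: {path}")
    return findings


def exceeded_pt_limit(alert):
    """Why lfd reported it at all: a user process outlived PT_LIMIT."""
    return alert.uptime > PT_LIMIT


def pignore_entry(alert):
    """One narrow csf.pignore line, only when triage has nothing to explain."""
    return None if triage(alert) else f"exe:{alert.exe}"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"PID {a.pid} {a.exe} as {a.account}, up {a.uptime}s "
          f"(PT_LIMIT {PT_LIMIT}s exceeded: {exceeded_pt_limit(a)})")
    for f in triage(a) or ["no findings"]:
        print(" -", f)
    print("pignore:", pignore_entry(a))
```

On the report above this yields the single line `exe:/usr/libexec/dovecot/pop3`, which is all this case needs; the blanket list in the reply also silences php-fpm, nginx and pure-ftpd, which is far more than the alert asked for. The alert text alone cannot prove the binary is intact, so on the host also confirm that `/proc/<PID>/exe` resolves to that path and that the file matches what installed it (the package manager's verify on a packaged install, or a fresh build on DirectAdmin) before adding the entry and restarting lfd.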