LFD: suspicious process running under user admin

Mattie (Verified User, joined Jun 1, 2008, 123 messages)
Hi guys, my LFD (yeah I know it is not from DA, but hey you guys know everything :-) ) is reporting this the last week. I rebooted my server to stop the emails as there was no "Perl" process running for the admin user. However it comes back after a couple of days. Any ideas here what this might be?

Code:
Time:    Thu Apr 27 12:42:57 2017 +0200
PID:     22509 (Parent PID:22509)
Account: admin
Uptime:  86 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):

bash


Network connections by the process (if any):

tcp: 0.0.0.0:23213 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

00400000-00402000 r-xp 00000000 fe:01 3408219   /usr/bin/perl
00601000-00602000 r--p 00001000 fe:01 3408219   /usr/bin/perl
00602000-00603000 rw-p 00002000 fe:01 3408219   /usr/bin/perl
02355000-027e3000 rw-p 00000000 00:00 0         [heap]
027e3000-02804000 rw-p 00000000 00:00 0         [heap]
02804000-02825000 rw-p 00000000 00:00 0         [heap]
02825000-02846000 rw-p 00000000 00:00 0         [heap]
02846000-02867000 rw-p 00000000 00:00 0         [heap]
02867000-02888000 rw-p 00000000 00:00 0         [heap]
02888000-028a9000 rw-p 00000000 00:00 0         [heap]
028a9000-028ca000 rw-p 00000000 00:00 0         [heap]
7f66a69d5000-7f66a69db000 r-xp 00000000 fe:01 69        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/File/Glob/Glob.so
7f66a69db000-7f66a6bda000 ---p 00006000 fe:01 69        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/File/Glob/Glob.so
7f66a6bda000-7f66a6bdb000 r--p 00005000 fe:01 69        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/File/Glob/Glob.so
7f66a6bdb000-7f66a6bdc000 rw-p 00006000 fe:01 69        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/File/Glob/Glob.so
7f66a6bdc000-7f66a6bef000 r-xp 00000000 fe:01 81        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/POSIX/POSIX.so
7f66a6bef000-7f66a6dee000 ---p 00013000 fe:01 81        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/POSIX/POSIX.so
7f66a6dee000-7f66a6df1000 r--p 00012000 fe:01 81        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/POSIX/POSIX.so
7f66a6df1000-7f66a6df2000 rw-p 00015000 fe:01 81        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/POSIX/POSIX.so
7f66a6df2000-7f66a6df5000 r-xp 00000000 fe:01 77        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Fcntl/Fcntl.so
7f66a6df5000-7f66a6ff5000 ---p 00003000 fe:01 77        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Fcntl/Fcntl.so
7f66a6ff5000-7f66a6ff6000 r--p 00003000 fe:01 77        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Fcntl/Fcntl.so
7f66a6ff6000-7f66a6ff7000 rw-p 00004000 fe:01 77        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Fcntl/Fcntl.so
7f66a6ff7000-7f66a6fff000 r-xp 00000000 fe:01 80        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Socket/Socket.so
7f66a6fff000-7f66a71ff000 ---p 00008000 fe:01 80        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Socket/Socket.so
7f66a71ff000-7f66a7201000 r--p 00008000 fe:01 80        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Socket/Socket.so
7f66a7201000-7f66a7202000 rw-p 0000a000 fe:01 80        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/Socket/Socket.so
7f66a7202000-7f66a7206000 r-xp 00000000 fe:01 82        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/IO/IO.so
7f66a7206000-7f66a7405000 ---p 00004000 fe:01 82        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/IO/IO.so
7f66a7405000-7f66a7406000 r--p 00003000 fe:01 82        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/IO/IO.so
7f66a7406000-7f66a7407000 rw-p 00004000 fe:01 82        /usr/lib/x86_64-linux-gnu/perl/5.20.2/auto/IO/IO.so
7f66a7407000-7f66a740f000 r-xp 00000000 fe:01 1443287   /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f66a740f000-7f66a760e000 ---p 00008000 fe:01 1443287   /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f66a760e000-7f66a760f000 r--p 00007000 fe:01 1443287   /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f66a760f000-7f66a7610000 rw-p 00008000 fe:01 1443287   /lib/x86_64-linux-gnu/libcrypt-2.19.so
7f66a7610000-7f66a763e000 rw-p 00000000 00:00 0
7f66a763e000-7f66a77df000 r-xp 00000000 fe:01 1443285   /lib/x86_64-linux-gnu/libc-2.19.so
7f66a77df000-7f66a79df000 ---p 001a1000 fe:01 1443285   /lib/x86_64-linux-gnu/libc-2.19.so
7f66a79df000-7f66a79e3000 r--p 001a1000 fe:01 1443285   /lib/x86_64-linux-gnu/libc-2.19.so
7f66a79e3000-7f66a79e5000 rw-p 001a5000 fe:01 1443285   /lib/x86_64-linux-gnu/libc-2.19.so
7f66a79e5000-7f66a79e9000 rw-p 00000000 00:00 0
7f66a79e9000-7f66a7a01000 r-xp 00000000 fe:01 1443281   /lib/x86_64-linux-gnu/libpthread-2.19.so
7f66a7a01000-7f66a7c00000 ---p 00018000 fe:01 1443281   /lib/x86_64-linux-gnu/libpthread-2.19.so
7f66a7c00000-7f66a7c01000 r--p 00017000 fe:01 1443281   /lib/x86_64-linux-gnu/libpthread-2.19.so
7f66a7c01000-7f66a7c02000 rw-p 00018000 fe:01 1443281   /lib/x86_64-linux-gnu/libpthread-2.19.so
7f66a7c02000-7f66a7c06000 rw-p 00000000 00:00 0
7f66a7c06000-7f66a7d06000 r-xp 00000000 fe:01 1443289   /lib/x86_64-linux-gnu/libm-2.19.so
7f66a7d06000-7f66a7f05000 ---p 00100000 fe:01 1443289   /lib/x86_64-linux-gnu/libm-2.19.so
7f66a7f05000-7f66a7f06000 r--p 000ff000 fe:01 1443289   /lib/x86_64-linux-gnu/libm-2.19.so
7f66a7f06000-7f66a7f07000 rw-p 00100000 fe:01 1443289   /lib/x86_64-linux-gnu/libm-2.19.so
7f66a7f07000-7f66a7f0a000 r-xp 00000000 fe:01 1443288   /lib/x86_64-linux-gnu/libdl-2.19.so
7f66a7f0a000-7f66a8109000 ---p 00003000 fe:01 1443288   /lib/x86_64-linux-gnu/libdl-2.19.so
7f66a8109000-7f66a810a000 r--p 00002000 fe:01 1443288   /lib/x86_64-linux-gnu/libdl-2.19.so
7f66a810a000-7f66a810b000 rw-p 00003000 fe:01 1443288   /lib/x86_64-linux-gnu/libdl-2.19.so
7f66a810b000-7f66a82c2000 r-xp 00000000 fe:01 3542473   /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2
7f66a82c2000-7f66a84c2000 ---p 001b7000 fe:01 3542473   /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2
7f66a84c2000-7f66a84c7000 r--p 001b7000 fe:01 3542473   /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2
7f66a84c7000-7f66a84cc000 rw-p 001bc000 fe:01 3542473   /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2
7f66a84cc000-7f66a84ec000 r-xp 00000000 fe:01 1443282   /lib/x86_64-linux-gnu/ld-2.19.so
7f66a86db000-7f66a86e0000 rw-p 00000000 00:00 0
7f66a86ea000-7f66a86ec000 rw-p 00000000 00:00 0
7f66a86ec000-7f66a86ed000 r--p 00020000 fe:01 1443282   /lib/x86_64-linux-gnu/ld-2.19.so
7f66a86ed000-7f66a86ee000 rw-p 00021000 fe:01 1443282   /lib/x86_64-linux-gnu/ld-2.19.so
7f66a86ee000-7f66a86ef000 rw-p 00000000 00:00 0
7ffc8502a000-7ffc8504b000 rw-p 00000000 00:00 0         [stack]
7ffc8519d000-7ffc8519f000 r-xp 00000000 00:00 0         [vdso]
7ffc8519f000-7ffc851a1000 r--p 00000000 00:00 0         [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
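As an added illustration (not code from the thread, from CSF/LFD or from DirectAdmin), here is a small Python triage script for the alert format quoted above. It parses the report and flags the three things the rest of this thread turns on: the executable/command-line mismatch (perl reporting itself as "bash"), a listening socket held by a user-account process, and stdio redirected to /dev/null. The sample alert is the one from this post with the memory map section left out; the `INTERPRETERS` list and the finding tags are my own choices.

```python
import ipaddress
import os
import re

# Constructed sample: the alert from this post, minus the memory map section
# (the triage below does not look at it).
SAMPLE_ALERT = """\
Time:    Thu Apr 27 12:42:57 2017 +0200
PID:     22509 (Parent PID:22509)
Account: admin
Uptime:  86 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

bash

Network connections by the process (if any):

tcp: 0.0.0.0:23213 -> 0.0.0.0:0

Files open by the process (if any):

/dev/null
/dev/null
/dev/null
"""

SECTIONS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "cmdline",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "files",
    "Memory maps by the process (if any):": "maps",
}
CONN_RE = re.compile(r"(tcp|udp):\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)")
# Interpreters that normally carry a script path in argv (my own list).
INTERPRETERS = {"perl", "python", "python2", "python3", "php", "bash", "sh"}


def parse_alert(text):
    """Split an LFD 'suspicious process' alert into header fields and sections."""
    info = {name: [] for name in SECTIONS.values()}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section is None:                 # header: "Key: value"
            key, _, value = line.partition(":")
            info[key.strip().lower()] = value.strip()
        else:
            info[section].append(line)
    m = re.match(r"(\d+)\s*\(Parent PID:\s*(\d+)\)", info.get("pid", ""))
    if m:
        info["pid"], info["ppid"] = int(m[1]), int(m[2])
    info["connections"] = [
        {"proto": m[1], "laddr": m[2], "lport": int(m[3]),
         "raddr": m[4], "rport": int(m[5])}
        for m in map(CONN_RE.match, info["connections"]) if m
    ]
    return info


def triage(info):
    """Return 'tag: explanation' findings; an empty list means nothing odd."""
    findings = []
    exe = info["executable"][0] if info["executable"] else ""
    exe_name = os.path.basename(exe)
    argv = " ".join(info["cmdline"]).split()
    if exe and argv:
        argv0 = os.path.basename(argv[0])
        # argv[0] normally names the binary; a process that rewrites it to
        # look like something else is exactly what the LFD header warns about.
        if not (argv0.startswith(exe_name) or exe_name.startswith(argv0)):
            findings.append(f"cmdline-mismatch: exe is {exe} but argv[0] is {argv[0]!r}")
        elif exe_name in INTERPRETERS and len(argv) == 1:
            findings.append(f"no-script: {exe_name} has no script argument")
    for c in info["connections"]:
        remote = ipaddress.ip_address(c["raddr"])
        if remote.is_unspecified and c["rport"] == 0:   # LISTEN state
            findings.append(f"listening: {c['proto']} port {c['lport']} bound by a user process")
        elif c["rport"] == 25:
            findings.append(f"smtp-outbound: {c['proto']} to {c['raddr']}:25")
        elif remote.is_global:
            findings.append(f"outbound: {c['proto']} to {c['raddr']}:{c['rport']}")
    if info["files"] and all(f == "/dev/null" for f in info["files"]):
        findings.append("stdio-detached: every open file is /dev/null (daemonised)")
    return findings
```

Paste a real alert body into `parse_alert` and print `triage(...)`; an empty list is the "nothing odd" case, and a legit cron job under admin should produce one.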
 
Yes I understand, but I want to be sure this doesn't indicate a problem, as I don't understand the nature of this message.
 
I wouldn't disable LFD alert for admin, because you wouldn't see when the admin account has a real issue, not very wise imho. Unless you don't use the admin account also for a domain website.

@Mattie:
I got the feeling you did not install CSF/LFD with ./install_directadmin.sh? If yes, this would be blocked by default.
You can disable it in csf.pignore:
exe:/usr/bin/perl

There are a lot more of those in there. If you did not do the above, you might consider doing it. It also sets settings like ports to open for DA and such.

The reason for perl working? Can be a number of things, maybe a DA tally, I don't know.
 
Hi Richard,

Well, CSF/LFD is running for a couple of months on my current vps and just recently it started with these emails. I always look into this to make sure my system is not compromised, however I can't find anything so it seems to be fine.

Now that I am looking into the pidignore file I don't see perl listed there, however I did recently add a new item. Just for the fun of things I've disabled it for now to see if that last entry somehow results in the other mails coming through.
 
I now have an email containing an IP:

Code:
Network connections by the process (if any):

tcp: 91.218.127.50:51257 -> 77.72.83.83:83


Files open by the process (if any):

According to this site it is an IP in Russia (https://whoisip.ovh/77.72.82.83); still not sure if I should ignore these messages or not.
 
Another update:

Code:
fcntl(40, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(40, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [21 38 40 51 52 58 59 65 77 83 85 86 88 92 107 123 140 141], NULL, {0, 0}) = 5 (out [21 77 86 107 140], left {0, 0})
write(140, "HELO vps.myserverhostname.nl\r\n", 28) = 28
write(107, "Subject: Incoming voicemessage -"..., 2328) = 2328
write(86, "Subject: New voicemail: 5:40PM\r\n"..., 2320) = 2320
write(77, "HELO vps.myserverhostname.nl\r\n", 28) = 28
write(21, "Subject: Incoming voice mail - 5"..., 2288) = 2288
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 39 41 42 43 44 45 46 47 48 49 50 53 54 55 57 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 80 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 121 122 124 125 126 128 129 130 131 132 133 134 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 6 (in [20 29 80 97 121 143], left {0, 0})
read(143, "220 alph163.prodigy.net ESMTP Se"..., 16384) = 100
recvfrom(121, "-Z\201\5\0\1\0\0\0\0\0\0\2mx\2bt\4lon5\7cpcloud\2"..., 512, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("200.76.49.8")}, [16]) = 42
close(121)                              = 0
read(97, "354 Start mail input; end with <"..., 16384) = 46
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2923, ...}) = 0
read(80, "250 rgin04.bt.ext.cpcloud.co.uk\r"..., 16384) = 33
read(29, "250 2.1.5 OK y4si3067882pff.312 "..., 16384) = 41
read(20, "250 SPF validation soft failure\r"..., 16384) = 33
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 56
ioctl(56, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(56, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(56, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(56, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(56, F_SETFD, FD_CLOEXEC)          = 0
fcntl(56, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(56, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(56, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [20 29 38 40 51 52 56 58 59 65 80 83 85 88 92 97 123 141 143], NULL, {0, 0}) = 5 (out [20 29 80 97 143], left {0, 0})
write(143, "HELO vps.myserverhostname.nl\r\n", 28) = 28
write(97, "Subject: Incoming voice message "..., 2287) = 2287
write(80, "MAIL FROM: <hamburg.schach@mudja"..., 44) = 44
write(29, "DATA\r\n", 6)                = 6
write(20, "RCPT TO: <[email protected]"..., 36) = 36
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 39 41 42 43 44 45 46 47 48 49 50 53 54 55 57 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 80 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 134 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 1 (in [25], left {0, 0})
read(25, "220 alph129.prodigy.net ESMTP Se"..., 16384) = 100
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 73
ioctl(73, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(73, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(73, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(73, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(73, F_SETFD, FD_CLOEXEC)          = 0
fcntl(73, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(73, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(73, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [25 38 40 51 52 56 58 59 65 73 83 85 88 92 123 141], NULL, {0, 0}) = 1 (out [25], left {0, 0})
write(25, "HELO vps.myserverhostname.nl\r\n", 28) = 28
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 39 41 42 43 44 45 46 47 48 49 50 53 54 55 57 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 80 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 134 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 0 (Timeout)
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 82
ioctl(82, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(82, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(82, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(82, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(82, F_SETFD, FD_CLOEXEC)          = 0
fcntl(82, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(82, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(82, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [38 40 51 52 56 58 59 65 73 82 83 85 88 92 123 141], NULL, {0, 0}) = 0 (Timeout)
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 39 41 42 43 44 45 46 47 48 49 50 53 54 55 57 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 80 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 134 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 3 (in [47 96 134], left {0, 0})
read(134, "421 PR(ct1) (SNT004-MC10F17) Unf"..., 16384) = 258
close(134)                              = 0
read(96, "250  <eFE5Cd159.81Aa29b7CC1f5Fc9"..., 16384) = 77
read(47, "421 4.7.1 : (DYN:T1) https://pos"..., 16384) = 70
close(47)                               = 0
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 47
ioctl(47, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(47, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(47, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(47, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(47, F_SETFD, FD_CLOEXEC)          = 0
fcntl(47, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(47, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(47, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [38 40 47 51 52 56 58 59 65 73 82 83 85 88 92 96 123 141], NULL, {0, 0}) = 2 (out [59 96], left {0, 0})
write(96, "QUIT\r\n", 6)                = 6
getpeername(59, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("209.86.93.226")}, [16]) = 0
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 39 41 42 43 44 45 46 48 49 50 53 54 55 57 59 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 80 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 2 (in [110 125], left {0, 0})
read(125, "250 mta1316.mail.gq1.yahoo.com\r\n", 16384) = 32
read(110, "250 [email protected] \r\n", 16384) = 29
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 115
ioctl(115, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(115, 0, SEEK_CUR)                 = -1 ESPIPE (Illegal seek)
ioctl(115, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(115, 0, SEEK_CUR)                 = -1 ESPIPE (Illegal seek)
fcntl(115, F_SETFD, FD_CLOEXEC)         = 0
fcntl(115, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl(115, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(115, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [38 40 47 51 52 56 58 65 73 82 83 85 88 92 110 115 123 125 141], NULL, {0, 0}) = 3 (out [38 110 125], left {0, 0})
write(125, "MAIL FROM: <[email protected]>\r"..., 33) = 33
write(110, "DATA\r\n", 6)               = 6
getpeername(38, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("209.86.93.226")}, [16]) = 0
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 48 49 50 53 54 55 57 59 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 80 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 4 (in [35 43 78 80], left {0, 0})
read(80, "550 Message rejected for policy "..., 16384) = 195
close(80)                               = 0
read(78, "250 Requested mail action okay, "..., 16384) = 43
read(43, "250 Requested mail action okay, "..., 16384) = 43
read(35, "354  Go ahead e3si2996699plk.205"..., 16384) = 42
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2923, ...}) = 0
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 80
ioctl(80, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(80, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(80, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(80, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(80, F_SETFD, FD_CLOEXEC)          = 0
fcntl(80, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(80, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(80, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [35 40 43 47 51 52 56 58 65 73 78 80 82 83 85 88 92 115 123 141], NULL, {0, 0}) = 3 (out [35 43 78], left {0, 0})
write(78, "RCPT TO: <[email protected]>\r\n", 29) = 29
write(43, "RCPT TO: <[email protected]>\r"..., 33) = 33
write(35, "Subject: Incoming voicemail 5:40"..., 2270) = 2270
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 48 49 50 53 54 55 57 59 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 3 (in [13 50 91], left {0, 0})
read(91, "250 [email protected]"..., 16384) = 41
read(50, "250 alph141.prodigy.net Hello vp"..., 16384) = 90
read(13, "250 2.0.0 MAIL FROM accepted\r\n", 16384) = 30
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 121
ioctl(121, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(121, 0, SEEK_CUR)                 = -1 ESPIPE (Illegal seek)
ioctl(121, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(121, 0, SEEK_CUR)                 = -1 ESPIPE (Illegal seek)
fcntl(121, F_SETFD, FD_CLOEXEC)         = 0
fcntl(121, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl(121, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(121, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [13 40 47 50 51 52 56 58 65 73 80 82 83 85 88 91 92 115 121 123 141], NULL, {0, 0}) = 4 (out [13 50 51 91], left {0, 0})
write(91, "RCPT TO: <[email protected]>\r\n", 32) = 32
getpeername(51, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("209.86.93.226")}, [16]) = 0
write(50, "MAIL FROM: <consolio_1997@meltze"..., 45) = 45
write(13, "RCPT TO: <[email protected]>\r\n", 30) = 30
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 48 49 50 51 53 54 55 57 59 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 4 (in [16 46 55 128], left {0, 0})
read(128, "250 mta1336.mail.gq1.yahoo.com\r\n", 16384) = 32
read(55, "550 5.1.1 unknown or illegal ali"..., 16384) = 60
close(55)                               = 0
read(46, "250 mail108.syd.optusnet.com.au\r"..., 16384) = 33
read(16, "550 5.1.1 unknown or illegal ali"..., 16384) = 56
close(16)                               = 0
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 16
ioctl(16, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(16, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(16, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(16, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(16, F_SETFD, FD_CLOEXEC)          = 0
fcntl(16, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(16, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(16, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [16 40 46 47 52 56 58 65 73 80 82 83 85 88 92 115 121 123 128 141], NULL, {0, 0}) = 3 (out [46 52 128], left {0, 0})
write(128, "MAIL FROM: <[email protected]>\r\n", 28) = 28
getpeername(52, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("209.86.93.226")}, [16]) = 0
write(46, "MAIL FROM: <[email protected]>"..., 34) = 34
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 48 49 50 51 52 53 54 57 59 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 135 136 137 138 139 140 142 143 144 145 146 147 148 157 158], NULL, NULL, {0, 0}) = 6 (in [30 42 43 99 133 157], left {0, 0})
read(157, "421 PR(ct1) (SNT004-MC10F20) Unf"..., 16384) = 258
close(157)                              = 0
read(133, "250 SNT004-MC10F7.hotmail.com (3"..., 16384) = 66
read(99, "250 mta1341.mail.gq1.yahoo.com\r\n", 16384) = 32
read(43, "550 Requested action not taken: "..., 16384) = 53
close(43)                               = 0
read(42, "250 SNT004-MC10F7.hotmail.com (3"..., 16384) = 66
read(30, "354 Start mail input; end with <"..., 16384) = 46
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2923, ...}) = 0
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 43
ioctl(43, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(43, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
ioctl(43, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x7ffc85049140) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(43, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
fcntl(43, F_SETFD, FD_CLOEXEC)          = 0
fcntl(43, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(43, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
connect(43, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(176, NULL, [16 30 40 42 43 47 56 58 65 73 80 82 83 85 88 92 99 115 121 123 133 141], NULL, {0, 0}) = 4 (out [30 42 99 133], left {0, 0})
write(133, "MAIL FROM: <[email protected]>"..., 34) = 34
write(99, "MAIL FROM: <[email protected]>\r\n", 27) = 27
write(42, "MAIL FROM: <hamburg.schach@mudja"..., 44) = 44
write(30, "Subject: Incoming voice message,"..., 2304) = 2304
select(176, [3 4 5 6 7 8 9 10 11 12 13 14 15 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 41 42 44 45 46 48 49 50 51 52 53 54 57 59 60 61 62 63 64 66 67 68 69 70 71 72 74 75 76 77 78 79 81 84 86 87 89 90 91 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 116 117 118 119 120 122 124 125 126 128 129 130 131 132 133 135 136 137 138 139 140 142 143 144 145 146 147 148 158], NULL, NULL, {0, 0}) = 4 (in [28 31 103 140], left {0, 0})
read(140, "250 alph167.prodigy.net Hello vp"..., 16384) = 90

I unblocked the IP (well, I disabled CSF) and I traced the PID it was complaining about and above you can see a small piece of the trace. As you can see that process is definitely trying to send email, NOT requested by me so somewhere my system is compromised.

So, I will start by changing the admin password and then I will investigate this. But disabling the alerts does not seem the correct way to solve this.
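An added example, not part of the thread, of the post-processing that turns a trace like the one above into a verdict: it groups the strace lines by file descriptor into SMTP sessions (re-keying when a descriptor is closed and reused) and tallies remote servers, command verbs and reply codes. The sample lines are lifted from the trace above with the fd numbers and addresses as they appear there; one obfuscated recipient is replaced by the constructed address user@example.net.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines lifted from the strace above (fd numbers and
# addresses as they appear there); one recipient is the made-up user@example.net.
SAMPLE_TRACE = r'''
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 56
connect(56, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("98.136.217.203")}, 16) = -1 EINPROGRESS (Operation now in progress)
write(140, "HELO vps.myserverhostname.nl\r\n", 28) = 28
write(107, "Subject: Incoming voicemessage -"..., 2328) = 2328
write(80, "MAIL FROM: <hamburg.schach@mudja"..., 44) = 44
write(29, "DATA\r\n", 6)                = 6
write(20, "RCPT TO: <user@example.net>\r\n", 29) = 29
read(143, "220 alph163.prodigy.net ESMTP Se"..., 16384) = 100
read(80, "550 Message rejected for policy "..., 16384) = 195
close(80)                               = 0
read(47, "421 4.7.1 : (DYN:T1) https://pos"..., 16384) = 70
close(47)                               = 0
getpeername(59, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("209.86.93.226")}, [16]) = 0
read(125, "250 mta1316.mail.gq1.yahoo.com\r\n", 16384) = 32
read(20, "250 SPF validation soft failure\r"..., 16384) = 33
select(0, NULL, NULL, NULL, {0, 10000}) = 0 (Timeout)
'''

# connect()/getpeername() give the remote endpoint; write()/read() the dialogue.
ENDPOINT_RE = re.compile(
    r'^(?:connect|getpeername)\((\d+), \{.*?sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')
WRITE_RE = re.compile(r'^write\((\d+), "((?:[^"\\]|\\.)*)"')
READ_RE = re.compile(r'^read\((\d+), "((?:[^"\\]|\\.)*)"')
CLOSE_RE = re.compile(r'^close\((\d+)\)')
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "QUIT"}


def strip_crlf(payload):
    """Drop the escaped \\r\\n that strace prints at the end of a line buffer."""
    return re.sub(r"(\\r|\\n)+$", "", payload)


def smtp_verb(payload):
    """Classify a written chunk as an SMTP command verb or BODY (message data)."""
    head = payload.split(maxsplit=1)[0].rstrip(":") if payload.strip() else ""
    return head if head in SMTP_VERBS else "BODY"


def summarize(trace):
    """Group strace lines into per-fd sessions and tally the SMTP dialogue."""
    live = defaultdict(lambda: {"remote": None, "sent": [], "replies": []})
    done = []
    for line in trace.splitlines():
        if m := ENDPOINT_RE.match(line):
            live[m[1]]["remote"] = (m[3], int(m[2]))
        elif m := WRITE_RE.match(line):
            live[m[1]]["sent"].append(strip_crlf(m[2]))
        elif m := READ_RE.match(line):
            live[m[1]]["replies"].append(strip_crlf(m[2]))
        elif (m := CLOSE_RE.match(line)) and m[1] in live:
            done.append(live.pop(m[1]))      # fd numbers get reused after close
    done.extend(live.values())
    return {
        "sessions": len(done),
        "smtp_servers": Counter(s["remote"][0] for s in done
                                if s["remote"] and s["remote"][1] == 25),
        "commands": Counter(smtp_verb(p) for s in done for p in s["sent"]),
        "reply_codes": Counter(r[:3] for s in done for r in s["replies"]
                               if r[:3].isdigit()),
        "subjects": [p for s in done for p in s["sent"] if p.startswith("Subject:")],
    }


def verdict(report):
    """A user-account process holding port-25 sessions that issue RCPT TO is a
    mailer; nothing in a normal DirectAdmin/Exim setup does that as 'admin'."""
    if not report["smtp_servers"] or not report["commands"].get("RCPT"):
        return "no SMTP client activity seen"
    rejects = sum(n for code, n in report["reply_codes"].items() if code[0] in "45")
    return (f"outbound mailer: {report['sessions']} sessions, "
            f"{sum(report['smtp_servers'].values())} connects to port 25, "
            f"{rejects} rejections")
```

Run it over the full `strace -f -p PID -s 64` output of the flagged process; the `subjects` list and the 4xx/5xx rejection count are usually enough to tell a spam run from a legitimate mailer.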
 
Well, in a normal situation there is no legit process on a Directadmin server which would try to send emails on behalf of the admin user. Neither Directadmin nor Exim opens connections as the admin user. Usually it's the user mail which opens connections to remote SMTP servers. So that is most likely malware, unless you open sockets for sending emails in scripts with cron or under document_root of the admin user.

Running

# cat /proc/PID/environ
# cat /proc/PID/cmdline

might give some clues.


And I'd rather not add admin user as trusted if you host web-sites under this account. I'd rather do even more - enable SMTP_BLOCK="1" in CSF.
 
Thanks for your reply, and I agree. It looks like an infection. The SMTP block has been enabled and I'm running a scan at the moment. Thanks for the other suggestions. I will look into them. I also checked the http access log but I cannot find any reference to that IP.

I will update when I know more.
 
Just for your information:
Now that I am looking into the pidignore file
It's not pidignore, csf.pignore stands for "process ignore". ;)

Looks indeed as if you are infected or something.
Also try to see if some other mail server is running or something.
Code:
lsof -i :25
 
Hi Richard,

Yeah thanks I said it wrong. At the moment only my exim is listening on port 25.

I changed the password back to the old password and unblocked the IP, why? Well I want to know WHAT is infected. I'm running maldet but that does not seem to find anything (yet)

Code:
maldet(11216): {scan} building file list for /, this might take awhile...
maldet(11216): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(11216): {scan} file list completed in 15s, found 265001 files...
maldet(11216): {scan} scan of / (265001 files) in progress...
maldet(11216): {scan} 20977/265001 files scanned: 0 hits 0 cleaned

I'm hoping that with zEitEr's tips I can at least trace what is going on.
 
So far maldet has not found anything (except some emails, mostly in straks/spam folders) that could be relevant in my opinion. I did not see the 'hack' happen again so far.

I'm now running clamav just to be sure.
 
For a more accurate (and paranoid) search I'd suggest using antivirus bases from Malware.Experts. They have posted a thread on these forums advertising their own set of bases, which are absolutely free. So you need to add them into ClamAV and run maldet to scan a desired folder with the -a flag in order to scan all existing files independently of mtime/ctime.

By the way:

Code:
tcp: 91.218.127.50:51257 -> 77.72.83.83:83

does not show any activity on port 25. They accept connections on 77.72.83.83:83. So it might be a control center from which infected servers get instructions for further actions. So your server connects to it, receives instructions and starts spamming other addresses.

That's only my guess, I don't say that's your exactly case. At least this is what I would check if I were in your shoes.
 
Thanks for the suggestion, I will do that. So far the only stuff it found are emails (that cannot be used) and infected files in an already suspended account, so perhaps that but I'm not sure.

I did not notice the problem again so far.

And yes, you are right that the connection doesn't do anything to port 25, but in the trace I did see references to email, so my guess is that they somehow got a shell and were simply using CLI commands to send email.

I will report back when I know more.
 
Another update, the Malware.Experts list didn't find anything either. Could be I've removed it already or it was something else. But anyway, I did not find anything suspicious since then (I did change the password). So I guess that this is it for now.

Thanks all for your help!
 