Suspicious process running under user ftp

enginaar

Hello,

I have csf installed on all 4 of my servers running CentOS 5.2. One of them continuously alerts me with the subject "Suspicious process running under user ftp". The mail entry is below.

I couldn't understand where the problem is. I installed the server yesterday and it's not used actively yet.

Time: Mon Apr 20 02:01:16 2009 +0300
PID: 23261
Account: ftp
Uptime: 108300 seconds


Executable:

/usr/sbin/proftpd\00o\00\n\t.sleb128 -92 (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

proftpd: (accepting connections)


Network connections by the process (if any):

tcp: 0.0.0.0:21 -> 0.0.0.0:0


Files open by the process (if any):

/etc/passwd (deleted)
/etc/group (deleted)


Memory maps by the process (if any):

002aa000-002b3000 r-xp 00000000 fd:00 7536680 /lib/libnss_files-2.5.so.#prelink#.JMBbr0 (deleted)
002b3000-002b4000 r-xp 00008000 fd:00 7536680 /lib/libnss_files-2.5.so.#prelink#.JMBbr0 (deleted)
002b4000-002b5000 rwxp 00009000 fd:00 7536680 /lib/libnss_files-2.5.so.#prelink#.JMBbr0 (deleted)
003be000-004fc000 r-xp 00000000 fd:00 7536664 /lib/libc-2.5.so
004fc000-004fe000 r-xp 0013e000 fd:00 7536664 /lib/libc-2.5.so
004fe000-004ff000 rwxp 00140000 fd:00 7536664 /lib/libc-2.5.so
004ff000-00502000 rwxp 004ff000 00:00 0
005d6000-005df000 r-xp 00000000 fd:00 7536668 /lib/libcrypt-2.5.so
005df000-005e0000 r-xp 00008000 fd:00 7536668 /lib/libcrypt-2.5.so
005e0000-005e1000 rwxp 00009000 fd:00 7536668 /lib/libcrypt-2.5.so
005e1000-00608000 rwxp 005e1000 00:00 0
00f66000-00f67000 r-xp 00f66000 00:00 0 [vdso]
00f9e000-00fb8000 r-xp 00000000 fd:00 7536657 /lib/ld-2.5.so
00fb8000-00fb9000 r-xp 00019000 fd:00 7536657 /lib/ld-2.5.so
00fb9000-00fba000 rwxp 0001a000 fd:00 7536657 /lib/ld-2.5.so
08048000-080be000 r-xp 00000000 fd:00 29132835 /usr/sbin/proftpd
080be000-080c5000 rw-p 00076000 fd:00 29132835 /usr/sbin/proftpd
080c5000-080d0000 rw-p 080c5000 00:00 0
0936d000-093af000 rw-p 0936d000 00:00 0
b7ff1000-b7ff3000 rw-p b7ff1000 00:00 0
b7ff8000-b7ffa000 rw-p b7ff8000 00:00 0
bf942000-bf957000 rw-p bf942000 00:00 0 [stack]
 
Well, I guess it's because CSF doesn't get the correct name for the binary and thinks that it was deleted after being run.
Unfortunately I have no idea why this happens; the null byte (\00) should mean "end of string" for that line... you may want to write a bug report to the CSF author.

It happened (differently) for a library too, libnss_files, which I see has been prelinked... do you run a custom prelinking service on that server, or is it included with CentOS?

You can also try restarting the ProFTPD service with "/etc/init.d/proftpd restart", maybe it really was deleted/upgraded...
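The check behind this alert, and the null-byte oddity discussed above, can be reproduced with a small script. The following is an added example written for this thread; it is not csf/lfd code (lfd is Perl). It assumes standard Linux /proc semantics: readlink on /proc/<pid>/exe returns the binary's path with " (deleted)" appended once the file has been unlinked, and stat on that link still reaches the mapped inode. The sample maps excerpt is copied from the alert in this thread; the inode comparison in check_pid and the treatment of NUL/newline bytes as garbage are design choices made here, not something lfd is documented to do.

```python
"""Flag processes whose executable is deleted or whose /proc exe link is
unparseable, then cross-check against the file now on disk.
Added example for this thread, not csf/lfd's own code."""
import os
import pwd
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

DELETED_SUFFIX = " (deleted)"
# A NUL cannot occur inside a Linux path (it terminates the C string) and the
# kernel never emits one in a link target; a newline is legal but so unusual in
# an executable path that this script treats it as garbage too (assumption).
BAD_BYTES = re.compile(rb"[\x00\n\r]")


@dataclass
class ExeStatus:
    raw: bytes                 # exactly what readlink(2) returned
    path: str                  # cleaned path for display and on-disk lookup
    deleted: bool              # kernel appended " (deleted)"
    garbled: bool              # link text holds bytes no valid path has
    replaced: Optional[bool]   # on-disk file is a different inode; None if unknown


def classify_exe_link(raw: bytes) -> ExeStatus:
    """Pure parse of a /proc/<pid>/exe target; touches no filesystem."""
    deleted = raw.endswith(DELETED_SUFFIX.encode())
    garbled = BAD_BYTES.search(raw) is not None
    body = raw[: -len(DELETED_SUFFIX)] if deleted else raw
    # Keep only the part before the first NUL/newline for display purposes.
    body = BAD_BYTES.split(body, maxsplit=1)[0]
    return ExeStatus(raw, body.decode("utf-8", "replace"), deleted, garbled, None)


def check_pid(pid: int) -> ExeStatus:
    """Classify one process and compare its mapped binary with the on-disk file."""
    link = f"/proc/{pid}/exe"
    status = classify_exe_link(os.readlink(os.fsencode(link)))
    try:
        running = os.stat(link)         # follows the magic link to the mapped binary
        on_disk = os.stat(status.path)  # whatever currently sits at that path
        status.replaced = (running.st_dev, running.st_ino) != (on_disk.st_dev, on_disk.st_ino)
    except OSError:
        status.replaced = None          # path gone, empty after cleaning, or not ours to stat
    return status


def deleted_mappings(maps_text: str) -> List[str]:
    """Distinct file-backed mappings in /proc/<pid>/maps text whose file is unlinked."""
    found: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)     # addr perms offset dev inode [path]
        if len(parts) < 6:
            continue                    # anonymous mapping, no path column
        path = parts[5]
        if path.endswith(DELETED_SUFFIX) and path not in found:
            found.append(path)
    return found


def scan_proc(user: Optional[str] = None) -> List[Tuple[int, ExeStatus]]:
    """Walk /proc and return (pid, status) for deleted or unparseable executables."""
    uid = pwd.getpwnam(user).pw_uid if user else None
    hits: List[Tuple[int, ExeStatus]] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            if uid is not None and os.stat(f"/proc/{name}").st_uid != uid:
                continue
            status = check_pid(int(name))
        except OSError:
            continue                    # raced with process exit, or no permission
        if status.deleted or status.garbled:
            hits.append((int(name), status))
    return hits


# Sample /proc/<pid>/maps excerpt, copied from the alert quoted in this thread.
SAMPLE_MAPS = """\
002aa000-002b3000 r-xp 00000000 fd:00 7536680 /lib/libnss_files-2.5.so.#prelink#.JMBbr0 (deleted)
002b3000-002b4000 r-xp 00008000 fd:00 7536680 /lib/libnss_files-2.5.so.#prelink#.JMBbr0 (deleted)
003be000-004fc000 r-xp 00000000 fd:00 7536664 /lib/libc-2.5.so
004ff000-00502000 rwxp 004ff000 00:00 0
08048000-080be000 r-xp 00000000 fd:00 29132835 /usr/sbin/proftpd
"""

if __name__ == "__main__":
    print("deleted mappings in sample:", deleted_mappings(SAMPLE_MAPS))
    account = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. "ftp"
    for pid, st in scan_proc(account):
        print(f"pid {pid}: {st.path!r} deleted={st.deleted} "
              f"garbled={st.garbled} replaced={st.replaced} raw={st.raw!r}")
```

Run it as root with the account name as the argument to mirror lfd's per-user alert. The `replaced` field is the check worth doing before restarting a service: if the inode on disk differs from the one the process has mapped, the binary was overwritten (a package upgrade is the usual cause) and a restart is the right fix; if the path no longer exists at all, nothing replaced the deleted file and the process deserves a closer look. A `garbled` result with stray NUL or newline bytes, like the one in this thread, means the link text itself is not a valid path and the "deleted" verdict should be confirmed from `/proc/<pid>/maps` rather than trusted.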
 
I checked proftp and see nothing wrong, I think. I've disabled process checking; nothing else I could do.
 
This can happen because of an update, it could have been proftp or something related.

I just restarted the service and restarted lfd and all is well.

Peace..
 