lfd on xxxxxxx: Suspicious process running under user psaadm



barbaro
24/01/2010, 19:41
Could someone who uses csf and knows how to stop this please help? I'm getting more than 300 emails an hour like these:

lfd on xxxxxxx: Suspicious process running under user psaadm
lfd on xxxxxxxxxxxxxx: Excessive resource usage: psaadm
lfd on xxxxxxxxxxxx: Suspicious File Alert

Thanks and regards

Power
25/01/2010, 00:13
Hi,

This topic has been covered many times on this forum.
You can use the Search option.
Example: http://foros.ovh.es/showthread.php?t=5494

Regards

barbaro
25/01/2010, 08:24
Thanks Power, I had seen it, but the thing is it hasn't worked for me. I have it edited like this:

exe:/usr/bin/sw-engine-cgi
exe:/opt/drweb/drwebd.real
exe:/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm

since most of the emails are:

Time: Mon Jan 25 08:19:20 2010 +0100
PID: 1011
Account: psaadm
Uptime: 143215 seconds


Executable:

/usr/bin/sw-engine-cgi (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini -d auto_prepend_file=auth.php3 -u psaadm


Network connections by the process (if any):



Files open by the process (if any):

/dev/null
/var/log/sw-cp-server/error_log
/tmp/.apc.uMAXlk (deleted)
/tmp/.apc.HI6K3E (deleted)
/tmp/.apc.gYIyLZ (deleted)
/tmp/.apc.VGCmtk (deleted)
/tmp/.apc.SEBabF (deleted)


Memory maps by the process (if any):


barbaro
25/01/2010, 08:25
The email continues:


Power
25/01/2010, 08:43
Hi,

It's telling you "The file system shows this process is running an executable file that has been deleted."

That happens when you update a program but an older version is still running.

You could stop that process and then start it again (now with the new version).
(Restarting the server would also work.)

Although I think it's a Plesk process, and I have no idea about Plesk.
Before stopping it, make sure that stopping it won't cause anything serious.

CSF has an option in its configuration to check, or not, for those old processes that are still running.

Regards

chencho
25/01/2010, 10:55
And what if you add

user:psaadm

instead of the process?
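As an added illustration (not code from the thread or from csf itself): a small Python model of how an lfd-style check treats a process whose executable has been deleted, and how csf.pignore entries suppress the report. The matching rules are a simplified assumption rather than csf's own logic: `exe:` is compared literally with the path as /proc/PID/exe reports it (which is consistent with the poster's exe: lines never matching the "(deleted)" path), `cmd:` with the full command line, and `user:` with the owner. The process table is constructed; on a live host the same fields come from /proc/PID/exe, /proc/PID/cmdline and the owner of /proc/PID.

```python
from dataclasses import dataclass

DELETED = " (deleted)"  # suffix the kernel appends to /proc/PID/exe when the file is gone


@dataclass
class Proc:
    pid: int
    user: str
    exe: str      # readlink(/proc/PID/exe), possibly ending in " (deleted)"
    cmdline: str  # /proc/PID/cmdline with NULs replaced by spaces


def parse_pignore(text):
    """Parse csf.pignore-style lines into (kind, value) pairs; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kind, _, value = line.partition(":")
            rules.append((kind.strip(), value.strip()))
    return rules


def is_ignored(proc, rules):
    """Simplified model (assumption, not csf's code): exe: must equal the path exactly
    as /proc reports it, so a deleted executable never matches; cmd: must equal the
    whole command line; user: matches every process owned by that user."""
    for kind, value in rules:
        if ((kind == "exe" and value == proc.exe)
                or (kind == "cmd" and value == proc.cmdline)
                or (kind == "user" and value == proc.user)):
            return True
    return False


def deleted_exe_alerts(procs, rules):
    """PIDs of processes running a deleted executable that no rule suppresses."""
    return [p.pid for p in procs if p.exe.endswith(DELETED) and not is_ignored(p, rules)]


# Constructed sample: the thread's sw-engine-cgi process plus a hypothetical second
# deleted-executable process owned by the same user.
SW_CMD = ("/usr/bin/sw-engine-cgi -c /usr/local/psa/admin/conf/php.ini "
          "-d auto_prepend_file=auth.php3 -u psaadm")
SAMPLE = [
    Proc(1011, "psaadm", "/usr/bin/sw-engine-cgi" + DELETED, SW_CMD),
    Proc(4242, "psaadm", "/tmp/unknown-binary" + DELETED, "/tmp/unknown-binary"),
]
# The poster's three exe: lines, then the two alternatives discussed in the thread.
EXE_RULES = parse_pignore("exe:/usr/bin/sw-engine-cgi\nexe:/opt/drweb/drwebd.real\nexe:" + SW_CMD)
CMD_RULES = EXE_RULES + parse_pignore("cmd:" + SW_CMD)
USER_RULES = EXE_RULES + parse_pignore("user:psaadm")
```

A `cmd:` entry silences only that command line, while `user:psaadm` also hides any other deleted-executable process owned by psaadm (the hypothetical second entry above), so it is the broader and less informative choice.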