• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Suspicious process running under user *** with xenforo index

#1
Hello,

I got 5 mails like this from csf , it seems like someone using my index.php in order to attack someone. How is this possible ?


Code:
ime:    Thu Aug 25 20:32:45 2016 +0300
PID:     601 (Parent PID:32722)
Account: *****
Uptime:  62 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/****/public_html/forums/index.php


Network connections by the process (if any):

tcp: myip -> somewebsiteip:80


Files open by the process (if any):



Memory maps by the process (if any):

00400000-0109e000 r-xp 00000000 fd:00 680102                             /usr/bin/php
0129e000-0136d000 rw-p 00c9e000 fd:00 680102                             /usr/bin/php
0136d000-01392000 rw-p 00000000 00:00 0
02536000-03608000 rw-p 00000000 00:00 0                                  [heap]

7fb453dac000-7fb453e48000 rw-p 00000000 00:00 0
7fb453e89000-7fb453f0b000 rw-p 00000000 00:00 0
7fb453f0b000-7fb454000000 r--s 00000000 fd:00 3672509                    /var/db/nscd/hosts
7fb454000000-7fb454021000 rw-p 00000000 00:00 0
7fb454021000-7fb458000000 ---p 00000000 00:00 0
7fb45801c000-7fb45805d000 rw-p 00000000 00:00 0
7fb45805d000-7fb458092000 r--s 00000000 fd:00 3672510                    /var/db/nscd/services
7fb458092000-7fb458093000 ---p 00000000 00:00 0
7fb458093000-7fb458a93000 rw-p 00000000 00:00 0
7fb458a93000-7fb458a9a000 r-xp 00000000 fd:00 680091                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7fb458a9a000-7fb458c99000 ---p 00007000 fd:00 680091                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7fb458c99000-7fb458c9a000 rw-p 00006000 fd:00 680091                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7fb458c9a000-7fb458d75000 r-xp 00000000 fd:00 680095                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7fb458d75000-7fb458f75000 ---p 000db000 fd:00 680095                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7fb458f75000-7fb458f79000 rw-p 000db000 fd:00 680095                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7fb458f79000-7fb458f90000 r-xp 00000000 fd:00 663712                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7fb458f90000-7fb459190000 ---p 00017000 fd:00 663712                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7fb459190000-7fb459193000 rw-p 00017000 fd:00 663712                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7fb459193000-7fb4592a4000 r-xp 00000000 fd:00 678086                     /usr/local/IonCube/ioncube_loader_lin_5.4.so
7fb4592a4000-7fb4593a3000 ---p 00111000 fd:00 678086                     /usr/local/IonCube/ioncube_loader_lin_5.4.so
7fb4593a3000-7fb4593b3000 rw-p 00110000 fd:00 678086                     /usr/local/IonCube/ioncube_loader_lin_5.4.so
7fb4593b3000-7fb459551000 rw-p 00000000 00:00 0
7fb459551000-7fb459553000 r-xp 00000000 fd:00 2490385                    /lib64/libfreebl3.so
7fb459553000-7fb459752000 ---p 00002000 fd:00 2490385                    /lib64/libfreebl3.so
7fb459752000-7fb459753000 r--p 00001000 fd:00 2490385                    /lib64/libfreebl3.so
7fb459753000-7fb459754000 rw-p 00002000 fd:00 2490385                    /lib64/libfreebl3.so
7fb459754000-7fb459756000 rw-p 00000000 00:00 0
7fb459756000-7fb4598a6000 r-xp 00000000 fd:00 4718849                    /opt/xml2/lib/libxml2.so.2.9.2
7fb4598a6000-7fb459aa5000 ---p 00150000 fd:00 4718849                    /opt/xml2/lib/libxml2.so.2.9.2
7fb459aa5000-7fb459aaf000 rw-p 0014f000 fd:00 4718849                    /opt/xml2/lib/libxml2.so.2.9.2
7fb459aaf000-7fb459ab0000 rw-p 00000000 00:00 0
7fb459ab0000-7fb459aec000 r-xp 00000000 fd:00 4719533                    /opt/xslt/lib/libxslt.so.1.1.28
7fb459aec000-7fb459ceb000 ---p 0003c000 fd:00 4719533                    /opt/xslt/lib/libxslt.so.1.1.28
7fb459ceb000-7fb459ced000 rw-p 0003b000 fd:00 4719533                    /opt/xslt/lib/libxslt.so.1.1.28
7fb459ced000-7fb459cef000 rw-p 00000000 00:00 0
7fb459cef000-7fb459d4c000 r-xp 00000000 fd:00 4719118                    /opt/curlssl/lib/libcurl.so.4.3.0
7fb459d4c000-7fb459f4b000 ---p 0005d000 fd:00 4719118                    /opt/curlssl/lib/libcurl.so.4.3.0
7fb459f4b000-7fb459f4e000 rw-p 0005c000 fd:00 4719118                    /opt/curlssl/lib/libcurl.so.4.3.0
7fb459f4e000-7fb459f50000 rw-p 00000000 00:00 0
7fb459f50000-7fb459f92000 r-xp 00000000 fd:00 4718597                    /opt/pcre/lib/libpcre.so.1.2.4
7fb459f92000-7fb45a192000 ---p 00042000 fd:00 4718597                    /opt/pcre/lib/libpcre.so.1.2.4
7fb45a192000-7fb45a193000 rw-p 00042000 fd:00 4718597                    /opt/pcre/lib/libpcre.so.1.2.4
7fb45a193000-7fb45a197000 rw-p 00000000 00:00 0
7fb45a197000-7fb45a1c1000 r-xp 00000000 fd:00 4719502                    /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fb45a1c1000-7fb45a3c0000 ---p 0002a000 fd:00 4719502                    /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fb45a3c0000-7fb45a3c4000 rw-p 00029000 fd:00 4719502                    /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fb45a3c4000-7fb45a3c9000 rw-p 00000000 00:00 0
7fb45a3c9000-7fb45a6a3000 r-xp 00000000 fd:00 675645                     /usr/lib64/libmysqlclient.so.18.0.0
7fb45a6a3000-7fb45a8a2000 ---p 002da000 fd:00 675645                     /usr/lib64/libmysqlclient.so.18.0.0
7fb45a8a2000-7fb45a926000 rw-p 002d9000 fd:00 675645                     /usr/lib64/libmysqlclient.so.18.0.0
7fb45a926000-7fb45a92b000 rw-p 00000000 00:00 0
7fb45a92b000-7fb45a981000 r-xp 00000000 fd:00 4719517                    /opt/tidy/lib/libtidy-0.99.so.0.0.0
7fb45a981000-7fb45ab81000 ---p 00056000 fd:00 4719517                    /opt/tidy/lib/libtidy-0.99.so.0.0.0
7fb45ab81000-7fb45ab8a000 rw-p 00056000 fd:00 4719517                    /opt/tidy/lib/libtidy-0.99.so.0.0.0
7fb45ab8a000-7fb45ab8c000 rw-p 00000000 00:00 0
7fb45ab8c000-7fb45ab9e000 r-xp 00000000 fd:00 4719566                    /opt/xslt/lib/libexslt.so.0.8.17
7fb45ab9e000-7fb45ad9e000 ---p 00012000 fd:00 4719566                    /opt/xslt/lib/libexslt.so.0.8.17
7fb45ad9e000-7fb45ad9f000 rw-p 00012000 fd:00 4719566                    /opt/xslt/lib/libexslt.so.0.8.17
7fb45ad9f000-7fb45ada0000 rw-p 00000000 00:00 0
7fb45adad000-7fb45adae000 rw-p 00000000 00:00 0
7ffcdfd5e000-7ffcdfd73000 rw-p 00000000 00:00 0                          [stack]
7ffcdfd80000-7ffcdfd81000 r-xp 00000000 00:00 0                          [vdso]
I checked my ftp , there wasn't any changes.
I checked files from xenforo , there wasn't any change.
Any ideas ?
 
#3
What is the somewebsiteip? It's possible it's just a connection to Gravtar or something.

Liam
5.79.74.36
151.249.88.170

I don't think they are.

And I'm getting this in lfd logs ;


*Suspicious Process* PID:26430 PPID:26416 User:***** Uptime:118 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/****/public_html/forums/index.php