Rimesia
Member
Hello,
I got 5 mails like this from CSF; it seems like someone is using my index.php in order to attack someone. How is this possible?
Code:
Time: Thu Aug 25 20:32:45 2016 +0300
PID: 601 (Parent PID:32722)
Account: *****
Uptime: 62 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/****/public_html/forums/index.php
Network connections by the process (if any):
tcp: myip -> somewebsiteip:80
Files open by the process (if any):
Memory maps by the process (if any):
00400000-0109e000 r-xp 00000000 fd:00 680102 /usr/bin/php
0129e000-0136d000 rw-p 00c9e000 fd:00 680102 /usr/bin/php
0136d000-01392000 rw-p 00000000 00:00 0
02536000-03608000 rw-p 00000000 00:00 0 [heap]
7fb453dac000-7fb453e48000 rw-p 00000000 00:00 0
7fb453e89000-7fb453f0b000 rw-p 00000000 00:00 0
7fb453f0b000-7fb454000000 r--s 00000000 fd:00 3672509 /var/db/nscd/hosts
7fb454000000-7fb454021000 rw-p 00000000 00:00 0
7fb454021000-7fb458000000 ---p 00000000 00:00 0
7fb45801c000-7fb45805d000 rw-p 00000000 00:00 0
7fb45805d000-7fb458092000 r--s 00000000 fd:00 3672510 /var/db/nscd/services
7fb458092000-7fb458093000 ---p 00000000 00:00 0
7fb458093000-7fb458a93000 rw-p 00000000 00:00 0
7fb458a93000-7fb458a9a000 r-xp 00000000 fd:00 680091 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7fb458a9a000-7fb458c99000 ---p 00007000 fd:00 680091 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7fb458c99000-7fb458c9a000 rw-p 00006000 fd:00 680091 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
7fb458c9a000-7fb458d75000 r-xp 00000000 fd:00 680095 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7fb458d75000-7fb458f75000 ---p 000db000 fd:00 680095 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7fb458f75000-7fb458f79000 rw-p 000db000 fd:00 680095 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
7fb458f79000-7fb458f90000 r-xp 00000000 fd:00 663712 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7fb458f90000-7fb459190000 ---p 00017000 fd:00 663712 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7fb459190000-7fb459193000 rw-p 00017000 fd:00 663712 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
7fb459193000-7fb4592a4000 r-xp 00000000 fd:00 678086 /usr/local/IonCube/ioncube_loader_lin_5.4.so
7fb4592a4000-7fb4593a3000 ---p 00111000 fd:00 678086 /usr/local/IonCube/ioncube_loader_lin_5.4.so
7fb4593a3000-7fb4593b3000 rw-p 00110000 fd:00 678086 /usr/local/IonCube/ioncube_loader_lin_5.4.so
7fb4593b3000-7fb459551000 rw-p 00000000 00:00 0
7fb459551000-7fb459553000 r-xp 00000000 fd:00 2490385 /lib64/libfreebl3.so
7fb459553000-7fb459752000 ---p 00002000 fd:00 2490385 /lib64/libfreebl3.so
7fb459752000-7fb459753000 r--p 00001000 fd:00 2490385 /lib64/libfreebl3.so
7fb459753000-7fb459754000 rw-p 00002000 fd:00 2490385 /lib64/libfreebl3.so
7fb459754000-7fb459756000 rw-p 00000000 00:00 0
7fb459756000-7fb4598a6000 r-xp 00000000 fd:00 4718849 /opt/xml2/lib/libxml2.so.2.9.2
7fb4598a6000-7fb459aa5000 ---p 00150000 fd:00 4718849 /opt/xml2/lib/libxml2.so.2.9.2
7fb459aa5000-7fb459aaf000 rw-p 0014f000 fd:00 4718849 /opt/xml2/lib/libxml2.so.2.9.2
7fb459aaf000-7fb459ab0000 rw-p 00000000 00:00 0
7fb459ab0000-7fb459aec000 r-xp 00000000 fd:00 4719533 /opt/xslt/lib/libxslt.so.1.1.28
7fb459aec000-7fb459ceb000 ---p 0003c000 fd:00 4719533 /opt/xslt/lib/libxslt.so.1.1.28
7fb459ceb000-7fb459ced000 rw-p 0003b000 fd:00 4719533 /opt/xslt/lib/libxslt.so.1.1.28
7fb459ced000-7fb459cef000 rw-p 00000000 00:00 0
7fb459cef000-7fb459d4c000 r-xp 00000000 fd:00 4719118 /opt/curlssl/lib/libcurl.so.4.3.0
7fb459d4c000-7fb459f4b000 ---p 0005d000 fd:00 4719118 /opt/curlssl/lib/libcurl.so.4.3.0
7fb459f4b000-7fb459f4e000 rw-p 0005c000 fd:00 4719118 /opt/curlssl/lib/libcurl.so.4.3.0
7fb459f4e000-7fb459f50000 rw-p 00000000 00:00 0
7fb459f50000-7fb459f92000 r-xp 00000000 fd:00 4718597 /opt/pcre/lib/libpcre.so.1.2.4
7fb459f92000-7fb45a192000 ---p 00042000 fd:00 4718597 /opt/pcre/lib/libpcre.so.1.2.4
7fb45a192000-7fb45a193000 rw-p 00042000 fd:00 4718597 /opt/pcre/lib/libpcre.so.1.2.4
7fb45a193000-7fb45a197000 rw-p 00000000 00:00 0
7fb45a197000-7fb45a1c1000 r-xp 00000000 fd:00 4719502 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fb45a1c1000-7fb45a3c0000 ---p 0002a000 fd:00 4719502 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fb45a3c0000-7fb45a3c4000 rw-p 00029000 fd:00 4719502 /opt/libmcrypt/lib/libmcrypt.so.4.4.8
7fb45a3c4000-7fb45a3c9000 rw-p 00000000 00:00 0
7fb45a3c9000-7fb45a6a3000 r-xp 00000000 fd:00 675645 /usr/lib64/libmysqlclient.so.18.0.0
7fb45a6a3000-7fb45a8a2000 ---p 002da000 fd:00 675645 /usr/lib64/libmysqlclient.so.18.0.0
7fb45a8a2000-7fb45a926000 rw-p 002d9000 fd:00 675645 /usr/lib64/libmysqlclient.so.18.0.0
7fb45a926000-7fb45a92b000 rw-p 00000000 00:00 0
7fb45a92b000-7fb45a981000 r-xp 00000000 fd:00 4719517 /opt/tidy/lib/libtidy-0.99.so.0.0.0
7fb45a981000-7fb45ab81000 ---p 00056000 fd:00 4719517 /opt/tidy/lib/libtidy-0.99.so.0.0.0
7fb45ab81000-7fb45ab8a000 rw-p 00056000 fd:00 4719517 /opt/tidy/lib/libtidy-0.99.so.0.0.0
7fb45ab8a000-7fb45ab8c000 rw-p 00000000 00:00 0
7fb45ab8c000-7fb45ab9e000 r-xp 00000000 fd:00 4719566 /opt/xslt/lib/libexslt.so.0.8.17
7fb45ab9e000-7fb45ad9e000 ---p 00012000 fd:00 4719566 /opt/xslt/lib/libexslt.so.0.8.17
7fb45ad9e000-7fb45ad9f000 rw-p 00012000 fd:00 4719566 /opt/xslt/lib/libexslt.so.0.8.17
7fb45ad9f000-7fb45ada0000 rw-p 00000000 00:00 0
7fb45adad000-7fb45adae000 rw-p 00000000 00:00 0
7ffcdfd5e000-7ffcdfd73000 rw-p 00000000 00:00 0 [stack]
7ffcdfd80000-7ffcdfd81000 r-xp 00000000 00:00 0 [vdso]
I checked my FTP; there weren't any changes.
I checked the files from XenForo; there wasn't any change.
Any ideas?
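
A triage helper for alerts in this layout, added here as an example and not part of the original post or of CSF/lfd: it pulls out the process's network connections, lists the files mapped into it, and flags executable memory regions that have no backing file. The sample alert, its addresses and the function name `triage` are constructed for the example.

```python
import re

# Constructed sample in the same layout as the alert above
# (IP addresses, memory addresses and the account name are made up).
SAMPLE_ALERT = """\
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/user/public_html/forums/index.php
Network connections by the process (if any):
tcp: 192.0.2.10:41234 -> 198.51.100.7:80
Memory maps by the process (if any):
00400000-0109e000 r-xp 00000000 fd:00 680102 /usr/bin/php
02536000-03608000 rw-p 00000000 00:00 0 [heap]
7f0000000000-7f0000010000 r-xp 00000000 fd:00 4719118 /opt/curlssl/lib/libcurl.so.4.3.0
7f0000010000-7f0000011000 rw-p 00000000 fd:00 4719118 /opt/curlssl/lib/libcurl.so.4.3.0
7f0000020000-7f0000021000 rwxp 00000000 00:00 0
7ffc00000000-7ffc00001000 r-xp 00000000 00:00 0 [vdso]
"""

# /proc/<pid>/maps layout: address range, perms, offset, device, inode, path
MAP_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([r-][w-][x-][ps]) [0-9a-f]+ \S+ \d+\s*(.*)$")
CONN_RE = re.compile(r"^(\w+): (\S+) -> (\S+)$")
KERNEL_REGIONS = ("[vdso]", "[vsyscall]")  # executable, but kernel-provided


def triage(alert_text):
    """Summarise one alert: connections, mapped files, odd executable regions."""
    report = {"connections": [], "mapped_files": [], "anon_exec": []}
    for line in alert_text.splitlines():
        line = line.strip()
        conn = CONN_RE.match(line)
        if conn:
            report["connections"].append(conn.groups())
            continue
        region = MAP_RE.match(line)
        if not region:
            continue
        start, end, perms, path = region.groups()
        if path.startswith("/"):
            if path not in report["mapped_files"]:
                report["mapped_files"].append(path)  # keep first-seen order
        elif "x" in perms and path not in KERNEL_REGIONS:
            # Executable memory with no file behind it: not proof of
            # compromise, but the region to examine first.
            report["anon_exec"].append((start, end, perms))
    return report
```

The mapped-file list shows what the process could do (a mapped libcurl means it can make outbound HTTP requests), and the remote address in `connections` can be matched against the web server's access log for the same timestamp.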