Suspicious process running under user *** with xenforo index

Discussion in 'Server Configuration and Hosting' started by Ugur Ilmaz, Aug 25, 2016.

  1. Ugur Ilmaz

    Ugur Ilmaz Member

    Hello,

    I got 5 mails like this from csf; it seems like someone is using my index.php in order to attack someone. How is this possible?


    Code:
    Time:    Thu Aug 25 20:32:45 2016 +0300
    PID:     601 (Parent PID:32722)
    Account: *****
    Uptime:  62 seconds
    
    
    Executable:
    
    /usr/bin/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php /home/****/public_html/forums/index.php
    
    
    Network connections by the process (if any):
    
    tcp: myip -> somewebsiteip:80
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    00400000-0109e000 r-xp 00000000 fd:00 680102                             /usr/bin/php
    0129e000-0136d000 rw-p 00c9e000 fd:00 680102                             /usr/bin/php
    0136d000-01392000 rw-p 00000000 00:00 0
    02536000-03608000 rw-p 00000000 00:00 0                                  [heap]
    
    7fb453dac000-7fb453e48000 rw-p 00000000 00:00 0
    7fb453e89000-7fb453f0b000 rw-p 00000000 00:00 0
    7fb453f0b000-7fb454000000 r--s 00000000 fd:00 3672509                    /var/db/nscd/hosts
    7fb454000000-7fb454021000 rw-p 00000000 00:00 0
    7fb454021000-7fb458000000 ---p 00000000 00:00 0
    7fb45801c000-7fb45805d000 rw-p 00000000 00:00 0
    7fb45805d000-7fb458092000 r--s 00000000 fd:00 3672510                    /var/db/nscd/services
    7fb458092000-7fb458093000 ---p 00000000 00:00 0
    7fb458093000-7fb458a93000 rw-p 00000000 00:00 0
    7fb458a93000-7fb458a9a000 r-xp 00000000 fd:00 680091                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fb458a9a000-7fb458c99000 ---p 00007000 fd:00 680091                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fb458c99000-7fb458c9a000 rw-p 00006000 fd:00 680091                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fb458c9a000-7fb458d75000 r-xp 00000000 fd:00 680095                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fb458d75000-7fb458f75000 ---p 000db000 fd:00 680095                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fb458f75000-7fb458f79000 rw-p 000db000 fd:00 680095                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fb458f79000-7fb458f90000 r-xp 00000000 fd:00 663712                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fb458f90000-7fb459190000 ---p 00017000 fd:00 663712                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fb459190000-7fb459193000 rw-p 00017000 fd:00 663712                     /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fb459193000-7fb4592a4000 r-xp 00000000 fd:00 678086                     /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fb4592a4000-7fb4593a3000 ---p 00111000 fd:00 678086                     /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fb4593a3000-7fb4593b3000 rw-p 00110000 fd:00 678086                     /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fb4593b3000-7fb459551000 rw-p 00000000 00:00 0
    7fb459551000-7fb459553000 r-xp 00000000 fd:00 2490385                    /lib64/libfreebl3.so
    7fb459553000-7fb459752000 ---p 00002000 fd:00 2490385                    /lib64/libfreebl3.so
    7fb459752000-7fb459753000 r--p 00001000 fd:00 2490385                    /lib64/libfreebl3.so
    7fb459753000-7fb459754000 rw-p 00002000 fd:00 2490385                    /lib64/libfreebl3.so
    7fb459754000-7fb459756000 rw-p 00000000 00:00 0
    7fb459756000-7fb4598a6000 r-xp 00000000 fd:00 4718849                    /opt/xml2/lib/libxml2.so.2.9.2
    7fb4598a6000-7fb459aa5000 ---p 00150000 fd:00 4718849                    /opt/xml2/lib/libxml2.so.2.9.2
    7fb459aa5000-7fb459aaf000 rw-p 0014f000 fd:00 4718849                    /opt/xml2/lib/libxml2.so.2.9.2
    7fb459aaf000-7fb459ab0000 rw-p 00000000 00:00 0
    7fb459ab0000-7fb459aec000 r-xp 00000000 fd:00 4719533                    /opt/xslt/lib/libxslt.so.1.1.28
    7fb459aec000-7fb459ceb000 ---p 0003c000 fd:00 4719533                    /opt/xslt/lib/libxslt.so.1.1.28
    7fb459ceb000-7fb459ced000 rw-p 0003b000 fd:00 4719533                    /opt/xslt/lib/libxslt.so.1.1.28
    7fb459ced000-7fb459cef000 rw-p 00000000 00:00 0
    7fb459cef000-7fb459d4c000 r-xp 00000000 fd:00 4719118                    /opt/curlssl/lib/libcurl.so.4.3.0
    7fb459d4c000-7fb459f4b000 ---p 0005d000 fd:00 4719118                    /opt/curlssl/lib/libcurl.so.4.3.0
    7fb459f4b000-7fb459f4e000 rw-p 0005c000 fd:00 4719118                    /opt/curlssl/lib/libcurl.so.4.3.0
    7fb459f4e000-7fb459f50000 rw-p 00000000 00:00 0
    7fb459f50000-7fb459f92000 r-xp 00000000 fd:00 4718597                    /opt/pcre/lib/libpcre.so.1.2.4
    7fb459f92000-7fb45a192000 ---p 00042000 fd:00 4718597                    /opt/pcre/lib/libpcre.so.1.2.4
    7fb45a192000-7fb45a193000 rw-p 00042000 fd:00 4718597                    /opt/pcre/lib/libpcre.so.1.2.4
    7fb45a193000-7fb45a197000 rw-p 00000000 00:00 0
    7fb45a197000-7fb45a1c1000 r-xp 00000000 fd:00 4719502                    /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    7fb45a1c1000-7fb45a3c0000 ---p 0002a000 fd:00 4719502                    /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    7fb45a3c0000-7fb45a3c4000 rw-p 00029000 fd:00 4719502                    /opt/libmcrypt/lib/libmcrypt.so.4.4.8
    7fb45a3c4000-7fb45a3c9000 rw-p 00000000 00:00 0
    7fb45a3c9000-7fb45a6a3000 r-xp 00000000 fd:00 675645                     /usr/lib64/libmysqlclient.so.18.0.0
    7fb45a6a3000-7fb45a8a2000 ---p 002da000 fd:00 675645                     /usr/lib64/libmysqlclient.so.18.0.0
    7fb45a8a2000-7fb45a926000 rw-p 002d9000 fd:00 675645                     /usr/lib64/libmysqlclient.so.18.0.0
    7fb45a926000-7fb45a92b000 rw-p 00000000 00:00 0
    7fb45a92b000-7fb45a981000 r-xp 00000000 fd:00 4719517                    /opt/tidy/lib/libtidy-0.99.so.0.0.0
    7fb45a981000-7fb45ab81000 ---p 00056000 fd:00 4719517                    /opt/tidy/lib/libtidy-0.99.so.0.0.0
    7fb45ab81000-7fb45ab8a000 rw-p 00056000 fd:00 4719517                    /opt/tidy/lib/libtidy-0.99.so.0.0.0
    7fb45ab8a000-7fb45ab8c000 rw-p 00000000 00:00 0
    7fb45ab8c000-7fb45ab9e000 r-xp 00000000 fd:00 4719566                    /opt/xslt/lib/libexslt.so.0.8.17
    7fb45ab9e000-7fb45ad9e000 ---p 00012000 fd:00 4719566                    /opt/xslt/lib/libexslt.so.0.8.17
    7fb45ad9e000-7fb45ad9f000 rw-p 00012000 fd:00 4719566                    /opt/xslt/lib/libexslt.so.0.8.17
    7fb45ad9f000-7fb45ada0000 rw-p 00000000 00:00 0
    7fb45adad000-7fb45adae000 rw-p 00000000 00:00 0
    7ffcdfd5e000-7ffcdfd73000 rw-p 00000000 00:00 0                          [stack]
    7ffcdfd80000-7ffcdfd81000 r-xp 00000000 00:00 0                          [vdso]

    I checked my FTP; there weren't any changes.
    I checked the files from XenForo; there wasn't any change.
    Any ideas?
     
  2. Liam W

    Liam W Well-Known Member

    What is the somewebsiteip? It's possible it's just a connection to Gravatar or something.

    Liam
     
  3. Ugur Ilmaz

    Ugur Ilmaz Member

    5.79.74.36
    151.249.88.170

    I don't think they are.

    And I'm getting this in the lfd logs:


    *Suspicious Process* PID:26430 PPID:26416 User:***** Uptime:118 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/****/public_html/forums/index.php
     
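The two alerts quoted in this thread (the full csf e-mail report in the first post and the one-line `*Suspicious Process*` entry from lfd.log above) share the same fields, and when several arrive for the same script the useful triage questions are whether argv[0] really matches the executable (csf itself warns the command line is "often faked") and how many distinct hosts the script has connected to. The following is an added example written for this page, not code from the thread or from the csf/lfd project: it parses both report shapes into one structure and groups outbound destinations per command line. The sample report, lfd lines, PIDs, username `example` and TEST-NET IP addresses are constructed placeholders, and the second lfd line is a constructed EXE/CMD mismatch used only to exercise the check.

```python
"""Triage helpers for csf/lfd "Suspicious Process" alerts (added example)."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SuspiciousProcess:
    pid: int
    ppid: Optional[int]
    user: str
    uptime: int                                   # seconds
    exe: str                                      # from /proc/<pid>/exe, hard to fake
    cmd: str                                      # argv, trivially faked by the process
    connections: List[Tuple[str, str, int]] = field(default_factory=list)  # (proto, dst, port)


LFD_LINE = re.compile(
    r"\*Suspicious Process\* PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) User:(?P<user>\S+) "
    r"Uptime:(?P<uptime>\d+) secs EXE:(?P<exe>\S+) CMD:(?P<cmd>.+)$"
)
CONN_LINE = re.compile(r"^(?P<proto>tcp|udp):\s*\S+\s*->\s*(?P<dst>[0-9A-Fa-f.:]+):(?P<port>\d+)$")
PID_LINE = re.compile(r"^PID:\s*(?P<pid>\d+)(?:\s*\(Parent PID:\s*(?P<ppid>\d+)\))?")


def parse_lfd_line(line: str) -> Optional[SuspiciousProcess]:
    """Parse one lfd.log summary line; returns None for unrelated log lines."""
    m = LFD_LINE.search(line)
    if not m:
        return None
    return SuspiciousProcess(int(m["pid"]), int(m["ppid"]), m["user"],
                             int(m["uptime"]), m["exe"], m["cmd"].strip())


def parse_csf_report(text: str) -> SuspiciousProcess:
    """Parse the multi-section csf e-mail report into the same structure."""
    pid = ppid = None
    user, uptime, exe, cmd, conns = "", 0, "", "", []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Executable:"):
            section = "exe"
        elif line.startswith("Command Line"):
            section = "cmd"
        elif line.startswith("Network connections"):
            section = "net"
        elif line.startswith(("Files open", "Memory maps")):
            section = None                        # not needed for this triage
        elif PID_LINE.match(line):
            m = PID_LINE.match(line)
            pid, ppid = int(m["pid"]), (int(m["ppid"]) if m["ppid"] else None)
        elif line.startswith("Account:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith("Uptime:"):
            uptime = int(re.search(r"\d+", line).group())
        elif section == "exe" and not exe:
            exe = line
        elif section == "cmd" and not cmd:
            cmd = line
        elif section == "net":
            c = CONN_LINE.match(line)
            if c:
                conns.append((c["proto"], c["dst"], int(c["port"])))
    return SuspiciousProcess(pid, ppid, user, uptime, exe, cmd, conns)


def exe_cmd_mismatch(proc: SuspiciousProcess) -> bool:
    """True when argv[0] does not name the binary that is actually running."""
    argv0 = proc.cmd.split(None, 1)[0] if proc.cmd else ""
    return os.path.basename(argv0) != os.path.basename(proc.exe)


def is_web_app_entrypoint(proc: SuspiciousProcess) -> bool:
    """True when PHP is running a site's front controller (index.php under public_html)."""
    return proc.exe.endswith("php") and re.search(r"/public_html/.*\bindex\.php$", proc.cmd) is not None


def destinations_by_command(procs: List[SuspiciousProcess]) -> Dict[str, Set[str]]:
    """Group distinct outbound destination IPs per command line across many alerts."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for p in procs:
        for _proto, dst, _port in p.connections:
            out[p.cmd].add(dst)
    return dict(out)


def triage(procs: List[SuspiciousProcess]) -> List[str]:
    """Return human-readable findings for a batch of alerts."""
    findings = []
    for p in procs:
        if exe_cmd_mismatch(p):
            findings.append(f"PID {p.pid}: argv claims {p.cmd.split()[0]} but exe is {p.exe}")
        if is_web_app_entrypoint(p) and p.connections:
            findings.append(f"PID {p.pid}: web front controller making outbound connections")
    for cmd, dsts in destinations_by_command(procs).items():
        findings.append(f"{len(dsts)} distinct destination(s) for: {cmd}")
    return findings


# Constructed sample modelled on the csf mail quoted in the thread (TEST-NET addresses).
SAMPLE_CSF_REPORT = """\
Time:    Thu Aug 25 20:32:45 2016 +0300
PID:     601 (Parent PID:32722)
Account: example
Uptime:  62 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php /home/example/public_html/forums/index.php

Network connections by the process (if any):

tcp: 203.0.113.10 -> 198.51.100.7:80

Files open by the process (if any):

Memory maps by the process (if any):

00400000-0109e000 r-xp 00000000 fd:00 680102                             /usr/bin/php
"""

# Constructed lfd.log lines; the second one deliberately has EXE != argv[0].
SAMPLE_LFD_LINES = [
    "*Suspicious Process* PID:26430 PPID:26416 User:example Uptime:118 secs "
    "EXE:/usr/bin/php CMD:/usr/bin/php /home/example/public_html/forums/index.php",
    "*Suspicious Process* PID:26501 PPID:26416 User:example Uptime:40 secs "
    "EXE:/usr/bin/perl CMD:/usr/bin/php /home/example/public_html/forums/index.php",
    "lfd: *User Processes* ... unrelated line",
]

if __name__ == "__main__":
    procs = [parse_csf_report(SAMPLE_CSF_REPORT)]
    procs += [p for p in map(parse_lfd_line, SAMPLE_LFD_LINES) if p]
    for finding in triage(procs):
        print(finding)
```

Feeding a day's worth of lfd.log lines and the saved csf mails through `triage()` turns five separate alerts into one view: the same `index.php` command line, how many distinct destinations it reached, and whether any of the processes was not really the interpreter its argv claimed to be.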
  4. suineg

    suineg Member

    The .170 definitely looks like something suspicious; it's a .cn webserver.

    The other is something weird, but in .nl.
     
  5. Ugur Ilmaz

    Ugur Ilmaz Member

    I have 5 IPs like that.
    Cpanel says that attacker used xenforo's index.php in order to do that.
     