Support

pooyan · #1 06-04-2011, 04:30 AM

Hello,

i received in some times emails from lfd:
could you please help me?

PHP Code:


			
Time:    Sat Jun  4 15:55:15 2011 +0430

PID:     5463

Account: billing

Uptime:  75 seconds





Executable:



/usr/local/lsws/fcgi-bin/lsphp-5.2.17





Command Line (often faked in exploits):



lsphp5:/billing/public_html/admin/clientshosting.php





Network connections by the process (if any):



tcp: 85.10.211.***:55178 -> 85.10.211.***:2086





Files open by the process (if any):



/tmp/session_mm_litespeed503.sem (deleted)

/var/cpanel/locale/en.cdb

/tmp/eaccelerator.litespeed5463.sem.MRopAm (deleted)

/tmp/ZCUD27BPYf (deleted)

/tmp/sess_aff996ad53f70b11938beedf8ead5f58





Memory maps by the process (if any):



00400000-00a73000 r-xp 00000000 09:02 17668                              /usr/local/lsws/fcgi-bin/lsphp-5.2.17

00c72000-00cda000 rw-p 00672000 09:02 17668                              /usr/local/lsws/fcgi-bin/lsphp-5.2.17

00cda000-00ce8000 rw-p 00cda000 00:00 0

06547000-0723e000 rw-p 06547000 00:00 0                                  [heap]

36ff200000-36ff21c000 r-xp 00000000 09:02 24968067                       /lib64/ld-2.5.so

36ff41b000-36ff41c000 r--p 0001b000 09:02 24968067                       /lib64/ld-2.5.so

36ff41c000-36ff41d000 rw-p 0001c000 09:02 24968067                       /lib64/ld-2.5.so

36ff600000-36ff74e000 r-xp 00000000 09:02 24968069                       /lib64/libc-2.5.so

36ff74e000-36ff94e000 ---p 0014e000 09:02 24968069                       /lib64/libc-2.5.so

36ff94e000-36ff952000 r--p 0014e000 09:02 24968069                       /lib64/libc-2.5.so

36ff952000-36ff953000 rw-p 00152000 09:02 24968069                       /lib64/libc-2.5.so

36ff953000-36ff958000 rw-p 36ff953000 00:00 0

36ffa00000-36ffa02000 r-xp 00000000 09:02 24968232                       /lib64/libdl-2.5.so

36ffa02000-36ffc02000 ---p 00002000 09:02 24968232                       /lib64/libdl-2.5.so

36ffc02000-36ffc03000 r--p 00002000 09:02 24968232                       /lib64/libdl-2.5.so

36ffc03000-36ffc04000 rw-p 00003000 09:02 24968232                       /lib64/libdl-2.5.so



7fff952d2000-7fff952fd000 rwxp 7ffffffd2000 00:00 0                      [stack]

7fff952fe000-7fff952fe000 rw-p 7fffffffe000 00:00 0

ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]

NiteWave · #2 06-04-2011, 05:25 AM

it looks clientshosting.php have a lot of access to 85.10.211.***:2086

need check what clientshosting.php is doing.

for quick test, delete or rename clientshosting.php, you may not receive such warnings any more.

pooyan · #3 06-04-2011, 05:34 AM

Quote:

Originally Posted by NiteWave

it looks clientshosting.php have a lot of access to 85.10.211.***:2086

need check what clientshosting.php is doing.

for quick test, delete or rename clientshosting.php, you may not receive such warnings any more.

I received many emails from lfd in /usr/local/lsws/fcgi-bin/lsphp-5.2.17

NiteWave · #4 06-04-2011, 05:49 AM

lsphp-5.2.17 is php engine, it will do anything php scripts tell it to do.

it's some php scripts trying to attack(maybe false alarm) your server, not php engine itself.