lfd on hostname.server.com: Suspicious process running under

Discussion in 'Install/Configuration' started by pooyan, Jun 4, 2011.

  1. pooyan

    pooyan New Member

    Hello,

    I sometimes receive emails like this from lfd.
    Could you please help me?

    PHP:
    Time:    Sat Jun  4 15:55:15 2011 +0430
    PID:     5463
    Account: billing
    Uptime:  75 seconds

    Executable:

    /usr/local/lsws/fcgi-bin/lsphp-5.2.17

    Command Line (often faked in exploits):

    lsphp5:/billing/public_html/admin/clientshosting.php

    Network connections by the process (if any):

    tcp: 85.10.211.***:55178 -> 85.10.211.***:2086

    Files open by the process (if any):

    /tmp/session_mm_litespeed503.sem (deleted)
    /var/cpanel/locale/en.cdb
    /tmp/eaccelerator.litespeed5463.sem.MRopAm (deleted)
    /tmp/ZCUD27BPYf (deleted)
    /tmp/sess_aff996ad53f70b11938beedf8ead5f58

    Memory maps by the process (if any):

    00400000-00a73000 r-xp 00000000 09:02 17668        /usr/local/lsws/fcgi-bin/lsphp-5.2.17
    00c72000-00cda000 rw-p 00672000 09:02 17668        /usr/local/lsws/fcgi-bin/lsphp-5.2.17
    00cda000-00ce8000 rw-p 00cda000 00:00 0
    06547000-0723e000 rw-p 06547000 00:00 0            [heap]
    36ff200000-36ff21c000 r-xp 00000000 09:02 24968067    /lib64/ld-2.5.so
    36ff41b000-36ff41c000 r--p 0001b000 09:02 24968067    /lib64/ld-2.5.so
    36ff41c000-36ff41d000 rw-p 0001c000 09:02 24968067    /lib64/ld-2.5.so
    36ff600000-36ff74e000 r-xp 00000000 09:02 24968069    /lib64/libc-2.5.so
    36ff74e000-36ff94e000 ---p 0014e000 09:02 24968069    /lib64/libc-2.5.so
    36ff94e000-36ff952000 r--p 0014e000 09:02 24968069    /lib64/libc-2.5.so
    36ff952000-36ff953000 rw-p 00152000 09:02 24968069    /lib64/libc-2.5.so
    36ff953000-36ff958000 rw-p 36ff953000 00:00 0
    36ffa00000-36ffa02000 r-xp 00000000 09:02 24968232    /lib64/libdl-2.5.so
    36ffa02000-36ffc02000 ---p 00002000 09:02 24968232    /lib64/libdl-2.5.so
    36ffc02000-36ffc03000 r--p 00002000 09:02 24968232    /lib64/libdl-2.5.so
    36ffc03000-36ffc04000 rw-p 00003000 09:02 24968232    /lib64/libdl-2.5.so

    7fff952d2000-7fff952fd000 rwxp 7ffffffd2000 00:00 0    [stack]
    7fff952fe000-7fff952fe000 rw-p 7fffffffe000 00:00 0
    ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0    [vdso]
  2. NiteWave

    NiteWave Administrator

    It looks like clientshosting.php has a lot of access to 85.10.211.***:2086.

    You need to check what clientshosting.php is doing.

    For a quick test, delete or rename clientshosting.php; you may not receive such warnings any more.
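    One way to act on that advice before touching the script, as an added example that is not part of this thread and not lfd/CSF code: parse the report format lfd mails and apply a few triage rules to it. The sample report below is constructed to mirror the one quoted in the first post (IPs masked as there); the rule thresholds, the BENIGN_TMP pattern and the function names are this example's own assumptions, while the port table lists the standard cPanel (2082/2083) and WHM (2086/2087) service ports.

```python
import re

# Directories from which no legitimate interpreter or daemon should be running.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Standard cPanel/WHM service ports: a billing script calling the WHM API is ordinary.
CPANEL_PORTS = {2082: "cpanel", 2083: "cpanel-ssl", 2086: "whm", 2087: "whm-ssl"}
# Temp files a PHP worker normally holds: PHP session files and opcode-cache
# semaphores. This pattern is an assumption of the example; tune it to the server.
BENIGN_TMP = re.compile(
    r"^/tmp/(sess_[0-9a-f]+|[A-Za-z0-9_.]+\.sem(\.\w+)?)( \(deleted\))?$")

# Constructed sample modelled on the alert quoted in the post.
SAMPLE_ALERT = """Time:    Sat Jun  4 15:55:15 2011 +0430
PID:     5463
Account: billing
Uptime:  75 seconds

Executable:

/usr/local/lsws/fcgi-bin/lsphp-5.2.17

Command Line (often faked in exploits):

lsphp5:/billing/public_html/admin/clientshosting.php

Network connections by the process (if any):

tcp: 85.10.211.***:55178 -> 85.10.211.***:2086

Files open by the process (if any):

/tmp/session_mm_litespeed503.sem (deleted)
/var/cpanel/locale/en.cdb
/tmp/eaccelerator.litespeed5463.sem.MRopAm (deleted)
/tmp/ZCUD27BPYf (deleted)
/tmp/sess_aff996ad53f70b11938beedf8ead5f58
"""


def parse_alert(text):
    """Split an lfd report into its header fields and labelled sections."""
    header, sections, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"^(Time|PID|Account|Uptime):\s*(.*)$", line)
        if m and current is None:
            header[m.group(1).lower()] = m.group(2).strip()
            continue
        # Section headers look like "Executable:" or "Files open by the process (if any):"
        m = re.match(r"^([A-Z][A-Za-z ]*?)(?: \([^)]*\))?:\s*$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    conns = []
    for line in sections.get("network connections by the process", []):
        m = re.match(r"^(tcp|udp):?\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$", line)
        if m:
            conns.append({"proto": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                          "dst": m.group(4), "dport": int(m.group(5))})
    return {
        "pid": int(header.get("pid", "0")),
        "account": header.get("account", ""),
        "uptime": int(header.get("uptime", "0 seconds").split()[0]),
        "executable": " ".join(sections.get("executable", [])),
        "cmdline": " ".join(sections.get("command line", [])),
        "connections": conns,
        "open_files": sections.get("files open by the process", []),
    }


def triage(alert):
    """Apply simple rules; returns the PHP script (if any), findings and a severity."""
    findings, severity = [], "review"
    exe = alert["executable"]
    if exe.startswith(TEMP_DIRS) or exe.endswith("(deleted)"):
        findings.append("executable runs from a temp dir or was unlinked: treat as hostile")
        severity = "high"
    # LiteSpeed's lsphp rewrites argv[0] to "lsphpN:<script>"; the script is the thing to audit.
    script = None
    m = re.match(r"^lsphp\d*:(/\S+)", alert["cmdline"])
    if m:
        script = m.group(1)
        findings.append("PHP engine: audit %s, not %s" % (script, exe))
    for c in alert["connections"]:
        svc = CPANEL_PORTS.get(c["dport"])
        if svc:
            findings.append("%s to %s:%d (%s): plausible control-panel API call; confirm the "
                            "script is expected to do this" % (c["proto"], c["dst"], c["dport"], svc))
        else:
            findings.append("%s to %s:%d: unexpected destination, inspect"
                            % (c["proto"], c["dst"], c["dport"]))
    for f in alert["open_files"]:
        if f.startswith(TEMP_DIRS) and not BENIGN_TMP.match(f):
            findings.append("open temp file %s is not a session/semaphore: find what wrote it" % f)
    return {"script": script, "severity": severity, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_alert(SAMPLE_ALERT))
    print(result["severity"], result["script"])
    for line in result["findings"]:
        print(" -", line)
```

    On the sample this yields "review": the binary is LiteSpeed's own lsphp, the connection goes to the WHM port, and the only oddity is the unlinked /tmp/ZCUD27BPYf. Running the same rules over a mailbox of these reports separates the one-off curiosities from anything executing out of /tmp, which is what actually deserves an incident.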
  3. pooyan

    pooyan New Member

    I received many emails from lfd about /usr/local/lsws/fcgi-bin/lsphp-5.2.17
  4. NiteWave

    NiteWave Administrator

    lsphp-5.2.17 is the PHP engine; it will do anything PHP scripts tell it to do.

    It's some PHP script trying to attack your server (maybe a false alarm), not the PHP engine itself.
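    Since the interpreter only does what the script tells it, the useful next step is to look at the live process while it still exists, and at the kernel's view of it rather than the command line it reports about itself. The following is an added example, not from this thread or from LiteSpeed or CSF: it reads the stock /proc entries for a PID, recovers the script name from lsphp's rewritten argv[0], lists open (and already-deleted) files, and compares the self-reported argv[0] against the real binary behind /proc/PID/exe, which the process cannot alter. The function names and the argv-versus-exe heuristic are this example's own; it needs a Linux /proc and returns None where that is unavailable or the process is gone.

```python
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:
        return None


def inspect_process(pid):
    """Return the kernel's view of one process, or None if it is gone or unreadable."""
    base = "/proc/%d" % pid
    exe = _readlink(base + "/exe")          # real binary; the process cannot fake this
    if exe is None:
        return None
    try:
        with open(base + "/cmdline", "rb") as f:
            argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    fds = []                                 # (fd number, link target)
    fd_dir = base + "/fd"
    for name in (os.listdir(fd_dir) if os.path.isdir(fd_dir) else []):
        target = _readlink(os.path.join(fd_dir, name))
        if target is not None and name.isdigit():
            fds.append((int(name), target))
    argv0 = argv[0] if argv else ""
    # LiteSpeed's lsphp rewrites argv[0] to "lsphpN:<script>"; the script is what to audit.
    php_script = argv0.split(":", 1)[1] if argv0.startswith("lsphp") and ":" in argv0 else None
    # argv is writable by the process; /proc/<pid>/exe is not. Heuristic (an assumption of
    # this example): drop trailing version digits from argv[0]'s basename and expect the real
    # binary's name to start with it (lsphp5 vs lsphp-5.2.17, python3 vs python3.11).
    claimed = os.path.basename(argv0.split(":", 1)[0]).rstrip("0123456789")
    real = os.path.basename(exe.replace(" (deleted)", ""))
    return {
        "pid": pid,
        "exe": exe,
        "cwd": _readlink(base + "/cwd"),
        "argv": argv,
        "php_script": php_script,
        "open_files": [t for _, t in fds],
        "deleted_fds": [(n, t) for n, t in fds if t.endswith(" (deleted)")],
        "exe_deleted": exe.endswith(" (deleted)"),
        "exe_in_tmp": exe.startswith(TEMP_DIRS),
        "argv0_matches_exe": bool(claimed) and real.startswith(claimed),
    }


def findings(info):
    """Turn the raw /proc view into the points a responder should act on."""
    out = []
    if info["exe_in_tmp"] or info["exe_deleted"]:
        out.append("binary runs from a temp dir or has been unlinked: treat as hostile")
    if not info["argv0_matches_exe"]:
        out.append("argv[0] %r does not match %s: command line may be faked"
                   % (info["argv"][0] if info["argv"] else "", info["exe"]))
    if info["php_script"]:
        out.append("PHP engine; audit %s rather than %s" % (info["php_script"], info["exe"]))
    for n, t in info["deleted_fds"]:
        if t.startswith(TEMP_DIRS):
            # An unlinked file is still readable through its fd until the process exits.
            out.append("deleted temp file %s still open; copy /proc/%d/fd/%d now to keep it"
                       % (t, info["pid"], n))
    return out


def inspect_self():
    """Convenience wrapper: inspect the interpreter running this script."""
    return inspect_process(os.getpid())


if __name__ == "__main__":
    import sys
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    info = inspect_process(target)
    if info is None:
        print("no readable /proc entry for pid", target)
    else:
        print(info["exe"], info["argv"][:2], info["php_script"])
        for line in findings(info):
            print(" -", line)
```

    Run it as root with the PID from the lfd mail while the process is still alive (lfd reported an uptime of only 75 seconds, so this is a race). The script path it prints is what to diff against a clean copy of the billing application; if the process has already exited, the only remaining evidence is the web server's access log for that script around the alert time.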
