« previous next »
Pages: [1]

Author Topic: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached  (Read 2792 times)

0 Members and 1 Guest are viewing this topic.

Offline
furkany
*
Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« on: May 10, 2023, 09:33:28 PM »
 Hello

I always get mail like this, I wonder why. what can i do please help me thank you everyone.


Time:    Thu May 11 00:00:05 2023 +0300
PID:     827 (Parent PID:827)
Account: memcached
Uptime:  49461 seconds


Executable:

/usr/bin/memcached


Command Line (often faked in exploits):

/usr/bin/memcached -u memcached -p 11211 -m 64 -c 1024


Network connections by the process (if any):

tcp: 127.0.0.1:11211 -> 127.0.0.1:34788


Files open by the process (if any):

/dev/null
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]


Memory maps by the process (if any):

55b808e7c000-55b808e95000 r-xp 00000000 08:03 7221025                    /usr/bin/memcached
55b809095000-55b809096000 r--p 00019000 08:03 7221025                    /usr/bin/memcached
55b809096000-55b809097000 rw-p 0001a000 08:03 7221025                    /usr/bin/memcached
55b809097000-55b80909f000 rw-p 00000000 00:00 0
55b80a096000-55b80a0b7000 rw-p 00000000 00:00 0                          [heap]
7f0774000000-7f0774027000 rw-p 00000000 00:00 0
7f0774027000-7f0778000000 ---p 00000000 00:00 0
7f077c000000-7f077c027000 rw-p 00000000 00:00 0
7f077c027000-7f0780000000 ---p 00000000 00:00 0
7f0780000000-7f0780027000 rw-p 00000000 00:00 0
7f0780027000-7f0784000000 ---p 00000000 00:00 0
7f0784000000-7f078402a000 rw-p 00000000 00:00 0
7f078402a000-7f0788000000 ---p 00000000 00:00 0
7f078aa6a000-7f078aa6b000 ---p 00000000 00:00 0
7f078aa6b000-7f078b26b000 rw-p 00000000 00:00 0
7f078b26b000-7f078b26c000 ---p 00000000 00:00 0
7f078b26c000-7f078ba6c000 rw-p 00000000 00:00 0
7f078ba6c000-7f078ba6d000 ---p 00000000 00:00 0
7f078ba6d000-7f078c26d000 rw-p 00000000 00:00 0
7f078c26d000-7f078c26e000 ---p 00000000 00:00 0
7f078c26e000-7f078ca6e000 rw-p 00000000 00:00 0
7f078ca6e000-7f078ca6f000 ---p 00000000 00:00 0
7f078ca6f000-7f078d26f000 rw-p 00000000 00:00 0
7f078d26f000-7f078d27b000 r-xp 00000000 08:03 7213201                    /usr/lib64/libnss_files-2.17.so
7f078d27b000-7f078d47a000 ---p 0000c000 08:03 7213201                    /usr/lib64/libnss_files-2.17.so
7f078d47a000-7f078d47b000 r--p 0000b000 08:03 7213201                    /usr/lib64/libnss_files-2.17.so
7f078d47b000-7f078d47c000 rw-p 0000c000 08:03 7213201                    /usr/lib64/libnss_files-2.17.so
7f078d47c000-7f078d482000 rw-p 00000000 00:00 0
7f078d482000-7f078d4e2000 r-xp 00000000 08:03 7212413                    /usr/lib64/libpcre.so.1.2.0
7f078d4e2000-7f078d6e2000 ---p 00060000 08:03 7212413                    /usr/lib64/libpcre.so.1.2.0
7f078d6e2000-7f078d6e3000 r--p 00060000 08:03 7212413                    /usr/lib64/libpcre.so.1.2.0
7f078d6e3000-7f078d6e4000 rw-p 00061000 08:03 7212413                    /usr/lib64/libpcre.so.1.2.0
7f078d6e4000-7f078d708000 r-xp 00000000 08:03 7210093                    /usr/lib64/libselinux.so.1
7f078d708000-7f078d907000 ---p 00024000 08:03 7210093                    /usr/lib64/libselinux.so.1
7f078d907000-7f078d908000 r--p 00023000 08:03 7210093                    /usr/lib64/libselinux.so.1
7f078d908000-7f078d909000 rw-p 00024000 08:03 7210093                    /usr/lib64/libselinux.so.1
7f078d909000-7f078d90b000 rw-p 00000000 00:00 0
7f078d90b000-7f078d90e000 r-xp 00000000 08:03 7212497                    /usr/lib64/libkeyutils.so.1.5
7f078d90e000-7f078db0d000 ---p 00003000 08:03 7212497                    /usr/lib64/libkeyutils.so.1.5
7f078db0d000-7f078db0e000 r--p 00002000 08:03 7212497                    /usr/lib64/libkeyutils.so.1.5
7f078db0e000-7f078db0f000 rw-p 00003000 08:03 7212497                    /usr/lib64/libkeyutils.so.1.5
7f078db0f000-7f078db11000 r-xp 00000000 08:03 7210504                    /usr/lib64/libfreebl3.so
7f078db11000-7f078dd10000 ---p 00002000 08:03 7210504                    /usr/lib64/libfreebl3.so
7f078dd10000-7f078dd11000 r--p 00001000 08:03 7210504                    /usr/lib64/libfreebl3.so
7f078dd11000-7f078dd12000 rw-p 00002000 08:03 7210504                    /usr/lib64/libfreebl3.so
7f078dd12000-7f078dd20000 r-xp 00000000 08:03 7212736                    /usr/lib64/libkrb5support.so.0.1
7f078dd20000-7f078df20000 ---p 0000e000 08:03 7212736                    /usr/lib64/libkrb5support.so.0.1
7f078df20000-7f078df21000 r--p 0000e000 08:03 7212736                    /usr/lib64/libkrb5support.so.0.1
7f078df21000-7f078df22000 rw-p 0000f000 08:03 7212736                    /usr/lib64/libkrb5support.so.0.1
7f078df22000-7f078df25000 r-xp 00000000 08:03 7213222                    /usr/lib64/libcom_err.so.2.1
7f078df25000-7f078e124000 ---p 00003000 08:03 7213222                    /usr/lib64/libcom_err.so.2.1
7f078e124000-7f078e125000 r--p 00002000 08:03 7213222                    /usr/lib64/libcom_err.so.2.1
7f078e125000-7f078e126000 rw-p 00003000 08:03 7213222                    /usr/lib64/libcom_err.so.2.1
7f078e126000-7f078e157000 r-xp 00000000 08:03 7212660                    /usr/lib64/libk5crypto.so.3.1
7f078e157000-7f078e356000 ---p 00031000 08:03 7212660                    /usr/lib64/libk5crypto.so.3.1
7f078e356000-7f078e358000 r--p 00030000 08:03 7212660                    /usr/lib64/libk5crypto.so.3.1
7f078e358000-7f078e359000 rw-p 00032000 08:03 7212660                    /usr/lib64/libk5crypto.so.3.1
7f078e359000-7f078e432000 r-xp 00000000 08:03 7210063                    /usr/lib64/libkrb5.so.3.3
7f078e432000-7f078e631000 ---p 000d9000 08:03 7210063                    /usr/lib64/libkrb5.so.3.3
7f078e631000-7f078e63f000 r--p 000d8000 08:03 7210063                    /usr/lib64/libkrb5.so.3.3
7f078e63f000-7f078e642000 rw-p 000e6000 08:03 7210063                    /usr/lib64/libkrb5.so.3.3
7f078e642000-7f078e68c000 r-xp 00000000 08:03 7210061                    /usr/lib64/libgssapi_krb5.so.2.2
7f078e68c000-7f078e88c000 ---p 0004a000 08:03 7210061                    /usr/lib64/libgssapi_krb5.so.2.2
7f078e88c000-7f078e88d000 r--p 0004a000 08:03 7210061                    /usr/lib64/libgssapi_krb5.so.2.2
7f078e88d000-7f078e88f000 rw-p 0004b000 08:03 7210061                    /usr/lib64/libgssapi_krb5.so.2.2
7f078e88f000-7f078e897000 r-xp 00000000 08:03 7212237                    /usr/lib64/libcrypt-2.17.so
7f078e897000-7f078ea96000 ---p 00008000 08:03 7212237                    /usr/lib64/libcrypt-2.17.so
7f078ea96000-7f078ea97000 r--p 00007000 08:03 7212237                    /usr/lib64/libcrypt-2.17.so
7f078ea97000-7f078ea98000 rw-p 00008000 08:03 7212237                    /usr/lib64/libcrypt-2.17.so
7f078ea98000-7f078eac6000 rw-p 00000000 00:00 0
7f078eac6000-7f078eadc000 r-xp 00000000 08:03 7210090                    /usr/lib64/libresolv-2.17.so
7f078eadc000-7f078ecdc000 ---p 00016000 08:03 7210090                    /usr/lib64/libresolv-2.17.so
7f078ecdc000-7f078ecdd000 r--p 00016000 08:03 7210090                    /usr/lib64/libresolv-2.17.so
7f078ecdd000-7f078ecde000 rw-p 00017000 08:03 7210090                    /usr/lib64/libresolv-2.17.so
7f078ecde000-7f078ece0000 rw-p 00000000 00:00 0
7f078ece0000-7f078ece2000 r-xp 00000000 08:03 7212291                    /usr/lib64/libdl-2.17.so
7f078ece2000-7f078eee2000 ---p 00002000 08:03 7212291                    /usr/lib64/libdl-2.17.so
7f078eee2000-7f078eee3000 r--p 00002000 08:03 7212291                    /usr/lib64/libdl-2.17.so
7f078eee3000-7f078eee4000 rw-p 00003000 08:03 7212291                    /usr/lib64/libdl-2.17.so
7f078eee4000-7f078f0a8000 r-xp 00000000 08:03 7212585                    /usr/lib64/libc-2.17.so
7f078f0a8000-7f078f2a7000 ---p 001c4000 08:03 7212585                    /usr/lib64/libc-2.17.so
7f078f2a7000-7f078f2ab000 r--p 001c3000 08:03 7212585                    /usr/lib64/libc-2.17.so
7f078f2ab000-7f078f2ad000 rw-p 001c7000 08:03 7212585                    /usr/lib64/libc-2.17.so
7f078f2ad000-7f078f2b2000 rw-p 00000000 00:00 0
7f078f2b2000-7f078f2c9000 r-xp 00000000 08:03 7212475                    /usr/lib64/libpthread-2.17.so
7f078f2c9000-7f078f4c8000 ---p 00017000 08:03 7212475                    /usr/lib64/libpthread-2.17.so
7f078f4c8000-7f078f4c9000 r--p 00016000 08:03 7212475                    /usr/lib64/libpthread-2.17.so
7f078f4c9000-7f078f4ca000 rw-p 00017000 08:03 7212475                    /usr/lib64/libpthread-2.17.so
7f078f4ca000-7f078f4ce000 rw-p 00000000 00:00 0
7f078f4ce000-7f078f4ea000 r-xp 00000000 08:03 7212258                    /usr/lib64/libsasl2.so.3.0.0
7f078f4ea000-7f078f6e9000 ---p 0001c000 08:03 7212258                    /usr/lib64/libsasl2.so.3.0.0
7f078f6e9000-7f078f6ea000 r--p 0001b000 08:03 7212258                    /usr/lib64/libsasl2.so.3.0.0
7f078f6ea000-7f078f6eb000 rw-p 0001c000 08:03 7212258                    /usr/lib64/libsasl2.so.3.0.0
7f078f6eb000-7f078f731000 r-xp 00000000 08:03 7217687                    /usr/lib64/libevent-2.0.so.5.1.9
7f078f731000-7f078f930000 ---p 00046000 08:03 7217687                    /usr/lib64/libevent-2.0.so.5.1.9
7f078f930000-7f078f931000 r--p 00045000 08:03 7217687                    /usr/lib64/libevent-2.0.so.5.1.9
7f078f931000-7f078f932000 rw-p 00046000 08:03 7217687                    /usr/lib64/libevent-2.0.so.5.1.9
7f078f932000-7f078f933000 rw-p 00000000 00:00 0
7f078f933000-7f078f955000 r-xp 00000000 08:03 7216402                    /usr/lib64/ld-2.17.so
7f078fa90000-7f078fb43000 rw-p 00000000 00:00 0
7f078fb53000-7f078fb54000 rw-p 00000000 00:00 0
7f078fb54000-7f078fb55000 r--p 00021000 08:03 7216402                    /usr/lib64/ld-2.17.so
7f078fb55000-7f078fb56000 rw-p 00022000 08:03 7216402                    /usr/lib64/ld-2.17.so
7f078fb56000-7f078fb57000 rw-p 00000000 00:00 0
7ffd39de0000-7ffd39e01000 rw-p 00000000 00:00 0                          [stack]
7ffd39e75000-7ffd39e77000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Logged
Offline
cyberspace
**
Re: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« Reply #1 on: May 11, 2023, 10:08:45 AM »
Hi,

memcached is a caching daemon/service.

If your websites don't use memcached and you don't need it then just stop memcached.
Code: [Select]
service memcached stoprun as root in console (terminal).

In other case you put the line:
Code: [Select]
exe:/usr/bin/memcachedinto the file: /etc/csf/csf.pignore
and then restart CSF:
Code: [Select]
csf -rrun it as root in console (terminal).
Logged
Offline
overseer
*****
Re: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« Reply #2 on: May 11, 2023, 12:51:36 PM »
And to underscore the importance of not running unneeded services: memcached is often used in amplification attacks to send junk traffic at DDoS targets. Memcached is a potent weapon in this case, amplifying traffic up to 50,000x the original payload!

https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/
Logged
Offline
furkany
*
Re: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« Reply #3 on: May 11, 2023, 08:55:13 PM »
thank you guys all. but this time, as I mentioned below, an e-mail keeps coming.

Time:         Thu May 11 23:01:14 2023 +0300

Account:      redis
Resource:     Process Time
Exceeded:     132330 > 1800 (seconds)
Logged
Offline
overseer
*****
Re: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« Reply #4 on: May 12, 2023, 01:39:16 PM »
Again, same advice applies -- if you don't need to run Redis, disable it. If you need to run it, add it to the CSF/LDF pignore file. When I was first setting up CWP servers, I had to add several processes to the pignore file, as I was being bothered to death by several message types. I also had to increase the IMAP authentication failure block thresholds, as users would often shoot themselves in the foot with bad authentication plugged into their mail clients -- resulting in their IP getting blocked. Thank you Thunderbird for the ridiculous every 5 min mailbox checking default! (In the days before push notifications, there was POP...)
Logged
Offline
furkany
*
Re: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« Reply #5 on: May 12, 2023, 09:50:43 PM »
Time:     Sat May 13 00:41:41 2023 +0300
IP:       46.148.40.198 (IR/Iran/-)

Thanks for your reply, I did what you said and closed both of them. This time, as follows, a continuous mail comes every 2 minutes. They try with different ip addresses. How can I prevent this. Thank you very much in advance.



Failures: 5 (smtpauth)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SMTPAUTH]

Log entries:

May 13 00:08:23 cwp postfix/smtpd[24472]: warning: unknown[46.148.40.198]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 00:16:31 cwp postfix/smtpd[25050]: warning: unknown[46.148.40.198]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 00:24:43 cwp postfix/smtpd[25457]: warning: unknown[46.148.40.198]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 00:31:45 cwp postfix/smtpd[27316]: warning: unknown[46.148.40.198]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 13 00:41:36 cwp postfix/smtpd[28342]: warning: unknown[46.148.40.198]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Logged
Offline
overseer
*****
Re: Help me. lfd on cwp.xxxxxx.com: Suspicious process running under user memcached
« Reply #6 on: May 12, 2023, 10:51:10 PM »
Likewise, turn off SMTP AUTH failure notices or you will be bothered to death by all the script kiddies (and Chinese nationals) attempting various username:password combos.

Edit /etc/csf/csf.conf
Code: [Select]
LF_PERMBLOCK_ALERT = "0"
Logged
Pages: [1]
« previous next »