Author Topic: lfd on SERVERName : Suspicious process running under user netdata  (Read 1273 times)


Hello  :)
I hope you are doing well...
I got an email: lfd on servername: Suspicious process running under user netdata >>>>>>>>>

It's annoying.
How can I stop this alert?
Or disable netdata?

Regards
« Last Edit: February 26, 2019, 02:09:54 PM by Mighty Dr.Wolf »

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #1 on: February 27, 2019, 03:46:20 AM »
Post the complete content of that mail.

To suppress those messages, you must include something like the following (for example for "amavisd") in the file "/etc/csf/csf.pignore":
Code:
exe:/usr/bin/perl
user:amavis
cmd:/usr/sbin/amavisd

Regards,
Netino

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #2 on: February 27, 2019, 05:58:16 PM »
Thanks for answering.
This is the whole email:

Code:
Time:    Wed Feb 27 12:01:51 2019 -0500
PID:     8276 (Parent PID:8145)
Account: netdata
Uptime:  236781 seconds


Executable:

/usr/bin/python2.7


Command Line (often faked in exploits):

/usr/bin/python /usr/libexec/netdata/plugins.d/python.d.plugin 1


Network connections by the process (if any):

tcp: 127.0.0.1:40696 -> 127.0.0.1:80
tcp6: 0:0:0:0:0:0:0:1:58076 -> 0:0:0:0:0:0:0:1:8181




Files open by the process (if any):

/dev/null
/var/log/netdata/error.log-20190226 (deleted)
/dev/urandom


Memory maps by the process (if any):


I deleted half of it because it's really big.


So what should I do?
It comes to me like every hour....

Regards

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #3 on: March 01, 2019, 11:49:26 PM »
Hello again
I'm sorry, but I really need your help...

I also tried:
"
exe:/usr/bin/perl
user:Netdata
cmd:/usr/sbin/Netdata
"
It didn't work.

I read this answer on another topic:
"
You can whitelist your PHP script by adding its full path in the file below, or you can also add a user to ignore files owned by a particular user.

    /etc/csf/csf.fignore

"

How do I do that?
Thanks
« Last Edit: March 02, 2019, 12:05:27 AM by Mighty Dr.Wolf »

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #4 on: March 02, 2019, 02:35:28 AM »
Thank God, it's finished  8)

I did just 2 things,
but I think one of them is the correct one.

The first:
I added to /etc/csf/csf.pignore
Code:
exe:/usr/bin/python2.7

The second:
From CWP > Security > CSF Firewall > Firewall Configuration
I searched for: PT_USERPROC =

I found it at 10 and I changed it to 0,
and finished.

I don't know if it's correct or not,
but now there are no more notifications.

If what I did is correct, please tell me, and if it's not, tell me how to correct what I did.

thanks
Regards

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #5 on: March 03, 2019, 03:36:28 AM »
(...)
The second:
From CWP > Security > CSF Firewall > Firewall Configuration
I searched for: PT_USERPROC =

I found it at 10 and I changed it to 0,
and finished.
(...)

You disabled that feature; I would not recommend that you do that.

Also, it seems you don't have a 'Netdata' user, but instead a 'netdata' user. The letter case is an important difference.
I would first try the inclusion in the file 'csf.pignore' of:
Code:
exe:/usr/bin/python2.7
user:netdata
cmd:netdata

IMPORTANT: Don't list the paths to the "cmd" line (as would perl or php), as this will prevent detection of really suspicious web scripts.
Try to find the command line "cmd" by searching the /proc process structure.

Regards,
Netino
« Last Edit: March 03, 2019, 03:41:01 AM by Netino »

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #6 on: March 03, 2019, 09:32:47 PM »
Sorry, it is still incomplete.
As per your mail message, you could try to use:
Code:
exe:/usr/bin/python2.7
user:netdata
cmd:/usr/bin/python /usr/libexec/netdata/plugins.d/python.d.plugin 1

This should properly ignore all python processes executing that specific file.

If your netdata command line is not like the above, another thing you could try is the argument to "pcmd" too:

pcmd:*/usr/libexec/netdata/plugins.d/python.d.plugin 1

This will ignore all commands ending in the path of the file, which includes python processes.
Like in:
Code:
exe:/usr/bin/python2.7
user:netdata
pcmd:*/usr/libexec/netdata/plugins.d/python.d.plugin 1

So, whether it is invoked as "/usr/bin/python2.7" or instead as "/usr/bin/python" (or yet any other) is indifferent; this command could target them.

And don't forget to restart csf:
Code:
# csf -x; csf -e
« Last Edit: March 03, 2019, 09:37:01 PM by Netino »
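To make the difference between the rule variants discussed in this thread concrete, here is a small model of how csf.pignore lines match a process record. It is an added example, not csf's own code: "exe:", "user:" and "cmd:" compare exactly against the process's executable, owner and full command line as the replies describe, while the model assumes each pignore line is an independent rule (any matching line ignores the process) and treats the "pcmd:" pattern as a shell-style glob rather than csf's own pattern syntax. The two process records and the "webuser" script are constructed sample data, the first taken from the lfd alert quoted above.

```python
"""Model of csf.pignore matching (added example, not csf's own code).

Assumptions of the model: each pignore line is an independent rule, and a
process is ignored if ANY line matches; "pcmd:" is treated as a shell-style
glob, not csf's real pattern syntax.
"""
import fnmatch
from typing import Dict, List, Tuple

# Process record constructed from the lfd alert quoted in this thread.
NETDATA_PLUGIN = {
    "exe": "/usr/bin/python2.7",
    "user": "netdata",
    "cmd": "/usr/bin/python /usr/libexec/netdata/plugins.d/python.d.plugin 1",
}

# Constructed record of an unrelated Python process under a web user;
# a good rule set should NOT hide this one from lfd.
WEB_USER_SCRIPT = {
    "exe": "/usr/bin/python2.7",
    "user": "webuser",
    "cmd": "/usr/bin/python /home/webuser/public_html/uploads/tmp.py",
}


def parse_pignore(text: str) -> List[Tuple[str, str]]:
    """Turn csf.pignore text into (kind, value) rules; blanks and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in ("exe", "user", "cmd", "pcmd"):
            rules.append((kind, value.strip()))
    return rules


def rule_matches(rule: Tuple[str, str], proc: Dict[str, str]) -> bool:
    """exe/user/cmd compare exactly and case-sensitively; pcmd is a glob over the command line."""
    kind, value = rule
    if kind == "pcmd":
        return fnmatch.fnmatchcase(proc["cmd"], value)
    return proc[kind] == value


def is_ignored(pignore_text: str, proc: Dict[str, str]) -> bool:
    """A process is ignored when any single line matches (model assumption)."""
    return any(rule_matches(r, proc) for r in parse_pignore(pignore_text))


# Reply #3: wrong letter case and wrong path, so nothing matches the real process.
WRONG_CASE = "exe:/usr/bin/perl\nuser:Netdata\ncmd:/usr/sbin/Netdata\n"
# Reply #4: a bare interpreter line silences the alert, but for every Python
# process on the box, which is why Reply #5 advises against it.
BARE_INTERPRETER = "exe:/usr/bin/python2.7\n"
# Reply #6: the exact command line from the alert, or a pattern anchored on the
# plugin path, so only the netdata plugin is ignored.
EXACT_CMD = "cmd:/usr/bin/python /usr/libexec/netdata/plugins.d/python.d.plugin 1\n"
PLUGIN_PATTERN = "pcmd:*/usr/libexec/netdata/plugins.d/python.d.plugin 1\n"

if __name__ == "__main__":
    for name, text in [("wrong case", WRONG_CASE), ("bare interpreter", BARE_INTERPRETER),
                       ("exact cmd", EXACT_CMD), ("plugin pattern", PLUGIN_PATTERN)]:
        print(f"{name:16s} netdata ignored={is_ignored(text, NETDATA_PLUGIN)!s:5} "
              f"web script ignored={is_ignored(text, WEB_USER_SCRIPT)}")
```

Running it shows that only the cmd- or pcmd-based rules ignore the netdata plugin while still leaving the web user's script visible to lfd.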

Re: lfd on SERVERName : Suspicious process running under user netdata
« Reply #7 on: March 04, 2019, 05:22:42 PM »
Thank you so much.
I tried only this one:
Code:
exe:/usr/bin/python2.7
user:netdata
cmd:/usr/bin/python /usr/libexec/netdata/plugins.d/python.d.plugin 1


And it worked well.

I appreciate your help
Thank you
Regards