

Messages - asrof_id

How to / Re: how to secure CentOS server using CWP features
« on: April 14, 2015, 09:49:48 AM »
After doing those 3 steps I am getting many emails from root:

These are two examples.

(1) Email one
------------------------------
Subject: Suspicious File Alert
--
Email content:
Time:   Tue Apr 14 05:40:45 2015 -0400
File:   /tmp/apache-build/apr-util-1.5.3/xml/expat/conftools/mkinstalldirs
Reason: Script, starts with #!
Owner:  : (1000:1000)
Action: No action taken

(2) Email two
---------------
Subject: Suspicious process running under user postfix
Email content:
Time:    Tue Apr 14 05:46:41 2015 -0400
PID:     6817 (Parent PID:1209)
Account: postfix
Uptime:  61 seconds


Executable:

/usr/libexec/postfix/smtpd


Command Line (often faked in exploits):

smtpd -n smtp -t inet -u -o stress=


Network connections by the process (if any):

tcp: 0.0.0.0:25 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/var/spool/postfix/pid/inet.smtp
[eventpoll]
/etc/aliases.db
/etc/aliases.db


Memory maps by the process (if any):


Hello,

I have an email from root that says "Suspicious process running under user mysql".
What should I do?

The email content is included in the footer.

Thanks,

Asrof
--------------------
Email content:
---------------
Time:    Tue Apr 14 02:32:44 2015 -0400
PID:     1099 (Parent PID:996)
Account: mysql
Uptime:  3721 seconds


Executable:

/usr/libexec/mysqld


Command Line (often faked in exploits):

/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock


Network connections by the process (if any):

tcp: 0.0.0.0:3306 -> 0.0.0.0:0


Files open by the process (if any):


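An added example, not code from this thread or from CWP: a small Python triage script for the "Suspicious process" mail format quoted in the two posts above. It parses the header fields and sections, then checks the executable, service account and listening ports against an inventory of expected daemons; the inventory, the embedded sample text and the csf.pignore suggestion are assumptions, the last one resting on these alerts being LFD (CSF) mails, as their layout indicates.

```python
import re

# Known-good daemons on this host (assumption: illustrative inventory): executable -> (account, listening ports).
KNOWN_DAEMONS = {"/usr/libexec/postfix/smtpd": ("postfix", {25}),
                 "/usr/libexec/mysqld": ("mysql", {3306})}
HEADER_RE = re.compile(r"^(Time|PID|Account|Uptime):\s*(.*)$")

def parse_alert(text):
    """Split an LFD 'Suspicious process' mail body into header fields and named sections."""
    alert, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER_RE.match(line)
        if m and section is None:
            alert[m.group(1).lower()] = m.group(2)
        elif line.endswith(":"):  # "Executable:", "Command Line (...):", "Network connections ...:"
            section = line.split()[0].rstrip(":").lower()
            alert[section] = []
        elif section:
            alert[section].append(line)
    return alert

def triage(alert):
    """Return (verdict, reasons, csf.pignore lines) for a parsed alert."""
    exe = (alert.get("executable") or [""])[0]
    # Local port of each "proto: local -> remote" line, e.g. "tcp: 0.0.0.0:25 -> 0.0.0.0:0" -> 25
    ports = {int(c.split("->")[0].strip().rsplit(":", 1)[1]) for c in alert.get("network", [])}
    reasons = []
    if exe not in KNOWN_DAEMONS:
        reasons.append(f"{exe or '<none>'} is not an inventoried daemon")
    else:
        user, allowed = KNOWN_DAEMONS[exe]
        if alert.get("account") != user:
            reasons.append(f"runs as {alert.get('account')!r}, expected {user!r}")
        if not ports <= allowed:
            reasons.append(f"unexpected listening port(s) {sorted(ports - allowed)}")
    if reasons:
        return "investigate", reasons, []
    return "expected", [], [f"exe:{exe}"]  # exe: entry for /etc/csf/csf.pignore stops LFD re-alerting on it

# Constructed sample: the header part of the postfix alert quoted in the post above (blank lines dropped).
SAMPLE_POSTFIX = """Time:    Tue Apr 14 05:46:41 2015 -0400
PID:     6817 (Parent PID:1209)
Account: postfix
Uptime:  61 seconds
Executable:
/usr/libexec/postfix/smtpd
Command Line (often faked in exploits):
smtpd -n smtp -t inet -u -o stress=
Network connections by the process (if any):
tcp: 0.0.0.0:25 -> 0.0.0.0:0"""
```

Running `triage(parse_alert(SAMPLE_POSTFIX))` yields an "expected" verdict for the smtpd listener; the same check on a mail whose account or ports do not match the inventory returns "investigate" with the mismatches listed.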
Suggestions / File Editor on File Manager
« on: April 13, 2015, 09:04:29 AM »
Hello,

I hope CWP could have a file editor in its file manager.

Thank you.
