Control Web Panel
WebPanel => MySQL => Topic started by: asrof_id on April 14, 2015, 07:20:23 AM
-
Hello,
I have an email from root saying "Suspicious process running under user mysql".
What should I do?
The email content is included below.
Thanks,
Asrof
--------------------
email content
---------------
Time: Tue Apr 14 02:32:44 2015 -0400
PID: 1099 (Parent PID:996)
Account: mysql
Uptime: 3721 seconds
Executable:
/usr/libexec/mysqld
Command Line (often faked in exploits):
/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
Network connections by the process (if any):
tcp: 0.0.0.0:3306 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/var/log/mysqld.log
/var/log/mysqld.log
/var/lib/mysql/ibdata1
/tmp/ib5dnV0Y (deleted)
/tmp/ibsDv0Pq (deleted)
/tmp/ibL7V5ES (deleted)
/tmp/ibqAyBvk (deleted)
/var/lib/mysql/ib_logfile0
/var/lib/mysql/ib_logfile1
/tmp/ibLs6RpM (deleted)
-
CSF is sending you notification emails.
-
Add these lines to /etc/csf/csf.pignore
You can use this command: nano /etc/csf/csf.pignore, then Ctrl-X, Y (to save the file)
user:root
user:named
user:apache
user:ntp
user:dbus
user:smmsp
user:postfix
user:www-data
user:dovecot
user:daemon
user:sync
user:admin
user:nobody
user:rpm
user:diradmin
user:mysql
user:webapps
user:majordomo
user:mail
user:exim
user:sshd
user:webalizer
user:mgmt
user:qmaill
user:qmailr
user:qmailq
user:mailman
user:qmails
user:qmaild
user:haldaemon
Note: you can remove the users that do not exist; this is just a common list of users.
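A triage helper for lfd process-tracking alerts like the one quoted in this thread, added here as an example and not code from the thread or from CSF. It parses the alert into fields, checks the executable, argv[0], listening ports and deleted-but-open files against an assumed per-account baseline (the BASELINE table and the /tmp/ib* rule are assumptions), and emits an exe: entry for csf.pignore, which pins the whitelist to the verified binary instead of every process running as mysql. The sample alert is constructed and abridged from the one above.

```python
import re
# Constructed sample, abridged from the lfd alert quoted in this thread.
ALERT = """Account: mysql
Executable:
/usr/libexec/mysqld
Command Line (often faked in exploits):
/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
Network connections by the process (if any):
tcp: 0.0.0.0:3306 -> 0.0.0.0:0
Files open by the process (if any):
/tmp/ib5dnV0Y (deleted)
"""
# Assumed baseline per service account; InnoDB unlinks its /tmp/ib* temp files after opening them.
BASELINE = {"mysql": {"exe": "/usr/libexec/mysqld", "ports": {3306}}}
BENIGN_DELETED = re.compile(r"^/tmp/ib[A-Za-z0-9]+$")

def parse_alert(text):
    """Split an lfd process-tracking alert into its fields."""
    info, section = {"network": [], "files": []}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Account:"):
            info["account"] = line.split(":", 1)[1].strip()
        elif line.endswith(":"):                  # section header such as "Executable:"
            section = line.split()[0].lower().rstrip(":")
        elif section in ("executable", "command"):
            info[section], section = line, None   # single-line sections
        elif section and line:
            info[section].append(line)            # multi-line sections
    return info

def triage(info, baseline=BASELINE):
    """Return findings that argue against whitelisting; empty means the alert matches the baseline."""
    exp = baseline.get(info["account"], {"exe": None, "ports": set()})
    findings = []
    if info["executable"] != exp["exe"]:
        findings.append("executable %s is not the expected %s" % (info["executable"], exp["exe"]))
    if info["command"].split()[0] != info["executable"]:
        findings.append("argv[0] does not match the executable: " + info["command"])
    for conn in info["network"]:                  # e.g. "tcp: 0.0.0.0:3306 -> 0.0.0.0:0"
        if int(conn.split()[1].rsplit(":", 1)[1]) not in exp["ports"]:
            findings.append("unexpected socket " + conn)
    for f in info["files"]:
        if f.endswith(" (deleted)") and not BENIGN_DELETED.match(f[:-10]):
            findings.append("deleted-but-open file " + f)
    return findings

def pignore_line(info):  # whitelist the verified binary only, not every process run as the user
    return "exe:" + info["executable"]
```

Only add the pignore line when triage() comes back empty; any finding is a reason to look at the process before silencing the alert.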