Author Topic: [ask] email "Suspicious process running under user mysql", what should I do?


Hello,

I have an email from root that said "Suspicious process running under user mysql".
What should I do?

The email content is included in the footer.

Thanks,

Asrof
--------------------
email content
---------------
Time:    Tue Apr 14 02:32:44 2015 -0400
PID:     1099 (Parent PID:996)
Account: mysql
Uptime:  3721 seconds


Executable:

/usr/libexec/mysqld


Command Line (often faked in exploits):

/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock


Network connections by the process (if any):

tcp: 0.0.0.0:3306 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/var/log/mysqld.log
/var/log/mysqld.log
/var/lib/mysql/ibdata1
/tmp/ib5dnV0Y (deleted)
/tmp/ibsDv0Pq (deleted)
/tmp/ibL7V5ES (deleted)
/tmp/ibqAyBvk (deleted)
/var/lib/mysql/ib_logfile0
/var/lib/mysql/ib_logfile1
/tmp/ibLs6RpM (deleted)
/var/lib/mysql/kumpula_wp/wp_usermeta.MYI
/var/lib/mysql/kendalh2_wp/wp_usermeta.MYI
/var/lib/mysql/kumpula_wp/wp_options.MYI
/var/lib/mysql/kumpula_wp/wp_options.MYD
/var/lib/mysql/sentrata_wp/wp_postmeta.MYI
/var/lib/mysql/sentrata_wp/wp_postmeta.MYD
/var/lib/mysql/kumpula_wp/wp_posts.MYI
/var/lib/mysql/postfix/mailbox.MYI
/var/lib/mysql/postfix/mailbox.MYD
/var/lib/mysql/kumpula_wp/wp_posts.MYD
/var/lib/mysql/sentrata_wp/wp_users.MYI
/var/lib/mysql/talentvi_wp/wp_users.MYI
/var/lib/mysql/kumpula_wp/wp_postmeta.MYI
/var/lib/mysql/kumpula_wp/wp_postmeta.MYD
/var/lib/mysql/talentvi_wp/wp_term_taxonomy.MYI
/var/lib/mysql/indoisla_wp/wp_options.MYI
/var/lib/mysql/indoisla_wp/wp_options.MYD
/var/lib/mysql/indoisla_wp/wp_mobilepress.MYI
/var/lib/mysql/indoisla_wp/wp_mobilepress.MYD
/var/lib/mysql/rajapana_wp/wp_commentmeta.MYI
/var/lib/mysql/rajapana_wp/wp_commentmeta.MYD
/var/lib/mysql/indoisla_wp/wp_terms.MYI
/var/lib/mysql/indoisla_wp/wp_terms.MYD
/var/lib/mysql/indoisla_wp/wp_term_taxonomy.MYI
/var/lib/mysql/indoisla_wp/wp_term_taxonomy.MYD
/var/lib/mysql/indoisla_wp/wp_term_relationships.MYI
/var/lib/mysql/indoisla_wp/wp_term_relationships.MYD
/var/lib/mysql/sentrata_wp/wp_term_taxonomy.MYI
/var/lib/mysql/indoisla_wp/wp_posts.MYI
/var/lib/mysql/kumpula_wp/wp_usermeta.MYD
/var/lib/mysql/sentrata_wp/wp_usermeta.MYI
/var/lib/mysql/talentvi_wp/wp_term_taxonomy.MYD
/var/lib/mysql/talentvi_wp/wp_term_relationships.MYI
/var/lib/mysql/talentvi_wp/wp_mobilepress.MYI
/var/lib/mysql/talentvi_wp/wp_mobilepress.MYD
/var/lib/mysql/indoisla_wp/wp_users.MYI
/var/lib/mysql/indoisla_wp/wp_users.MYD
/var/lib/mysql/indoisla_wp/wp_usermeta.MYI
/var/lib/mysql/indoisla_wp/wp_usermeta.MYD
/var/lib/mysql/asrofiwe_wp/wp_options.MYI
/var/lib/mysql/asrofiwe_wp/wp_options.MYD
/var/lib/mysql/kendalh2_wp/wp_usermeta.MYD
/var/lib/mysql/asrofiwe_wp/wp_blc_links.MYI
/var/lib/mysql/asrofiwe_wp/wp_blc_links.MYD
/var/lib/mysql/asrofiwe_wp/wp_blc_instances.MYI
/var/lib/mysql/asrofiwe_wp/wp_blc_instances.MYD
/var/lib/mysql/asrofiwe_wp/wp_posts.MYI
/var/lib/mysql/asrofiwe_wp/wp_posts.MYD
/var/lib/mysql/asrofiwe_wp/wp_terms.MYI
/var/lib/mysql/asrofiwe_wp/wp_terms.MYD
/var/lib/mysql/asrofiwe_wp/wp_term_taxonomy.MYI
/var/lib/mysql/asrofiwe_wp/wp_term_taxonomy.MYD
/var/lib/mysql/asrofiwe_wp/wp_term_relationships.MYI
/var/lib/mysql/asrofiwe_wp/wp_term_relationships.MYD
/var/lib/mysql/asrofiwe_wp/wp_postmeta.MYI
/var/lib/mysql/asrofiwe_wp/wp_postmeta.MYD
/var/lib/mysql/asrofiwe_wp/wp_users.MYI
/var/lib/mysql/asrofiwe_wp/wp_users.MYD
/var/lib/mysql/asrofiwe_wp/wp_usermeta.MYI
/var/lib/mysql/asrofiwe_wp/wp_usermeta.MYD
/var/lib/mysql/asrofiwe_wp/wp_links.MYI
/var/lib/mysql/asrofiwe_wp/wp_links.MYD
/var/lib/mysql/postfix/alias.MYI
/var/lib/mysql/postfix/alias.MYD
/var/lib/mysql/indoisla_wp/wp_postmeta.MYI
/var/lib/mysql/postfix/domain.MYI
/var/lib/mysql/postfix/domain.MYD
/var/lib/mysql/talentvi_wp/wp_ratings.MYI
/var/lib/mysql/kumpula_wp/wp_terms.MYI
/var/lib/mysql/kumpula_wp/wp_terms.MYD
/var/lib/mysql/talentvi_wp/wp_usermeta.MYI
/var/lib/mysql/kumpula_wp/wp_term_relationships.MYI
/var/lib/mysql/kumpula_wp/wp_term_relationships.MYD
/var/lib/mysql/kumpula_wp/wp_term_taxonomy.MYI
/var/lib/mysql/kumpula_wp/wp_term_taxonomy.MYD
/var/lib/mysql/kumpula_wp/wp_users.MYI
/var/lib/mysql/kumpula_wp/wp_users.MYD
/var/lib/mysql/sentrata_wp/wp_usermeta.MYD
/var/lib/mysql/talentvi_wp/wp_ratings.MYD
/var/lib/mysql/talentvi_wp/wp_usermeta.MYD
/var/lib/mysql/sentrata_wp/wp_options.MYI
/var/lib/mysql/sentrata_wp/wp_options.MYD
/var/lib/mysql/sentrata_wp/wp_posts.MYI
/var/lib/mysql/sentrata_wp/wp_posts.MYD
/var/lib/mysql/talentvi_wp/wp_users.MYD
/var/lib/mysql/sentrata_wp/wp_term_taxonomy.MYD
/var/lib/mysql/sentrata_wp/wp_terms.MYI
/var/lib/mysql/sentrata_wp/wp_terms.MYD
/var/lib/mysql/talentvi_wp/wp_postmeta.MYI
/var/lib/mysql/talentvi_wp/wp_postmeta.MYD
/var/lib/mysql/sentrata_wp/wp_term_relationships.MYI
/var/lib/mysql/sentrata_wp/wp_term_relationships.MYD
/var/lib/mysql/talentvi_wp/wp_posts.MYI
/var/lib/mysql/indoisla_wp/wp_comments.MYI
/var/lib/mysql/indoisla_wp/wp_comments.MYD
/var/lib/mysql/kendalh2_wp/wp_postmeta.MYI
/var/lib/mysql/kendalh2_wp/wp_postmeta.MYD
/var/lib/mysql/kendalh2_wp/wp_comments.MYI
/var/lib/mysql/kendalh2_wp/wp_comments.MYD
/var/lib/mysql/talentvi_wp/wp_options.MYI
/var/lib/mysql/talentvi_wp/wp_options.MYD
/var/lib/mysql/kendalh2_wp/wp_posts.MYI
/var/lib/mysql/kendalh2_wp/wp_posts.MYD
/var/lib/mysql/talentvi_wp/wp_posts.MYD
/var/lib/mysql/kendalh2_wp/wp_term_relationships.MYI
/var/lib/mysql/kendalh2_wp/wp_terms.MYI
/var/lib/mysql/kendalh2_wp/wp_terms.MYD
/var/lib/mysql/indoisla_wp/wp_posts.MYD
/var/lib/mysql/talentvi_wp/wp_terms.MYI
/var/lib/mysql/kendalh2_wp/wp_term_relationships.MYD
/var/lib/mysql/kendalh2_wp/wp_options.MYI
/var/lib/mysql/kendalh2_wp/wp_options.MYD
/var/lib/mysql/asrofiwe_wp/wp_comments.MYI
/var/lib/mysql/asrofiwe_wp/wp_comments.MYD
/var/lib/mysql/indoisla_wp/wp_postmeta.MYD
/var/lib/mysql/kendalh2_wp/wp_term_taxonomy.MYI
/var/lib/mysql/kendalh2_wp/wp_users.MYI
/var/lib/mysql/kendalh2_wp/wp_users.MYD
/var/lib/mysql/kendalh2_wp/wp_term_taxonomy.MYD
/var/lib/mysql/talentvi_wp/wp_terms.MYD
/var/lib/mysql/rajapana_wp/wp_options.MYI
/var/lib/mysql/rajapana_wp/wp_options.MYD
/var/lib/mysql/talentvi_wp/wp_term_relationships.MYD
/var/lib/mysql/rajapana_wp/wp_posts.MYI
/var/lib/mysql/kumpula_wp/wp_comments.MYI
/var/lib/mysql/kumpula_wp/wp_comments.MYD
/var/lib/mysql/rajapana_wp/wp_posts.MYD
/var/lib/mysql/sentrata_wp/wp_users.MYD

CSF is sending you notification emails.

Add these lines to /etc/csf/csf.pignore
You can use this command: nano /etc/csf/csf.pignore, then Ctrl-X, Y (to save the file)

user:root
user:named
user:apache
user:ntp
user:dbus
user:smmsp
user:postfix
user:www-data
user:dovecot
user:daemon
user:sync
user:admin
user:nobody
user:rpm
user:diradmin
user:mysql
user:webapps
user:majordomo
user:mail
user:exim
user:sshd
user:webalizer
user:mgmt
user:qmaill
user:qmailr
user:qmailq
user:mailman
user:qmails
user:qmaild
user:haldaemon
Note: you can remove the users that do not exist; this is just a common list of users.
« Last Edit: July 29, 2016, 07:02:48 AM by locvfx »
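Added example (not from the thread, its posters, or the CSF project): a Python triage script for this kind of LFD alert. It parses the mailed alert body into fields and checks what a defender would check by hand before choosing between investigating and whitelisting: the executable path against argv[0] (the mail itself warns that the command line is often faked), whether the binary sits in a world-writable directory or was unlinked after start, whether the process holds established connections rather than only listening sockets, and whether its open files lie under the paths named on its own command line. Only when no finding remains does it propose a csf.pignore line, and it proposes an `exe:` entry keyed on the binary path (a form csf.pignore accepts alongside `user:` and `cmd:`) rather than `user:mysql`, because a `user:` entry silences every future process of that account. The field names, the check list and the constructed counter-example are the script's own assumptions; the first sample is the alert quoted in the question with its file list shortened.

```python
"""Triage for CSF/LFD "Suspicious process running under user ..." alert mails.
Added example, not code from the thread or the CSF project: parse the alert
body, run a defender's consistency checks, then propose a csf.pignore entry."""
import re
import shlex

# Constructed sample: the alert quoted in the question, file list shortened.
SAMPLE_ALERT = """\
PID:     1099 (Parent PID:996)
Account: mysql
Executable:
/usr/libexec/mysqld
Command Line (often faked in exploits):
/usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/lib/mysql/mysql.sock
Network connections by the process (if any):
tcp: 0.0.0.0:3306 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/var/log/mysqld.log
/tmp/ib5dnV0Y (deleted)
/var/lib/mysql/kumpula_wp/wp_options.MYD
"""

# Constructed counter-example that must not be whitelisted: unlinked binary in
# /tmp, argv[0] claiming to be mysqld, and an outbound connection.
SUSPICIOUS_ALERT = """\
PID:     2222 (Parent PID:1)
Account: mysql
Executable:
/tmp/.x (deleted)
Command Line (often faked in exploits):
/usr/libexec/mysqld --user=mysql
Network connections by the process (if any):
tcp: 10.0.0.5:41000 -> 203.0.113.9:8080
"""

SECTIONS = {"Executable:": "executable",
            "Command Line (often faked in exploits):": "cmdline",
            "Network connections by the process (if any):": "network",
            "Files open by the process (if any):": "files"}
VOLATILE = ("/tmp", "/var/tmp", "/dev/shm")    # world-writable directories
ALWAYS_OK = ("/dev/null", "/usr", "/lib", "/lib64", "/etc", "/proc")


def under(path, prefix):
    # True if path equals prefix or lies inside the directory prefix.
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def parse_alert(text):
    """Split an LFD alert body into header fields and its list sections."""
    alert = {"pid": 0, "ppid": 0, "account": "", "executable": "",
             "cmdline": "", "network": [], "files": []}
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section is None:          # "Key: value" header; Time etc. ignored
            key, _, value = line.partition(":")
            value = value.strip()
            if key == "PID":
                m = re.match(r"(\d+)\s*\(Parent PID:\s*(\d+)\)", value)
                alert["pid"], alert["ppid"] = int(m.group(1)), int(m.group(2))
            elif key == "Account":
                alert["account"] = value
        elif section in ("executable", "cmdline"):
            alert[section] = line
        else:
            alert[section].append(line)
    return alert


def triage(alert):
    """Return findings; empty means the alert is consistent with a normal service."""
    findings = []
    exe = alert["executable"].replace(" (deleted)", "")
    if alert["executable"].endswith("(deleted)"):
        findings.append("executable was unlinked after the process started")
    if any(under(exe, d) for d in VOLATILE):
        findings.append(f"executable lives in a world-writable directory: {exe}")
    argv = shlex.split(alert["cmdline"]) if alert["cmdline"] else []
    if argv and argv[0] != exe:
        findings.append(f"argv[0] {argv[0]!r} does not match executable {exe!r}")
    for conn in alert["network"]:
        m = re.match(r"(?:tcp|udp)6?:\s*(\S+) -> (\S+)$", conn)
        if m and not m.group(2).endswith(":0"):   # remote *:0 = listening socket
            findings.append(f"established connection {m.group(1)} -> {m.group(2)}")
    # Paths given on the command line (datadir, log, socket, pid file) are expected.
    expected = ALWAYS_OK + tuple(a.split("=", 1)[1] for a in argv if "=/" in a)
    for f in alert["files"]:
        path = f.replace(" (deleted)", "")
        if f.endswith("(deleted)") and any(under(path, d) for d in VOLATILE):
            continue            # unlinked temp files (InnoDB ib* here) are normal
        if not any(under(path, p) for p in expected):
            findings.append(f"open file outside paths named on the command line: {f}")
    return findings


def pignore_entry(alert):
    """Narrowest csf.pignore line for an alert that passed triage (an exe: key on the
    binary path, not the whole user); None when findings call for investigation."""
    return None if triage(alert) else f"exe:{alert['executable']}"
```

On the alert in the question every check passes: the deleted /tmp/ib* entries are InnoDB temporary files, the only socket is a listener on port 3306, and each other open file lies under --datadir or is the --log-error file, so the script proposes `exe:/usr/libexec/mysqld`. Before trusting a pass, confirm on the host itself that /proc/1099/exe still resolves to /usr/libexec/mysqld and that the package manager verifies the binary (`rpm -Vf /usr/libexec/mysqld` on an RPM-based system); the alert mail is a snapshot, and the binary on disk is what a whitelist entry will keep trusting.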