1
E-Mail / Suspicious process running under user xxx
« on: July 04, 2022, 01:48:12 PM »
Hello, I need help. I have received several emails with the log below. Can you help me solve it?
Time: Mon Jul 4 00:12:09 2022 -0300
PID: 624 (Parent PID:2795)
Account: xxxx
Uptime: 71 seconds
Executable:
/usr/local/bin/php-cgi
Command Line (often faked in exploits):
/usr/local/bin/php-cgi /home/rdcaxias/public_html/portal/www/site/index.php
Network connections by the process (if any):
tcp: 127.0.0.1:51814 -> 127.0.0.1:11211
Files open by the process (if any):
/tmp/sess_l4fs8ot8ai0qrt6h9evuoc28p7
/home/rdcaxias/public_html/portal
Memory maps by the process (if any):
00400000-00e79000 r-xp 00000000 fd:00 482476 /usr/local/bin/php-cgi
01078000-01079000 r--p 00a78000 fd:00 482476 /usr/local/bin/php-cgi
01079000-0108b000 rw-p 00a79000 fd:00 482476 /usr/local/bin/php-cgi
0108b000-010b0000 rw-p 00000000 00:00 0
02c8f000-0360b000 rw-p 00000000 00:00 0 [heap]
7f2cedce4000-7f2cedd25000 rw-p 00000000 00:00 0
7f2cedd66000-7f2cee176000 rw-p 00000000 00:00 0
7f2cee176000-7f2cee17c000 r-xp 00000000 fd:00 67116571 /usr/lib64/libnss_dns-2.17.so
7f2cee17c000-7f2cee37b000 ---p 00006000 fd:00 67116571 /usr/lib64/libnss_dns-2.17.so
7f2cee37b000-7f2cee37c000 r--p 00005000 fd:00 67116571 /usr/lib64/libnss_dns-2.17.so
7f2cee37c000-7f2cee37d000 rw-p 00006000 fd:00 67116571 /usr/lib64/libnss_dns-2.17.so
7f2cee37d000-7f2cee648000 rw-p 00000000 00:00 0
7f2cee648000-7f2cee654000 r-xp 00000000 fd:00 67116573 /usr/lib64/libnss_files-2.17.so
7f2cee654000-7f2cee853000 ---p 0000c000 fd:00 67116573 /usr/lib64/libnss_files-2.17.so
7f2cee853000-7f2cee854000 r--p 0000b000 fd:00 67116573 /usr/lib64/libnss_files-2.17.so
7f2cee854000-7f2cee855000 rw-p 0000c000 fd:00 67116573 /usr/lib64/libnss_files-2.17.so
7f2cee855000-7f2cee85b000 rw-p 00000000 00:00 0
7f2cee85b000-7f2cee869000 r-xp 00000000 fd:00 203894528 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/memcache.so
7f2cee869000-7f2ceea68000 ---p 0000e000 fd:00 203894528 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/memcache.so
7f2ceea68000-7f2ceea69000 r--p 0000d000 fd:00 203894528 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/memcache.so
7f2ceea69000-7f2ceea6a000 rw-p 0000e000 fd:00 203894528 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/memcache.so
7f2ceea6a000-7f2ceea6c000 r-xp 00000000 fd:00 67583246 /usr/lib64/libXau.so.6.0.0
7f2ceea6c000-7f2ceec6c000 ---p 00002000 fd:00 67583246 /usr/lib64/libXau.so.6.0.0
7f2ceec6c000-7f2ceec6d000 r--p 00002000 fd:00 67583246 /usr/lib64/libXau.so.6.0.0
7f2ceec6d000-7f2ceec6e000 rw-p 00003000 fd:00 67583246 /usr/lib64/libXau.so.6.0.0
7f2ceec6e000-7f2ceec95000 r-xp 00000000 fd:00 67583303 /usr/lib64/libxcb.so.1.1.0
7f2ceec95000-7f2ceee94000 ---p 00027000 fd:00 67583303 /usr/lib64/libxcb.so.1.1.0
7f2ceee94000-7f2ceee95000 r--p 00026000 fd:00 67583303 /usr/lib64/libxcb.so.1.1.0
2
E-Mail / Excessive resource usage: memcached (1044 (Parent PID:1044))
« on: July 04, 2022, 01:44:09 PM »
Hello, I need help. I have received several emails with the log below. Can you help me solve it?
Time: Mon Jul 4 08:04:46 2022 -0300
Account: memcached
Resource: Process Time
Exceeded: 227188 > 1800 (seconds)
Executable: /usr/bin/memcached
Command Line: /usr/bin/memcached -u memcached -p 11211 -m 64 -c 1024
PID: 1044 (Parent PID:1044)
Killed: No