Suspicious process running under user xxx
« on: July 04, 2022, 01:48:12 PM »
Hello, I need help. I have received several emails with the log below; can you help me solve it?
Time:    Mon Jul  4 00:12:09 2022 -0300
PID:     624 (Parent PID:2795)
Account: xxxx
Uptime:  71 seconds
Executable:
/usr/local/bin/php-cgi
Command Line (often faked in exploits):
/usr/local/bin/php-cgi /home/rdcaxias/public_html/portal/www/site/index.php
Network connections by the process (if any):
tcp: 127.0.0.1:51814 -> 127.0.0.1:11211
Files open by the process (if any):
/tmp/sess_l4fs8ot8ai0qrt6h9evuoc28p7
/home/rdcaxias/public_html/portal
Memory maps by the process (if any):