
Suspicious process alerts


Andre Soares


Good morning everyone, today I started receiving a suspicious process alert. What could it be?


Subject: lfd on server.allcomp.inf.br: Suspicious process running under user nobody
Time:    Fri May 27 08:00:40 2016 -0300
PID:     26550 (Parent PID:26545)
Account: nobody
Uptime:  1780781 seconds

Executable:
/usr/sbin/nginx
Command Line (often faked in exploits):
nginx: worker process        


Network connections by the process (if any):
tcp: 23.89.201.169:80 -> 0.0.0.0:0
tcp6: 0.0.0.0:80 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/var/log/nginx/error.log
/root/args.txt
/usr/local/apache/domlogs/redeinclusao.org.br-bytes_log
/usr/local/apache/domlogs/redeinclusao.org.br
/var/log/nginx/error.log
/var/log/nginx/vhost-error_log
 (deleted)/usr/local/apache/domlogs/allcomp.inf.br-bytes_log.bkup
/usr/local/apache/domlogs/allcomp.inf.br
/var/log/nginx/microcache.log
/usr/local/apache/domlogs/cicloviabicicletas.com.br-bytes_log
/usr/local/apache/domlogs/cicloviabicicletas.com.br
/usr/local/apache/domlogs/clicprojetos.com.br-bytes_log
/usr/local/apache/domlogs/clicprojetos.com.br
[eventpoll]
[eventfd]
[eventfd]


Memory maps by the process (if any):

00400000-004e4000 r-xp 00000000 08:11 406604154
/usr/sbin/nginx
006e4000-006fd000 rw-p 000e4000 08:11 406604154
/usr/sbin/nginx
006fd000-0071c000 rw-p 00000000 00:00 0 
015d5000-016de000 rw-p 00000000 00:00 0 
016de000-01778000 rw-p 00000000 00:00 0 
7f913d863000-7f913dc8a000 rw-p 00000000 00:00 0 
7f913dc8a000-7f913eb8a000 rw-s 00000000 f2:49 292606130
(deleted)/dev/zero
7f913eb8a000-7f913eba7000 r-xp 00000000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eba7000-7f913eda6000 ---p 0001d000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eda6000-7f913eda7000 r--p 0001c000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eda7000-7f913eda8000 rw-p 0001d000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eda8000-7f913eda9000 rw-p 00000000 00:00 0 
7f913eda9000-7f913edbf000 r-xp 00000000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913edbf000-7f913efbf000 ---p 00016000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913efbf000-7f913efc0000 r--p 00016000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913efc0000-7f913efc1000 rw-p 00017000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913efc1000-7f913efc3000 rw-p 00000000 00:00 0 
7f913efc3000-7f913efc5000 r-xp 00000000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913efc5000-7f913f1c4000 ---p 00002000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913f1c4000-7f913f1c5000 r--p 00001000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913f1c5000-7f913f1c6000 rw-p 00002000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913f1c6000-7f913f1d0000 r-xp 00000000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f1d0000-7f913f3cf000 ---p 0000a000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f3cf000-7f913f3d0000 r--p 00009000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f3d0000-7f913f3d1000 rw-p 0000a000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f3d1000-7f913f3fa000 r-xp 00000000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f3fa000-7f913f5fa000 ---p 00029000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f5fa000-7f913f5fb000 r--p 00029000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f5fb000-7f913f5fc000 rw-p 0002a000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f5fc000-7f913f5fd000 rw-p 00000000 00:00 0 
7f913f5fd000-7f913f600000 r-xp 00000000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f600000-7f913f7ff000 ---p 00003000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f7ff000-7f913f800000 r--p 00002000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f800000-7f913f801000 rw-p 00003000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f801000-7f913f8dc000 r-xp 00000000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913f8dc000-7f913fadc000 ---p 000db000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913fadc000-7f913fae6000 r--p 000db000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913fae6000-7f913fae8000 rw-p 000e5000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913fae8000-7f913fb29000 r-xp 00000000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fb29000-7f913fd29000 ---p 00041000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fd29000-7f913fd2a000 r--p 00041000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fd2a000-7f913fd2c000 rw-p 00042000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fd2c000-7f913fd2e000 r-xp 00000000 08:11 407504550
/lib64/libfreebl3.so
7f913fd2e000-7f913ff2d000 ---p 00002000 08:11 407504550
/lib64/libfreebl3.so
7f913ff2d000-7f913ff2e000 r--p 00001000 08:11 407504550
/lib64/libfreebl3.so
7f913ff2e000-7f913ff2f000 rw-p 00002000 08:11 407504550
/lib64/libfreebl3.so
7f913ff2f000-7f91400b9000 r-xp 00000000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91400b9000-7f91402b9000 ---p 0018a000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91402b9000-7f91402bd000 r--p 0018a000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91402bd000-7f91402be000 rw-p 0018e000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91402be000-7f91402c3000 rw-p 00000000 00:00 0 
7f91402c3000-7f91402d8000 r-xp 00000000 08:11 407504538
/lib64/libz.so.1.2.3
7f91402d8000-7f91404d7000 ---p 00015000 08:11 407504538
/lib64/libz.so.1.2.3
7f91404d7000-7f91404d8000 r--p 00014000 08:11 407504538
/lib64/libz.so.1.2.3
7f91404d8000-7f91404d9000 rw-p 00015000 08:11 407504538
/lib64/libz.so.1.2.3
7f91404d9000-7f9140693000 r-xp 00000000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f9140693000-7f9140892000 ---p 001ba000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f9140892000-7f91408ad000 r--p 001b9000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f91408ad000-7f91408b9000 rw-p 001d4000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f91408b9000-7f91408bd000 rw-p 00000000 00:00 0 
7f91408bd000-7f914091f000 r-xp 00000000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f914091f000-7f9140b1e000 ---p 00062000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f9140b1e000-7f9140b22000 r--p 00061000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f9140b22000-7f9140b29000 rw-p 00065000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f9140b29000-7f9140b55000 r-xp 00000000 08:11 407504828
/lib64/libpcre.so.0.0.1
7f9140b55000-7f9140d55000 ---p 0002c000 08:11 407504828
/lib64/libpcre.so.0.0.1
7f9140d55000-7f9140d56000 rw-p 0002c000 08:11 407504828
/lib64/libpcre.so.0.0.1
7f9140d56000-7f9140d5d000 r-xp 00000000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140d5d000-7f9140f5d000 ---p 00007000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140f5d000-7f9140f5e000 r--p 00007000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140f5e000-7f9140f5f000 rw-p 00008000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140f5f000-7f9140f8d000 rw-p 00000000 00:00 0 
7f9140f8d000-7f9140fa4000 r-xp 00000000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f9140fa4000-7f91411a4000 ---p 00017000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f91411a4000-7f91411a5000 r--p 00017000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f91411a5000-7f91411a6000 rw-p 00018000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f91411a6000-7f91411aa000 rw-p 00000000 00:00 0 
7f91411aa000-7f91411ac000 r-xp 00000000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91411ac000-7f91413ac000 ---p 00002000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91413ac000-7f91413ad000 r--p 00002000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91413ad000-7f91413ae000 rw-p 00003000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91413ae000-7f91413ce000 r-xp 00000000 08:11 407505335
(deleted)/lib64/ld-2.12.so
7f9141550000-7f9141585000 r--s 00000000 08:11 407523662
/var/db/nscd/group
7f9141585000-7f91415ba000 r--s 00000000 08:11 407523661
/var/db/nscd/passwd
7f91415ba000-7f91415c3000 rw-p 00000000 00:00 0 
7f91415ca000-7f91415cb000 rw-p 00000000 00:00 0 
7f91415cb000-7f91415cc000 rw-s 00000000 f2:49 292606133
(deleted)/dev/zero
7f91415cc000-7f91415cd000 rw-p 00000000 00:00 0 
7f91415cd000-7f91415ce000 r--p 0001f000 08:11 407505335
(deleted)/lib64/ld-2.12.so
7f91415ce000-7f91415cf000 rw-p 00020000 08:11 407505335
(deleted)/lib64/ld-2.12.so
7f91415cf000-7f91415d0000 rw-p 00000000 00:00 0 
7ffc4a9c7000-7ffc4a9dc000 rw-p 00000000 00:00 0
[stack]
7ffc4a9e3000-7ffc4a9e5000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
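As an added triage example (not part of the original post): the alert above maps many shared libraries marked `(deleted)`, which is what /proc shows when a package update has replaced a library on disk while the process still holds the old copy in memory. The script below, written for this page and not taken from lfd or nginx, parses the map listing in either the lfd layout (path on the line after the mapping) or the kernel's /proc/PID/maps layout, and separates replaced libraries or binaries, which call for a service restart, from the unlinked `/dev/zero` shared memory that nginx uses for its shared zones. The sample input is a constructed excerpt of the alert's map listing.

```python
"""Triage helper for an lfd "Suspicious process" alert: list memory mappings whose
backing file was deleted or replaced on disk since the process started."""
import re

# Constructed excerpt in the lfd alert layout (path on the line after the mapping).
SAMPLE_MAPS = """\
00400000-004e4000 r-xp 00000000 08:11 406604154
/usr/sbin/nginx
7f913dc8a000-7f913eb8a000 rw-s 00000000 f2:49 292606130
(deleted)/dev/zero
7f913ff2f000-7f91400b9000 r-xp 00000000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91404d9000-7f9140693000 r-xp 00000000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f9140b29000-7f9140b55000 r-xp 00000000 08:11 407504828
/lib64/libpcre.so.0.0.1
7ffc4a9c7000-7ffc4a9dc000 rw-p 00000000 00:00 0
[stack]
"""

# start-end perms offset dev inode [path]; the path group stays empty in the lfd layout.
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

def parse_maps(text):
    """Return (perms, inode, path) tuples from either the lfd layout or /proc/PID/maps."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAP_RE.match(line)
        if m:
            if pending is not None:
                entries.append(tuple(pending))
            pending = [m.group(3), m.group(6), m.group(7)]
        elif pending is not None and not pending[2]:
            pending[2] = line          # lfd prints the path on the following line
    if pending is not None:
        entries.append(tuple(pending))
    return entries

def deleted_files(entries):
    """Distinct deleted file-backed paths; accepts lfd's '(deleted)/path' prefix and
    the kernel's '/path (deleted)' suffix. Inode 0 means anonymous or [stack]-style."""
    found = {}
    for _perms, inode, path in entries:
        if inode == "0":
            continue
        if path.startswith("(deleted)"):
            found[path[len("(deleted)"):]] = True
        elif path.endswith(" (deleted)"):
            found[path[:-len(" (deleted)")]] = True
    return list(found)

def triage(entries):
    """Split deleted mappings into replaced libraries/binaries (restart the service and
    verify the on-disk copies against the package manager) and expected /dev/zero shared memory."""
    paths = deleted_files(entries)
    return [p for p in paths if not p.startswith("/dev/")], [p for p in paths if p.startswith("/dev/")]
```

Running `triage(parse_maps(SAMPLE_MAPS))` on the excerpt reports libc and libcrypto as replaced and `/dev/zero` as expected shared memory; on a live host, feed it the contents of `/proc/<PID>/maps` instead.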
