Posted

Good morning everyone, today I started receiving a suspicious-process alert. What could it be?


Subject: lfd on server.allcomp.inf.br: Suspicious process running under user nobody
Time:    Fri May 27 08:00:40 2016 -0300
PID:     26550 (Parent PID:26545)
Account: nobody
Uptime:  1780781 seconds

Executable:
/usr/sbin/nginx
Command Line (often faked in exploits):
nginx: worker process        


Network connections by the process (if any):
tcp: 23.89.201.169:80 -> 0.0.0.0:0
tcp6: 0.0.0.0:80 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/var/log/nginx/error.log
/root/args.txt
/usr/local/apache/domlogs/redeinclusao.org.br-bytes_log
/usr/local/apache/domlogs/redeinclusao.org.br
/var/log/nginx/error.log
/var/log/nginx/vhost-error_log
 (deleted)/usr/local/apache/domlogs/allcomp.inf.br-bytes_log.bkup
/usr/local/apache/domlogs/allcomp.inf.br
/var/log/nginx/microcache.log
/usr/local/apache/domlogs/cicloviabicicletas.com.br-bytes_log
/usr/local/apache/domlogs/cicloviabicicletas.com.br
/usr/local/apache/domlogs/clicprojetos.com.br-bytes_log
/usr/local/apache/domlogs/clicprojetos.com.br
[eventpoll]
[eventfd]
[eventfd]


Memory maps by the process (if any):

00400000-004e4000 r-xp 00000000 08:11 406604154
/usr/sbin/nginx
006e4000-006fd000 rw-p 000e4000 08:11 406604154
/usr/sbin/nginx
006fd000-0071c000 rw-p 00000000 00:00 0 
015d5000-016de000 rw-p 00000000 00:00 0 
016de000-01778000 rw-p 00000000 00:00 0 
7f913d863000-7f913dc8a000 rw-p 00000000 00:00 0 
7f913dc8a000-7f913eb8a000 rw-s 00000000 f2:49 292606130
(deleted)/dev/zero
7f913eb8a000-7f913eba7000 r-xp 00000000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eba7000-7f913eda6000 ---p 0001d000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eda6000-7f913eda7000 r--p 0001c000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eda7000-7f913eda8000 rw-p 0001d000 08:11 407503045
(deleted)/lib64/libselinux.so.1
7f913eda8000-7f913eda9000 rw-p 00000000 00:00 0 
7f913eda9000-7f913edbf000 r-xp 00000000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913edbf000-7f913efbf000 ---p 00016000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913efbf000-7f913efc0000 r--p 00016000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913efc0000-7f913efc1000 rw-p 00017000 08:11 407504588
(deleted)/lib64/libresolv-2.12.so
7f913efc1000-7f913efc3000 rw-p 00000000 00:00 0 
7f913efc3000-7f913efc5000 r-xp 00000000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913efc5000-7f913f1c4000 ---p 00002000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913f1c4000-7f913f1c5000 r--p 00001000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913f1c5000-7f913f1c6000 rw-p 00002000 08:11 407504719
/lib64/libkeyutils.so.1.3
7f913f1c6000-7f913f1d0000 r-xp 00000000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f1d0000-7f913f3cf000 ---p 0000a000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f3cf000-7f913f3d0000 r--p 00009000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f3d0000-7f913f3d1000 rw-p 0000a000 08:11 407512143
(deleted)/lib64/libkrb5support.so.0.1
7f913f3d1000-7f913f3fa000 r-xp 00000000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f3fa000-7f913f5fa000 ---p 00029000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f5fa000-7f913f5fb000 r--p 00029000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f5fb000-7f913f5fc000 rw-p 0002a000 08:11 407504695
(deleted)/lib64/libk5crypto.so.3.1
7f913f5fc000-7f913f5fd000 rw-p 00000000 00:00 0 
7f913f5fd000-7f913f600000 r-xp 00000000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f600000-7f913f7ff000 ---p 00003000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f7ff000-7f913f800000 r--p 00002000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f800000-7f913f801000 rw-p 00003000 08:11 407504558
/lib64/libcom_err.so.2.1
7f913f801000-7f913f8dc000 r-xp 00000000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913f8dc000-7f913fadc000 ---p 000db000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913fadc000-7f913fae6000 r--p 000db000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913fae6000-7f913fae8000 rw-p 000e5000 08:11 407512142
(deleted)/lib64/libkrb5.so.3.3
7f913fae8000-7f913fb29000 r-xp 00000000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fb29000-7f913fd29000 ---p 00041000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fd29000-7f913fd2a000 r--p 00041000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fd2a000-7f913fd2c000 rw-p 00042000 08:11 407505471
(deleted)/lib64/libgssapi_krb5.so.2.2
7f913fd2c000-7f913fd2e000 r-xp 00000000 08:11 407504550
/lib64/libfreebl3.so
7f913fd2e000-7f913ff2d000 ---p 00002000 08:11 407504550
/lib64/libfreebl3.so
7f913ff2d000-7f913ff2e000 r--p 00001000 08:11 407504550
/lib64/libfreebl3.so
7f913ff2e000-7f913ff2f000 rw-p 00002000 08:11 407504550
/lib64/libfreebl3.so
7f913ff2f000-7f91400b9000 r-xp 00000000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91400b9000-7f91402b9000 ---p 0018a000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91402b9000-7f91402bd000 r--p 0018a000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91402bd000-7f91402be000 rw-p 0018e000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91402be000-7f91402c3000 rw-p 00000000 00:00 0 
7f91402c3000-7f91402d8000 r-xp 00000000 08:11 407504538
/lib64/libz.so.1.2.3
7f91402d8000-7f91404d7000 ---p 00015000 08:11 407504538
/lib64/libz.so.1.2.3
7f91404d7000-7f91404d8000 r--p 00014000 08:11 407504538
/lib64/libz.so.1.2.3
7f91404d8000-7f91404d9000 rw-p 00015000 08:11 407504538
/lib64/libz.so.1.2.3
7f91404d9000-7f9140693000 r-xp 00000000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f9140693000-7f9140892000 ---p 001ba000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f9140892000-7f91408ad000 r--p 001b9000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f91408ad000-7f91408b9000 rw-p 001d4000 08:11 406598228
(deleted)/usr/lib64/libcrypto.so.1.0.1e
7f91408b9000-7f91408bd000 rw-p 00000000 00:00 0 
7f91408bd000-7f914091f000 r-xp 00000000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f914091f000-7f9140b1e000 ---p 00062000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f9140b1e000-7f9140b22000 r--p 00061000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f9140b22000-7f9140b29000 rw-p 00065000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
7f9140b29000-7f9140b55000 r-xp 00000000 08:11 407504828
/lib64/libpcre.so.0.0.1
7f9140b55000-7f9140d55000 ---p 0002c000 08:11 407504828
/lib64/libpcre.so.0.0.1
7f9140d55000-7f9140d56000 rw-p 0002c000 08:11 407504828
/lib64/libpcre.so.0.0.1
7f9140d56000-7f9140d5d000 r-xp 00000000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140d5d000-7f9140f5d000 ---p 00007000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140f5d000-7f9140f5e000 r--p 00007000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140f5e000-7f9140f5f000 rw-p 00008000 08:11 407504687
(deleted)/lib64/libcrypt-2.12.so
7f9140f5f000-7f9140f8d000 rw-p 00000000 00:00 0 
7f9140f8d000-7f9140fa4000 r-xp 00000000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f9140fa4000-7f91411a4000 ---p 00017000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f91411a4000-7f91411a5000 r--p 00017000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f91411a5000-7f91411a6000 rw-p 00018000 08:11 407504571
(deleted)/lib64/libpthread-2.12.so
7f91411a6000-7f91411aa000 rw-p 00000000 00:00 0 
7f91411aa000-7f91411ac000 r-xp 00000000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91411ac000-7f91413ac000 ---p 00002000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91413ac000-7f91413ad000 r--p 00002000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91413ad000-7f91413ae000 rw-p 00003000 08:11 407504518
(deleted)/lib64/libdl-2.12.so
7f91413ae000-7f91413ce000 r-xp 00000000 08:11 407505335
(deleted)/lib64/ld-2.12.so
7f9141550000-7f9141585000 r--s 00000000 08:11 407523662
/var/db/nscd/group
7f9141585000-7f91415ba000 r--s 00000000 08:11 407523661
/var/db/nscd/passwd
7f91415ba000-7f91415c3000 rw-p 00000000 00:00 0 
7f91415ca000-7f91415cb000 rw-p 00000000 00:00 0 
7f91415cb000-7f91415cc000 rw-s 00000000 f2:49 292606133
(deleted)/dev/zero
7f91415cc000-7f91415cd000 rw-p 00000000 00:00 0 
7f91415cd000-7f91415ce000 r--p 0001f000 08:11 407505335
(deleted)/lib64/ld-2.12.so
7f91415ce000-7f91415cf000 rw-p 00020000 08:11 407505335
(deleted)/lib64/ld-2.12.so
7f91415cf000-7f91415d0000 rw-p 00000000 00:00 0 
7ffc4a9c7000-7ffc4a9dc000 rw-p 00000000 00:00 0
[stack]
7ffc4a9e3000-7ffc4a9e5000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]


Posted

False positive.

Add the nginx process to /etc/csf/csf.ignore
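As an added example, not code from the thread or from ConfigServer, the script below parses an lfd "Suspicious process" alert of the shape quoted in the first post and checks it against allowlist rules written in the exe:/user:/cmd: form used by ConfigServer's process-tracking ignore list. It also surfaces the two details a defender wants before accepting a "false positive" verdict: how many mapped libraries show as (deleted), which means the on-disk copy was replaced after the process started (typical after a package update on a process with a long uptime), and which open files fall outside the paths expected for the service. The alert text embedded here is a constructed, shortened copy of the posted one; the rule syntax and the exact-string matching are assumptions about lfd's behaviour, not something the thread states.

```python
"""Parse an lfd "Suspicious process" alert and triage it against allowlist rules.
Example code added for illustration; SAMPLE_ALERT is a constructed, shortened copy
of the alert posted in the thread, and the exe:/user:/cmd: rule syntax plus the
exact-match comparison are assumptions about lfd, not taken from the thread."""
import re
from dataclasses import dataclass

SAMPLE_ALERT = """\
Time:    Fri May 27 08:00:40 2016 -0300
PID:     26550 (Parent PID:26545)
Account: nobody
Uptime:  1780781 seconds

Executable:
/usr/sbin/nginx
Command Line (often faked in exploits):
nginx: worker process

Network connections by the process (if any):
tcp: 23.89.201.169:80 -> 0.0.0.0:0
tcp6: 0.0.0.0:80 -> 0.0.0.0:0

Files open by the process (if any):
/var/log/nginx/error.log
/root/args.txt

Memory maps by the process (if any):
00400000-004e4000 r-xp 00000000 08:11 406604154
/usr/sbin/nginx
7f913ff2f000-7f91400b9000 r-xp 00000000 08:11 407504581
(deleted)/lib64/libc-2.12.so
7f91408bd000-7f914091f000 r-xp 00000000 08:11 406598270
(deleted)/usr/lib64/libssl.so.1.0.1e
"""

SECTION_HEADERS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "command_line",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "open_files",
    "Memory maps by the process (if any):": "maps",
}
# An address/permission line of /proc/<pid>/maps; lfd prints the path on the following line.
MAP_RANGE = re.compile(r"^[0-9a-f]+-[0-9a-f]+ [rwxsp-]{4} ")


@dataclass
class LfdAlert:
    account: str
    pid: int
    parent_pid: int
    uptime_seconds: int
    executable: str
    command_line: str
    connections: list
    open_files: list
    deleted_maps: list  # mapped files whose on-disk copy was replaced or removed after start


def parse_alert(text: str) -> LfdAlert:
    header, current = {}, None
    sections = {name: [] for name in SECTION_HEADERS.values()}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
        elif not line:
            continue
        elif current is None:  # "Key: value" lines before the first section header
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
        elif current == "maps" and MAP_RANGE.match(line):
            continue  # skip the range line; only the path line that follows is kept
        else:
            sections[current].append(line)
    pid, parent = re.match(r"(\d+)\s*\(Parent PID:\s*(\d+)\)", header["PID"]).groups()
    # lfd writes "(deleted)" in front of the path; the kernel writes it after. Accept both.
    deleted = sorted({re.sub(r"^\(deleted\)|\s*\(deleted\)$", "", p)
                      for p in sections["maps"] if "(deleted)" in p})
    return LfdAlert(
        account=header["Account"], pid=int(pid), parent_pid=int(parent),
        uptime_seconds=int(header["Uptime"].split()[0]),
        executable=sections["executable"][0],
        command_line=" ".join(sections["command_line"]),
        connections=sections["connections"], open_files=sections["open_files"],
        deleted_maps=deleted,
    )


def matching_rules(alert: LfdAlert, rules: list) -> list:
    """Return the exe:/user:/cmd: rules the alert satisfies (exact string match assumed)."""
    fields = {"exe": alert.executable, "user": alert.account, "cmd": alert.command_line}
    return [r for r in rules
            if r.partition(":")[0] in fields and fields[r.partition(":")[0]] == r.partition(":")[2].strip()]


def triage(alert: LfdAlert, rules: list, expected_prefixes: tuple) -> dict:
    """Defender's summary: allowlisted or not, plus what still deserves a look either way."""
    notes = []
    if alert.deleted_maps:
        notes.append(f"{len(alert.deleted_maps)} mapped libraries were replaced on disk after start "
                     f"(uptime {alert.uptime_seconds}s): restart the service so it loads current files")
    odd = [f for f in alert.open_files if not f.startswith(expected_prefixes)]
    if odd:
        notes.append("open files outside the expected paths: " + ", ".join(odd))
    hits = matching_rules(alert, rules)
    return {"ignore_rules_matched": hits,
            "verdict": "ignore-listed" if hits else "review",
            "notes": notes}


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(triage(alert, ["exe:/usr/sbin/nginx"],
                 ("/var/log/", "/dev/", "/usr/local/apache/domlogs/")))
```

Even when a rule matches and the verdict is "ignore-listed", the notes are worth reading: the (deleted) library mappings go away once the service is restarted, and any open file outside the service's normal directories should be explained before the alert is filed as noise.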
