Fixing the "Suspicious process running under" alert sent by the server


If you have installed CSF (ConfigServer Security & Firewall) on your server, applications it does not recognise may be flagged as exploits.

Some applications that are already running, and some you enable later, need to be explicitly permitted in CSF. The procedure is very simple. In this post we will configure CSF, which is mistaking webalizer for an exploit; in your case, act according to the mail you received.


Log in as root over SSH;

nano /etc/csf/csf.pignore

With this command you open the pignore file for editing. Add the line below;

exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/turkish

Afterwards restart csf;

csf -r

That's all...
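As an added example (not part of the original post), the following script extracts the path under the "Executable:" header of an LFD alert, refuses to build a csf.pignore entry when that path lives in a user-writable directory such as /home or /tmp, and appends the entry to the pignore content only once. The sample alert is constructed here; only the webalizer path comes from the post.

```python
import re

# Constructed sample alert (not a real mail): the header lines an LFD
# "Suspicious process" notification carries, trimmed to what we parse.
SAMPLE_ALERT = """lfd on server.example.com: Suspicious process running under user exampleuser

Time:    Fri Feb  3 12:13:05 2017 +0300
PID:     29084 (Parent PID:29083)
Account: exampleuser
Uptime:  71 seconds

Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/turkish

Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/turkish -N 10 -o /home/exampleuser/tmp/webalizer
"""

# Locations a legitimate system binary should not live in; an executable
# found here deserves a manual look instead of a whitelist entry.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def extract_executable(alert):
    """Return the path listed under the 'Executable:' header, or None."""
    match = re.search(r"^Executable:\s+(\S+)", alert, re.MULTILINE)
    return match.group(1) if match else None


def pignore_entry(alert):
    """Build the csf.pignore 'exe:' line for the alert's executable.

    Raises ValueError when no path is found or when the path sits in a
    user-writable directory, so the operator has to review it by hand.
    """
    exe = extract_executable(alert)
    if exe is None:
        raise ValueError("alert has no Executable: section")
    if exe.startswith(USER_WRITABLE_PREFIXES):
        raise ValueError(f"refusing to whitelist user-writable path {exe}")
    return f"exe:{exe}"


def add_entry(pignore_text, entry):
    """Return csf.pignore content with `entry` appended exactly once."""
    if entry in (line.strip() for line in pignore_text.splitlines()):
        return pignore_text
    base = pignore_text if not pignore_text or pignore_text.endswith("\n") else pignore_text + "\n"
    return base + entry + "\n"
```

Write the returned content back to /etc/csf/csf.pignore and run `csf -r`, as described above.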


The mail you receive for this alert usually looks like this;

lfd on server.xxxx.com: Suspicious process running under user xkullanici


Time:    Fri Feb  3 12:13:05 2017 +0300
PID:     29084 (Parent PID:29083)
Account: xkullanici
Uptime:  71 seconds



Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/turkish


Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/turkish -N 10 -D /home/xkullanici/tmp/webalizer/dns_cache.db -R 250 -p -n xxxxx.com -o /home/xkullanici/tmp/webalizer /etc/apache2/logs/domlogs/xxxx.com.bkup


Network connections by the process (if any):

udp: 163.172.213.46:43696 -> 8.8.8.8:53


Files open by the process (if any):

/dev/null
/var/log/apache2/domlogs/xxx.com.bkup
/home/xkullanici/tmp/webalizer/dns_cache.db
/var/cpanel/locale/en.cdb
/var/cpanel/locale/tr.cdb
/var/tmp/29081.LOGD___WAITING_FOR_CHILD_TO_PROCESS_LOGS__.dub_Keyy.tmp


Memory maps by the process (if any):

