Hey,
I've set up a new server that will replace my old one. The new server runs the latest version of Virtualmin on top of Debian 7.8. I run CSF & LFD as my firewall. I have already set up 3 virtual servers as a test. They work fine.
Every hour (or more) I receive a lot of e-mails from CSF & LFD with warnings similar to:
Time: Tue Mar 17 15:30:29 2015 +0100
PID: 18819 (Parent PID:4069)
Account: www-data
Uptime: 3658 seconds
Executable: /usr/lib/apache2/mpm-prefork/apache2
Command Line (often faked in exploits): /usr/sbin/apache2 -k start
Network connections by the process (if any):
tcp: xx.xx.xx.xx:80 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:443 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:80 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:443 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:80 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:443 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:80 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:443 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:80 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:443 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:80 -> 0.0.0.0:0
tcp: xx.xx.xx.xx:443 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/dev/null
/var/log/apache2/error.log
/var/log/virtualmin/client1.be_error_log
/var/log/virtualmin/client2.be_error_log
/var/log/virtualmin/client3.net_error_log
/var/log/virtualmin/client4.be_error_log
/var/log/apache2/other_vhosts_access.log
/var/log/virtualmin/client1.be_access_log
/var/log/virtualmin/client2.be_access_log
/var/log/virtualmin/client2.be_access_log
/run/apache2/ssl_mutex (deleted)
/var/log/virtualmin/client3.net_access_log
/var/log/virtualmin/client3.net_access_log
/var/log/virtualmin/client4.be_access_log
/var/log/apache2/access.log
/dev/urandom
anon_inode:[eventpoll]
Memory maps by the process (if any):
7f0d3aa9c000-7f0d3aaa3000 r-xp 00000000 fd:00 10359814 /usr/lib/php5/20100525/pdo_mysql.so
7f0d3aaa3000-7f0d3aca3000 ---p 00007000 fd:00 10359814 /usr/lib/php5/20100525/pdo_mysql.so
7f0d3aca3000-7f0d3aca4000 r--p 00007000 fd:00 10359814 /usr/lib/php5/20100525/pdo_mysql.so
7f0d3aca4000-7f0d3aca5000 rw-p 00008000 fd:00 10359814 /usr/lib/php5/20100525/pdo_mysql.so
7f0d3aca5000-7f0d3aca6000 ---p 00000000 00:00 0
7f0d3aca6000-7f0d3b4a6000 rw-p 00000000 00:00 0
7f0d3b5aa000-7f0d3b5c8000 r-xp 00000000 fd:00 10359813 /usr/lib/php5/20100525/mysqli.so
7f0d3b5c8000-7f0d3b7c7000 ---p 0001e000 fd:00 10359813 /usr/lib/php5/20100525/mysqli.so
7f0d3b7c7000-7f0d3b7cc000 r--p 0001d000 fd:00 10359813 /usr/lib/php5/20100525/mysqli.so
7f0d3b7cc000-7f0d3b7cd000 rw-p 00022000 fd:00 10359813 /usr/lib/php5/20100525/mysqli.so
7f0d3b7cd000-7f0d3ba8d000 r-xp 00000000 fd:00 9970163 /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.0.0
7f0d3ba8d000-7f0d3bc8d000 ---p 002c0000 fd:00 9970163 /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.0.0
7f0d3bc8d000-7f0d3bc93000 r--p 002c0000 fd:00 9970163 /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.0.0
7f0d3bc93000-7f0d3bd11000 rw-p 002c6000 fd:00 9970163 /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.0.0
7f0d3bd11000-7f0d3bd16000 rw-p 00000000 00:00 0
7f0d3bd16000-7f0d3bd21000 r-xp 00000000 fd:00 10359812 /usr/lib/php5/20100525/mysql.so
7f0d3bd21000-7f0d3bf21000 ---p 0000b000 fd:00 10359812 /usr/lib/php5/20100525/mysql.so
7f0d3bf21000-7f0d3bf23000 r--p 0000b000 fd:00 10359812 /usr/lib/php5/20100525/mysql.so
7f0d3bf23000-7f0d3bf24000 rw-p 0000d000 fd:00 10359812 /usr/lib/php5/20100525/mysql.so
7f0d3bf24000-7f0d3bf3d000 r-xp 00000000 fd:00 10359789 /usr/lib/php5/20100525/pdo.so
7f0d3bf3d000-7f0d3c13c000 ---p 00019000 fd:00 10359789 /usr/lib/php5/20100525/pdo.so
7f0d3c13c000-7f0d3c13f000 r--p 00018000 fd:00 10359789 /usr/lib/php5/20100525/pdo.so
7f0d3c13f000-7f0d3c140000 rw-p 0001b000 fd:00 10359789 /usr/lib/php5/20100525/pdo.so
7f0d3c140000-7f0d3c142000 r-xp 00000000 fd:00 10355369 /usr/lib/apache2/modules/mod_suexec.so
7f0d3c142000-7f0d3c341000 ---p 00002000 fd:00 10355369 /usr/lib/apache2/modules/mod_suexec.so
7f0d3c341000-7f0d3c342000 r--p 00001000 fd:00 10355369 /usr/lib/apache2/modules/mod_suexec.so
7f0d3c342000-7f0d3c343000 rw-p 00002000 fd:00 10355369 /usr/lib/apache2/modules/mod_suexec.so
7f0d3c343000-7f0d3c347000 r-xp 00000000 fd:00 10355408 /usr/lib/apache2/modules/mod_status.so
7f0d3c347000-7f0d3c547000 ---p 00004000 fd:00 10355408 /usr/lib/apache2/modules/mod_status.so
7f0d3c547000-7f0d3c548000 r--p 00004000 fd:00 10355408 /usr/lib/apache2/modules/mod_status.so
7f0d3c548000-7f0d3c549000 rw-p 00005000 fd:00 10355408 /usr/lib/apache2/modules/mod_status.so
7f0d3c549000-7f0d3c5ec000 rw-p 00000000 00:00 0
7f0d3c5ec000-7f0d3c5f7000 r-xp 00000000 fd:00 5508179 /lib/x86_64-linux-gnu/libnss_files-2.13.so
7f0d3c5f7000-7f0d3c7f6000 ---p 0000b000 fd:00 5508179 /lib/x86_64-linux-gnu/libnss_files-2.13.so
7f0d3c7f6000-7f0d3c7f7000 r--p 0000a000 fd:00 5508179 /lib/x86_64-linux-gnu/libnss_files-2.13.so
7f0d3c7f7000-7f0d3c7f8000 rw-p 0000b000 fd:00 5508179 /lib/x86_64-linux-gnu/libnss_files-2.13.so
7f0d3c7f8000-7f0d3c802000 r-xp 00000000 fd:00 5508189 /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7f0d3c802000-7f0d3ca01000 ---p 0000a000 fd:00 5508189 /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7f0d3ca01000-7f0d3ca02000 r--p 00009000 fd:00 5508189 /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7f0d3ca02000-7f0d3ca03000 rw-p 0000a000 fd:00 5508189 /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7f0d3ca03000-7f0d3ca0a000 r-xp 00000000 fd:00 5508193 /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7f0d3ca0a000-7f0d3cc09000 ---p 00007000 fd:00 5508193 /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7f0d3cc09000-7f0d3cc0a000 r--p 00006000 fd:00 5508193 /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7f0d3cc0a000-7f0d3cc0b000 rw-p 00007000 fd:00 5508193 /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7f0d3cc0c000-7f0d3cc12000 rw-p 00000000 00:00 0
7f0d3cc29000-7f0d3cc3f000 rw-s 00000000 00:04 9552 /dev/zero (deleted)
7f0d3cdf2000-7f0d3ce1c000 r-xp 00000000 fd:00 10355402 /usr/lib/apache2/modules/mod_ssl.so
7f0d3ce1c000-7f0d3d01c000 ---p 0002a000 fd:00 10355402 /usr/lib/apache2/modules/mod_ssl.so
7f0d3d01c000-7f0d3d01d000 r--p 0002a000 fd:00 10355402 /usr/lib/apache2/modules/mod_ssl.so
7f0d3d01d000-7f0d3d01e000 rw-p 0002b000 fd:00 10355402 /usr/lib/apache2/modules/mod_ssl.so
7f0d3d01e000-7f0d3d021000 rw-p 00000000 00:00 0
7f0d3d021000-7f0d3d024000 r-xp 00000000 fd:00 10355377 /usr/lib/apache2/modules/mod_setenvif.so
7f0d3d024000-7f0d3d223000 ---p 00003000 fd:00 10355377 /usr/lib/apache2/modules/mod_setenvif.so
7f0d3d223000-7f0d3d224000 r--p 00002000 fd:00 10355377 /usr/lib/apache2/modules/mod_setenvif.so
7f0d3d224000-7f0d3d225000 rw-p 00003000 fd:00 10355377 /usr/lib/apache2/modules/mod_setenvif.so
7f0d3d225000-7f0d3d30a000 r-xp 00000000 fd:00 9970199 /usr/lib/libruby1.8.so.1.8.7
7f0d3d30a000-7f0d3d509000 ---p 000e5000 fd:00 9970199 /usr/lib/libruby1.8.so.1.8.7
7f0d3d509000-7f0d3d50b000 r--p 000e4000 fd:00 9970199 /usr/lib/libruby1.8.so.1.8.7
7f0d3d50b000-7f0d3d50e000 rw-p 000e6000 fd:00 9970199 /usr/lib/libruby1.8.so.1.8.7
7f0d3d50e000-7f0d3d52c000 rw-p 00000000 00:00 0
7f0d3d52c000-7f0d3d54b000 r-xp 00000000 fd:00 10361925 /usr/lib/apache2/modules/mod_ruby.so
7f0d3d54b000-7f0d3d74b000 ---p 0001f000 fd:00 10361925 /usr/lib/apache2/modules/mod_ruby.so
7f0d3d74b000-7f0d3d74d000 rw-p 0001f000 fd:00 10361925 /usr/lib/apache2/modules/mod_ruby.so
7f0d3d74d000-7f0d3d75c000 r-xp 00000000 fd:00 10355400 /usr/lib/apache2/modules/mod_rewrite.so
7f0d3d75c000-7f0d3d95b000 ---p 0000f000 fd:00 10355400 /usr/lib/apache2/modules/mod_rewrite.so
7f0d3d95b000-7f0d3d95c000 r--p 0000e000 fd:00 10355400 /usr/lib/apache2/modules/mod_rewrite.so
7f0d3d95c000-7f0d3d95d000 rw-p 0000f000 fd:00 10355400 /usr/lib/apache2/modules/mod_rewrite.so
7f0d3d95d000-7f0d3d960000 r-xp 00000000 fd:00 10355364 /usr/lib/apache2/modules/mod_reqtimeout.so
7f0d3d960000-7f0d3db5f000 ---p 00003000 fd:00 10355364 /usr/lib/apache2/modules/mod_reqtimeout.so
7f0d3db5f000-7f0d3db60000 r--p 00002000 fd:00 10355364 /usr/lib/apache2/modules/mod_reqtimeout.so
7f0d3db60000-7f0d3db61000 rw-p 00003000 fd:00 10355364 /usr/lib/apache2/modules/mod_reqtimeout.so
7f0d3db61000-7f0d3db68000 r-xp 00000000 fd:00 10355406 /usr/lib/apache2/modules/mod_proxy_http.so
7f0d3db68000-7f0d3dd68000 ---p 00007000 fd:00 10355406 /usr/lib/apache2/modules/mod_proxy_http.so
7f0d3dd68000-7f0d3dd69000 r--p 00007000 fd:00 10355406 /usr/lib/apache2/modules/mod_proxy_http.so
7f0d3dd69000-7f0d3dd6a000 rw-p 00008000 fd:00 10355406 /usr/lib/apache2/modules/mod_proxy_http.so
7f0d3dd6a000-7f0d3dd6c000 r-xp 00000000 fd:00 10355371 /usr/lib/apache2/modules/mod_proxy_connect.so
7f0d3dd6c000-7f0d3df6b000 ---p 00002000 fd:00 10355371 /usr/lib/apache2/modules/mod_proxy_connect.so
7f0d3df6b000-7f0d3df6c000 r--p 00001000 fd:00 10355371 /usr/lib/apache2/modules/mod_proxy_connect.so
7f0d3df6c000-7f0d3df6d000 rw-p 00002000 fd:00 10355371 /usr/lib/apache2/modules/mod_proxy_connect.so
7f0d3df6d000-7f0d3df73000 r-xp 00000000 fd:00 10355405 /usr/lib/apache2/modules/mod_proxy_balancer.so
7f0d3df73000-7f0d3e172000 ---p 00006000 fd:00 10355405 /usr/lib/apache2/modules/mod_proxy_balancer.so
7f0d3e172000-7f0d3e173000 r--p 00005000 fd:00 10355405 /usr/lib/apache2/modules/mod_proxy_balancer.so
7f0d3e173000-7f0d3e174000 rw-p 00006000 fd:00 10355405 /usr/lib/apache2/modules/mod_proxy_balancer.so
7f0d3e174000-7f0d3e188000 r-xp 00000000 fd:00 10355365 /usr/lib/apache2/modules/mod_proxy.so
7f0d3e188000-7f0d3e387000 ---p 00014000 fd:00 10355365 /usr/lib/apache2/modules/mod_proxy.so
7f0d3e387000-7f0d3e388000 r--p 00013000 fd:00 10355365 /usr/lib/apache2/modules/mod_proxy.so
7f0d3e388000-7f0d3e389000 rw-p 00014000 fd:00 10355365 /usr/lib/apache2/modules/mod_proxy.so
7f0d3e389000-7f0d3e38c000 r-xp 00000000 fd:00 5508169 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
7f0d3e38c000-7f0d3e58b000 ---p 00003000 fd:00 5508169 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
7f0d3e58b000-7f0d3e58c000 r--p 00002000 fd:00 5508169 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
7f0d3e58c000-7f0d3e58d000 rw-p 00003000 fd:00 5508169 /lib/x86_64-linux-gnu/libkeyutils.so.1.4
7f0d3e58d000-7f0d3e595000 r-xp 00000000 fd:00 9962180 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7f0d3e595000-7f0d3e794000 ---p 00008000 fd:00 9962180 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7f0d3e794000-7f0d3e795000 r--p 00007000 fd:00 9962180 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7f0d3e795000-7f0d3e796000 rw-p 00008000 fd:00 9962180 /usr/lib/x86_64-linux-gnu/libkrb5support.so.0.1
7f0d3e796000-7f0d3e7b8000 r-xp 00000000 fd:00 5505064 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7f0d3e7b8000-7f0d3e9b7000 ---p 00022000 fd:00 5505064 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7f0d3e9b7000-7f0d3e9b8000 r--p 00021000 fd:00 5505064 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7f0d3e9b8000-7f0d3e9b9000 rw-p 00022000 fd:00 5505064 /lib/x86_64-linux-gnu/liblzma.so.5.0.0
7f0d3e9b9000-7f0d3e9df000 r-xp 00000000 fd:00 9962171 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7f0d3e9df000-7f0d3ebdf000 ---p 00026000 fd:00 9962171 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7f0d3ebdf000-7f0d3ebe0000 r--p 00026000 fd:00 9962171 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7f0d3ebe0000-7f0d3ebe1000 rw-p 00027000 fd:00 9962171 /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
7f0d3ebe1000-7f0d3ebe2000 rw-p 00000000 00:00 0
...
Another example:
Time: Tue Mar 17 15:01:28 2015 +0100
PID: 3347 (Parent PID:2916)
Account: mysql
Uptime: 1221238 seconds
Executable: /usr/sbin/mysqld
Command Line (often faked in exploits): /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
Network connections by the process (if any):
tcp: 127.0.0.1:3306 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/var/lib/mysql/ibdata1
/tmp/ibjvuUGG (deleted)
/tmp/iboD5Six (deleted)
/tmp/ibVh0RUn (deleted)
/tmp/ibp3OiA5 (deleted)
/var/lib/mysql/ib_logfile0
/var/lib/mysql/ib_logfile1
/var/lib/mysql/client3@002enet_webmail/session.ibd
/var/lib/mysql/client3@002enet_webmail/users.ibd
/var/lib/mysql/client3@002enet_webmail/cache.ibd
/var/lib/mysql/client3@002enet_webmail/cache_shared.ibd
/var/lib/mysql/client3@002enet_webmail/cache_index.ibd
/var/lib/mysql/client3@002enet_webmail/cache_thread.ibd
/var/lib/mysql/client3@002enet_webmail/cache_messages.ibd
/var/lib/mysql/client3@002enet_webmail/contacts.ibd
/var/lib/mysql/client3@002enet_webmail/contactgroups.ibd
/var/lib/mysql/client3@002enet_webmail/contactgroupmembers.ibd
/var/lib/mysql/client3@002enet_webmail/identities.ibd
/tmp/ibYAIWk2 (deleted)
/var/lib/mysql/mysql/host.MYI
/var/lib/mysql/mysql/host.MYD
/var/lib/mysql/mysql/user.MYI
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/db.MYI
/var/lib/mysql/mysql/db.MYD
/var/lib/mysql/mysql/proxies_priv.MYI
/var/lib/mysql/mysql/proxies_priv.MYD
/var/lib/mysql/mysql/tables_priv.MYI
/var/lib/mysql/mysql/tables_priv.MYD
/var/lib/mysql/mysql/columns_priv.MYI
/var/lib/mysql/mysql/columns_priv.MYD
/var/lib/mysql/mysql/procs_priv.MYI
/var/lib/mysql/mysql/procs_priv.MYD
/var/lib/mysql/mysql/servers.MYI
/var/lib/mysql/mysql/servers.MYD
/var/lib/mysql/mysql/event.MYI
/var/lib/mysql/mysql/event.MYD
/var/lib/mysql/client4/cache.ibd
/var/lib/mysql/client4/cache_index.ibd
/var/lib/mysql/mysql/proc.MYI
/var/lib/mysql/mysql/proc.MYD
/var/lib/mysql/client3@002enet_webmail/dictionary.ibd
/var/lib/mysql/client3@002enet_webmail/searches.ibd
/var/lib/mysql/client3@002enet_webmail/system.ibd
/var/lib/mysql/mysql/func.MYI
/var/lib/mysql/mysql/func.MYD
/var/lib/mysql/mysql/general_log.CSM
/var/lib/mysql/mysql/general_log.CSV
/var/lib/mysql/mysql/help_category.MYI
/var/lib/mysql/mysql/help_category.MYD
/var/lib/mysql/mysql/help_keyword.MYI
/var/lib/mysql/mysql/help_keyword.MYD
/var/lib/mysql/mysql/help_relation.MYI
/var/lib/mysql/mysql/help_relation.MYD
/var/lib/mysql/mysql/help_topic.MYI
/var/lib/mysql/mysql/help_topic.MYD
/var/lib/mysql/mysql/ndb_binlog_index.MYI
/var/lib/mysql/mysql/ndb_binlog_index.MYD
/var/lib/mysql/mysql/plugin.MYI
/var/lib/mysql/mysql/plugin.MYD
/var/lib/mysql/mysql/slow_log.CSM
/var/lib/mysql/mysql/slow_log.CSV
/var/lib/mysql/mysql/time_zone.MYI
/var/lib/mysql/mysql/time_zone.MYD
/var/lib/mysql/mysql/time_zone_leap_second.MYI
/var/lib/mysql/mysql/time_zone_leap_second.MYD
/var/lib/mysql/mysql/time_zone_name.MYI
/var/lib/mysql/mysql/time_zone_name.MYD
/var/lib/mysql/mysql/time_zone_transition.MYI
/var/lib/mysql/mysql/time_zone_transition.MYD
/var/lib/mysql/mysql/time_zone_transition_type.MYI
/var/lib/mysql/mysql/time_zone_transition_type.MYD
/var/lib/mysql/client2@002ebe_webmail/cache.ibd
/var/lib/mysql/client2@002ebe_webmail/cache_index.ibd
/var/lib/mysql/client2@002ebe_webmail/cache_messages.ibd
/var/lib/mysql/client2@002ebe_webmail/cache_shared.ibd
/var/lib/mysql/client2@002ebe_webmail/cache_thread.ibd
/var/lib/mysql/client2@002ebe_webmail/contactgroupmembers.ibd
/var/lib/mysql/client2@002ebe_webmail/contactgroups.ibd
/var/lib/mysql/client2@002ebe_webmail/contacts.ibd
/var/lib/mysql/client2@002ebe_webmail/dictionary.ibd
/var/lib/mysql/client2@002ebe_webmail/identities.ibd
/var/lib/mysql/client2@002ebe_webmail/searches.ibd
/var/lib/mysql/client2@002ebe_webmail/session.ibd
/var/lib/mysql/client2@002ebe_webmail/system.ibd
...
Please tell me that I can safely ignore these e-mails?
Howdy,
While I'm not familiar with CSF and the emails it sends, at first glance, those all appear normal.
One is Apache, with a number of open Apache log files, and the other is MySQL, with a series of databases open.
Are you experiencing a problem of any sort though?
-Eric
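Eric's reading of the two alerts (a web server holding its log files open, a database holding its tables open) is the sensible one, but the alert's own "Command Line (often faked in exploits)" label is the reminder that most of those headers are reported by the process itself and can be forged; only the kernel's view of the executable and its package checksum settle the question. The script below is an added example, not code from this thread, from Virtualmin or from ConfigServer. It parses a saved lfd process-tracking alert with the layout quoted above, applies a few triage heuristics of my own (executable location, argv[0] versus the real executable, established connections, temp files, executable mappings of deleted or temp files) and, when run on the host while the PID still exists, compares /proc/PID/exe with the alert and checks Debian package ownership. The two sample alerts are constructed (the first reduced from the thread, with the redacted addresses replaced by RFC 5737 ranges), and the use of debsums for the checksum step is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread, Virtualmin or ConfigServer.
# Triage a saved lfd process-tracking alert: a "Field: value" header block,
# then the "Network connections", "Files open" and "Memory maps" sections.
# The checks are my own heuristics; the sample alerts at the end are constructed.

lfd_field() {   # first header field named $2 in alert file $1
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}
lfd_pid() {     # "PID: 18819 (Parent PID:4069)" -> 18819
    lfd_field "$1" PID | awk '{ print $1 }'
}
lfd_section() { # non-empty lines after header $2, up to header $3 ("" = to EOF)
    awk -v start="$2" -v stop="$3" '
        stop != "" && index($0, stop) == 1 { inside = 0 }
        inside && NF                       { print }
        index($0, start) == 1              { inside = 1 }' "$1"
}

# Offline checks on the alert text alone; prints findings, returns 1 if any.
lfd_triage() {
    file=$1; findings=0
    exe=$(lfd_field "$file" Executable)
    acct=$(lfd_field "$file" Account)
    cmd=$(lfd_field "$file" "Command Line (often faked in exploits)")
    # 1. Daemons live under /usr; a binary in a world-writable dir or unlinked after exec is not.
    case $exe in /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)"*)
        echo "FLAG executable in unusual location: $exe"; findings=1 ;;
    esac
    # 2. A service account running a shell, interpreter or network tool directly: web-shell footprint.
    case ${exe##*/} in sh|bash|dash|perl|python*|php*|ruby|nc|ncat|socat)
        echo "FLAG $acct is running $exe directly"; findings=1 ;;
    esac
    # 3. argv[0] is whatever the process wrote there; Executable is the kernel's view.
    argv0=${cmd%% *}
    if [ "${argv0##*/}" != "${exe##*/}" ]; then
        echo "FLAG command line claims ${argv0##*/}, executable is ${exe##*/}"; findings=1
    fi
    # 4. Listening sockets show as "-> 0.0.0.0:0"; anything else is an established connection.
    conns=$(lfd_section "$file" "Network connections" "Files open" | grep -v -- '-> 0.0.0.0:0$' || true)
    if [ -n "$conns" ]; then echo "FLAG connection(s): $conns"; findings=1; fi
    # 5. Open files in temp dirs.  InnoDB's unlinked /tmp/ib* scratch files are expected for mysqld only.
    tmp=$(lfd_section "$file" "Files open" "Memory maps" | grep -E '^(/tmp|/var/tmp|/dev/shm)/' || true)
    if [ "${exe##*/}" = mysqld ]; then
        tmp=$(printf '%s\n' "$tmp" | grep -v '^/tmp/ib[A-Za-z0-9]* (deleted)$' || true)
    fi
    if [ -n "$tmp" ]; then echo "FLAG temp file(s) open: $tmp"; findings=1; fi
    # 6. Executable mappings of deleted or temp-dir files (rw-s "/dev/zero (deleted)" is plain shared memory).
    maps=$(lfd_section "$file" "Memory maps" "" |
           awk '$2 ~ /x/ && ($6 ~ /^\/(tmp|var\/tmp|dev\/shm)\// || $NF == "(deleted)")')
    if [ -n "$maps" ]; then echo "FLAG executable mapping: $maps"; findings=1; fi
    return $findings
}

# Live checks, only meaningful on the host while the PID still exists.
# Assumes Debian, with the debsums package installed for the checksum step.
lfd_live_check() {
    pid=$(lfd_pid "$1"); exe=$(lfd_field "$1" Executable)
    [ -d "/proc/$pid" ] || { echo "pid $pid is gone, nothing to verify live"; return 0; }
    real=$(readlink "/proc/$pid/exe")   # kernel's link; the process cannot rewrite it
    [ "$real" = "$exe" ] || echo "FLAG /proc/$pid/exe is $real, alert says $exe"
    pkg=$(dpkg -S "$exe" 2>/dev/null | sed 's/:.*//' | head -n 1)
    if [ -z "$pkg" ]; then echo "FLAG $exe is not owned by any package"
    elif command -v debsums >/dev/null 2>&1; then
        debsums -s "$pkg" || echo "FLAG package $pkg has modified files"
    fi
}

# Constructed samples.  First: the Apache alert from the thread, cut down, with
# the redacted addresses replaced by RFC 5737 documentation ranges.
SAMPLE_OK='Time: Tue Mar 17 15:30:29 2015 +0100
PID: 18819 (Parent PID:4069)
Account: www-data
Executable: /usr/lib/apache2/mpm-prefork/apache2
Command Line (often faked in exploits): /usr/sbin/apache2 -k start
Network connections by the process (if any):
tcp: 198.51.100.10:80 -> 0.0.0.0:0
tcp: 198.51.100.10:443 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/var/log/apache2/error.log
/run/apache2/ssl_mutex (deleted)
/dev/urandom
Memory maps by the process (if any):
7f0d3aa9c000-7f0d3aaa3000 r-xp 00000000 fd:00 10359814 /usr/lib/php5/20100525/pdo_mysql.so
7f0d3cc29000-7f0d3cc3f000 rw-s 00000000 00:04 9552 /dev/zero (deleted)'
# Second: invented to show what the checks catch (interpreter as www-data,
# forged argv[0], outbound connection, temp-file artefacts).
SAMPLE_BAD='Time: Tue Mar 17 16:02:11 2015 +0100
PID: 19211 (Parent PID:18819)
Account: www-data
Executable: /usr/bin/perl
Command Line (often faked in exploits): /usr/sbin/apache2 -k start
Network connections by the process (if any):
tcp: 198.51.100.10:51342 -> 203.0.113.7:6667
Files open by the process (if any):
/dev/null
/tmp/.x/sess.log
Memory maps by the process (if any):
7f1b00000000-7f1b00010000 r-xp 00000000 00:04 7731 /dev/shm/.libx.so (deleted)'
```

Save the e-mail body to a file and run `lfd_triage file` anywhere; `lfd_live_check file` only makes sense on the server itself, and only while the PID from the alert is still running. Both alerts quoted in the thread pass every offline check, which is the same conclusion Eric reached by eye, but the live check is what tells you the binary on disk is the packaged one.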
Hey Eric,
Thanks for your quick answer. I do not notice any other suspicious behaviour, other than the about 600 e-mails per day about these issues that CSF is reporting.
I will have a look at changing the intensity with which CSF scans ...
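The volume the poster describes comes from lfd's Process Tracking: both alerts show an "Uptime" far above the default PT_LIMIT, so every scan re-reports the same long-lived daemons. The usual fix is to whitelist the two executables in csf.pignore and, if wanted, raise PT_LIMIT, rather than turning the check off. The script below is an added example, not from the thread or from ConfigServer's own documentation. It assumes the stock layout (/etc/csf/csf.conf with `KEY = "value"` lines and /etc/csf/csf.pignore, one `exe:/path` entry per line) and that `csf -ra` restarts csf and lfd; CSF_DIR can be pointed at a scratch copy to try it without touching the live files.

```shell
#!/bin/sh
# Added example, not from the thread or from ConfigServer's documentation:
# the two settings that decide whether lfd's Process Tracking mails an alert
# for a long-running daemon at all.  Assumes the stock csf.conf / csf.pignore
# layout under /etc/csf; CSF_DIR is overridable for a scratch copy.
CSF_DIR=${CSF_DIR:-/etc/csf}

csf_get() {  # value of KEY in csf.conf (lines look like: PT_LIMIT = "60")
    sed -n "s/^$1 = \"\(.*\)\"\$/\1/p" "$CSF_DIR/csf.conf"
}

csf_set() {  # rewrite KEY = "..." in place, or append it if the key is missing
    conf="$CSF_DIR/csf.conf"
    awk -v key="$1" -v val="$2" '
        index($0, key " = ") == 1 { print key " = \"" val "\""; seen = 1; next }
        { print }
        END { if (!seen) print key " = \"" val "\"" }' "$conf" > "$conf.new" &&
    cat "$conf.new" > "$conf" && rm -f "$conf.new"   # keeps csf.conf's inode and mode
}

csf_pignore_add() {  # add one csf.pignore line unless it is already present
    f="$CSF_DIR/csf.pignore"
    grep -qxF -- "$1" "$f" 2>/dev/null || printf '%s\n' "$1" >> "$f"
}

csf_tune_for_virtualmin() {
    # Ignore the two daemons by executable path.  The path must match the
    # "Executable:" line of the alert exactly: on this Debian box that is the
    # MPM binary, not /usr/sbin/apache2.  Do not use "user:www-data" instead;
    # that would also silence a web shell spawned by Apache, which is exactly
    # the case Process Tracking exists to catch.
    csf_pignore_add "exe:/usr/lib/apache2/mpm-prefork/apache2"
    csf_pignore_add "exe:/usr/sbin/mysqld"
    # PT_LIMIT: seconds a non-ignored process may run before it is reported;
    # 0 disables Process Tracking.  Raise it rather than disabling it.
    csf_set PT_LIMIT 3600
    # Apply: csf -ra restarts csf and lfd.  Skipped when csf is not installed here.
    if command -v csf >/dev/null 2>&1; then csf -ra; fi
}

if [ "${1:-}" = apply ]; then csf_tune_for_virtualmin; fi
```

Run it as `sh tune-csf.sh apply` on the server. Whitelisting by exact executable path is the least-privilege option: the next alert from www-data will then be something that is not Apache, which is worth reading. PT_SKIP_HTTP is the other knob in csf.conf, but it skips everything the web server user runs, so it trades the noise for blindness in the one place the check matters.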