Full Version: NoBody Check Help
goldshop
Nobody Check detected a malicious process. Can anyone tell me how to remove it? Thanks

WHM 11.15.0 cPanel 11.17.0-S19434
REDHAT Enterprise 4 i686 on standard - WHM X v3.1.0


Clean Processes: 19
DETECTED Malicious Processes: 1


DETECTION DETAILS
========================================



DETECTION: Process 3200 with name perl and path /usr/bin/perl


Process ID: 3200 has been killed
Restuls for PID: 3200
total 0
dr-xr-xr-x 3 nobody nobody 0 Feb 5 18:04 .
dr-xr-xr-x 205 root root 0 Feb 12 2007 ..
dr-xr-xr-x 2 nobody nobody 0 Feb 5 19:00 attr
-r-------- 1 nobody nobody 0 Feb 5 19:00 auxv
-r--r--r-- 1 nobody nobody 0 Feb 5 18:45 cmdline
lrwxrwxrwx 1 nobody nobody 0 Feb 5 19:00 cwd -> /
-r-------- 1 nobody nobody 0 Feb 5 19:00 environ
lrwxrwxrwx 1 nobody nobody 0 Feb 5 18:50 exe -> /usr/bin/perl
dr-x------ 2 nobody nobody 0 Feb 5 19:00 fd
-rw-r--r-- 1 nobody nobody 0 Feb 5 19:00 loginuid
-r-------- 1 nobody nobody 0 Feb 5 19:00 maps
-rw------- 1 nobody nobody 0 Feb 5 19:00 mem
-r--r--r-- 1 nobody nobody 0 Feb 5 19:00 mounts
lrwxrwxrwx 1 nobody nobody 0 Feb 5 19:00 root -> /
-r--r--r-- 1 nobody nobody 0 Feb 5 18:45 stat
-r--r--r-- 1 nobody nobody 0 Feb 5 18:50 statm
-r--r--r-- 1 nobody nobody 0 Feb 5 18:45 status
dr-xr-xr-x 3 nobody nobody 0 Feb 5 19:00 task
-r--r--r-- 1 nobody nobody 0 Feb 5 19:00 wchan

Netstat:
tcp 0 1 207.44.176.118:53907 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53893 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53894 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53902 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53840 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53855 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53849 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53848 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53850 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53827 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53826 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53839 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53832 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53885 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53884 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53856 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53868 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53781 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53789 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53815 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53814 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53795 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53806 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53726 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53727 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53750 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53751 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53734 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 1 207.44.176.118:53741 212.36.74.200:80
SYN_SENT 3200/httpd
tcp 0 0 207.44.176.118:53897 207.44.176.118:53
ESTABLISHED 3200/httpd
unix 2 [ ] STREAM CONNECTED 1127302133 3200/httpd


Environ:
SuperBaby
False alarm. I see such false alarms very often after changing my server from RH9 to RHEL5.