Can anyone shed any light on the following, as my host asked me if this was a legit part of my site?
Subject: lfd: Suspicious process running under user ******
Time: Wed Oct 25 16:48:17 2006
PID: 13262
Account: ******
Uptime: 32 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php loadpage.php
Network connections by the process (if any):
tcp: 209.124.81.18:56974 -> 70.86.154.194:80
Files open by the process (if any):
/usr/local/apache/logs/error_log
Memory maps by the process (if any):
08048000-0817b000 r-xp 00000000 03:02 33335 /usr/bin/php
0817b000-081ab000 rw-p 00133000 03:02 33335 /usr/bin/php
081ab000-08b91000 rwxp 00000000 00:00 0
40000000-40012000 r-xp 00000000 03:07 16062 /lib/ld-2.3.2.so
40012000-40013000 rw-p 00011000 03:07 16062 /lib/ld-2.3.2.so
40013000-40014000 rw-p 00000000 00:00 0
4001b000-400c4000 r-xp 00000000 03:02 65025 /usr/lib/libstdc++.so.5.0.3
400c4000-400c9000 rw-p 000a9000 03:02 65025 /usr/lib/libstdc++.so.5.0.3
400c9000-400ce000 rw-p 00000000 00:00 0
400ce000-400d2000 r-xp 00000000 03:07 15982 /lib/libcrypt-2.3.2.so
400d2000-400d3000 rw-p 00003000 03:07 15982 /lib/libcrypt-2.3.2.so
400d3000-400fa000 rw-p 00000000 00:00 0
400fa000-401ba000 r-xp 00000000 03:02 67926 /usr/lib/libmysqlclient.so.15.0.0
401ba000-402ca000 rw-p 000bf000 03:02 67926 /usr/lib/libmysqlclient.so.15.0.0
402ca000-40316000 r-xp 00000000 03:02 66262 /usr/lib/libfreetype.so.6.3.2
40316000-4031a000 rw-p 0004c000 03:02 66262 /usr/lib/libfreetype.so.6.3.2
4031a000-4031b000 rw-p 00000000 00:00 0
4031b000-403f7000 r-xp 00000000 03:02 243634 /usr/X11R6/lib/libX11.so.6.2
403f7000-403fa000 rw-p 000db000 03:02 243634 /usr/X11R6/lib/libX11.so.6.2
403fa000-403fb000 rw-p 00000000 00:00 0
403fb000-4040a000 r-xp 00000000 03:02 243660 /usr/X11R6/lib/libXpm.so.4.11
4040a000-4040b000 rw-p 0000e000 03:02 243660 /usr/X11R6/lib/libXpm.so.4.11
4040b000-4042d000 r-xp 00000000 03:02 66270 /usr/lib/libpng12.so.0.1.2.2
4042d000-4042e000 rw-p 00022000 03:02 66270 /usr/lib/libpng12.so.0.1.2.2
4042e000-4043a000 r-xp 00000000 03:02 64985 /usr/lib/libz.so.1.1.4
4043a000-4043c000 rw-p 0000b000 03:02 64985 /usr/lib/libz.so.1.1.4
4043c000-40459000 r-xp 00000000 03:02 66269 /usr/lib/libjpeg.so.62.0.0
40459000-4045a000 rw-p 0001d000 03:02 66269 /usr/lib/libjpeg.so.62.0.0
4045a000-40467000 r-xp 00000000 03:07 16004 /lib/libresolv-2.3.2.so
40467000-40468000 rw-p 0000d000 03:07 16004 /lib/libresolv-2.3.2.so
40468000-4046a000 rw-p 00000000 00:00 0
4046a000-4048a000 r-xp 00000000 03:07 17044 /lib/libm-2.3.2.so
4048a000-4048b000 rw-p 00020000 03:07 17044 /lib/libm-2.3.2.so
4048b000-4048c000 rw-p 00000000 00:00 0
4048c000-4048e000 r-xp 00000000 03:07 17037 /lib/libdl-2.3.2.so
4048e000-4048f000 rw-p 00002000 03:07 17037 /lib/libdl-2.3.2.so
4048f000-4049f000 r-xp 00000000 03:07 15988 /lib/libnsl-2.3.2.so
4049f000-404a0000 rw-p 00010000 03:07 15988 /lib/libnsl-2.3.2.so
404a0000-404a2000 rw-p 00000000 00:00 0
404a2000-405c3000 r-xp 00000000 03:07 15980 /lib/libc-2.3.2.so
405c3000-405c7000 rw-p 00120000 03:07 15980 /lib/libc-2.3.2.so
405c7000-405c9000 rw-p 00000000 00:00 0
405c9000-405d0000 r-xp 00000000 03:07 16045 /lib/libgcc_s-3.2.2-20030225.so.1
405d0000-405d1000 rw-p 00007000 03:07 16045 /lib/libgcc_s-3.2.2-20030225.so.1
405d1000-405df000 r-xp 00000000 03:07 16002 /lib/libpthread-0.10.so
405df000-405e2000 rw-p 0000e000 03:07 16002 /lib/libpthread-0.10.so
405e2000-40622000 rw-p 00000000 00:00 0
40622000-4062f000 r-xp 00000000 03:02 243644 /usr/X11R6/lib/libXext.so.6.4
4062f000-40630000 rw-p 0000c000 03:02 243644 /usr/X11R6/lib/libXext.so.6.4
40630000-40631000 rw-p 00000000 00:00 0
40631000-4063b000 r-xp 00000000 03:07 17059 /lib/libnss_files-2.3.2.so
4063b000-4063c000 rw-p 00009000 03:07 17059 /lib/libnss_files-2.3.2.so
4063c000-40680000 rw-p 00000000 00:00 0
40680000-40683000 r-xp 00000000 03:07 15993 /lib/libnss_dns-2.3.2.so
40683000-40684000 rw-p 00002000 03:07 15993 /lib/libnss_dns-2.3.2.so
bffdf000-c0000000 rwxp fffe0000 00:00 0
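The alert above is lfd's (ConfigServer Security & Firewall's daemon) plain-text "Suspicious process" report. To show what a defender can pull out of such a report before opening the script it names, here is an added example, not code from the original post or from the CSF/lfd project: a parser for the layout shown above (header `Key: value` lines, then sections whose entries follow the section header, with memory-map lines that a mail client wrapped re-joined), plus a triage pass over the parsed fields. The sample alert embedded in it is constructed from the post's alert, shortened to four memory-map entries; the section names and the `tag` strings in the findings are this example's own choices.

```python
"""Parse a CSF/lfd "Suspicious process" alert and produce triage findings.

Added example (not from the original post or the CSF/lfd project). Assumes
the plain-text layout shown in the post: 'Key: value' header lines, then
sections whose entries sit on the lines after the section header.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the alert from the post, cut down to four memory maps.
# The libmysqlclient entry is deliberately wrapped, as it appears in the post.
SAMPLE_ALERT = """\
Subject: lfd: Suspicious process running under user ******
Time: Wed Oct 25 16:48:17 2006
PID: 13262
Account: ******
Uptime: 32 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php loadpage.php
Network connections by the process (if any):
tcp: 209.124.81.18:56974 -> 70.86.154.194:80
Files open by the process (if any):
/usr/local/apache/logs/error_log
Memory maps by the process (if any):
08048000-0817b000 r-xp 00000000 03:02 33335 /usr/bin/php
081ab000-08b91000 rwxp 00000000 00:00 0
400fa000-401ba000 r-xp 00000000 03:02 67926
/usr/lib/libmysqlclient.so.15.0.0
bffdf000-c0000000 rwxp fffe0000 00:00 0
"""

# Section headers lfd emits; the parenthesised remarks after some of them are ignored.
SECTION_RE = re.compile(
    r"^(Subject|Time|PID|Account|Uptime|Executable|Command Line|"
    r"Network connections by the process|Files open by the process|"
    r"Memory maps by the process)(?:\s*\([^)]*\))?:\s*(.*)$")
CONN_RE = re.compile(r"^(\w+):\s*([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")
# /proc/<pid>/maps layout: start-end perms offset dev inode [path]
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(\S*)$")

Connection = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport
MemMap = Tuple[str, str, str, str]           # start, end, perms, path ("" = anonymous)


@dataclass
class LfdAlert:
    subject: str = ""
    time: str = ""
    pid: int = 0
    account: str = ""
    uptime: str = ""
    executable: str = ""
    command_line: List[str] = field(default_factory=list)
    connections: List[Connection] = field(default_factory=list)
    open_files: List[str] = field(default_factory=list)
    memory_maps: List[MemMap] = field(default_factory=list)


def parse_lfd_alert(text: str) -> LfdAlert:
    alert = LfdAlert()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key in ("Subject", "Time", "Account", "Uptime"):
                setattr(alert, key.lower(), value)
            elif key == "PID":
                alert.pid = int(value)
            else:
                section = key  # multi-line section: entries follow on later lines
            continue
        if section == "Executable":
            alert.executable = line
        elif section == "Command Line":
            alert.command_line = line.split()
        elif section == "Network connections by the process":
            c = CONN_RE.match(line)
            if c:
                alert.connections.append((c.group(1), c.group(2), int(c.group(3)),
                                          c.group(4), int(c.group(5))))
        elif section == "Files open by the process":
            alert.open_files.append(line)
        elif section == "Memory maps by the process":
            mm = MAP_RE.match(line)
            if mm:
                alert.memory_maps.append((mm.group(1), mm.group(2), mm.group(3), mm.group(4)))
            elif line.startswith("/") and alert.memory_maps and not alert.memory_maps[-1][3]:
                # A wrapped map entry: this line is the path of the previous entry.
                start, end, perms, _ = alert.memory_maps[-1]
                alert.memory_maps[-1] = (start, end, perms, line)
    return alert


INTERPRETERS = {"php", "perl", "python", "ruby", "sh", "bash"}


def triage(alert: LfdAlert) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings drawn only from the alert's own fields."""
    findings = []
    exe_name = alert.executable.rsplit("/", 1)[-1]
    if exe_name in INTERPRETERS:
        script = alert.command_line[1] if len(alert.command_line) > 1 else "(none)"
        findings.append(("interpreter", f"{exe_name} running {script}; review that file "
                                        f"and the account's cron jobs"))
    if alert.command_line and alert.command_line[0] != alert.executable:
        findings.append(("argv0-mismatch", f"argv[0] {alert.command_line[0]!r} differs from "
                                           f"executable {alert.executable!r}"))
    for proto, src, sport, dst, dport in alert.connections:
        findings.append(("connection", f"{proto} {src}:{sport} -> {dst}:{dport}; confirm the "
                                       f"script is meant to contact that host"))
    rwx_anon = [mm for mm in alert.memory_maps if "w" in mm[2] and "x" in mm[2] and not mm[3]]
    if rwx_anon:
        findings.append(("rwx-anon", f"{len(rwx_anon)} anonymous rwx mapping(s); normal for "
                                     f"heap and stack on non-NX x86 systems, weak signal alone"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(parse_lfd_alert(SAMPLE_ALERT)):
        print(f"[{tag}] {detail}")
```

Run against the post's alert, the parser yields a PHP CLI process running `loadpage.php`, a single TCP connection from a high local port to port 80 on a remote host, and two anonymous `rwxp` regions (the heap and the stack). None of that is proof of either a legitimate job or a compromise: the deciding check is the content of `loadpage.php` in the account's web root or cron jobs, and whether that script is expected to fetch a remote page. The `argv[0]` comparison is there because, as the alert itself notes, a command line can be faked; a clean match does not clear the process, but a mismatch is worth a closer look.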