- 09-03-2008 #1 Just Joined!
- Join Date
- Sep 2008
- Posts
- 3
Suspicious process running under user nobody
Hi
I'm new to Linux and have a CentOS server installed under VMware.
I get an email from the server every hour about the below.
And I have no clue if this process should be there, and if it should, how to turn those mails off.
Can anyone here help me?
Time: Wed Sep 3 05:56:25 2008 +0200
PID: 3319
Account: nobody
Uptime: 2138684 seconds
Executable:
/usr/sbin/dnsmasq
Command Line (often faked in exploits):
/usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1 --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases --dhcp-range 192.168.122.2,192.168.122.254
Network connections by the process (if any):
udp: 0.0.0.0:32778 -> 0.0.0.0:0
tcp: 192.168.122.1:53 -> 0.0.0.0:0
udp: 192.168.122.1:53 -> 0.0.0.0:0
udp: 0.0.0.0:67 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/var/lib/libvirt/dhcp-default.leases
Memory maps by the process (if any):
00280000-003c0000 r-xp 00000000 fd:00 2164248 /lib/i686/nosegneg/libc-2.5.so
003c0000-003c2000 r--p 00140000 fd:00 2164248 /lib/i686/nosegneg/libc-2.5.so
003c2000-003c3000 rw-p 00142000 fd:00 2164248 /lib/i686/nosegneg/libc-2.5.so
003c3000-003c6000 rw-p 003c3000 00:00 0
006c1000-006db000 r-xp 00000000 fd:00 2162704 /lib/ld-2.5.so
006db000-006dc000 r--p 00019000 fd:00 2162704 /lib/ld-2.5.so
006dc000-006dd000 rw-p 0001a000 fd:00 2162704 /lib/ld-2.5.so
00866000-00867000 r-xp 00866000 00:00 0 [vdso]
00ac7000-00ad0000 r-xp 00000000 fd:00 2164199 /lib/libnss_files-2.5.so
00ad0000-00ad1000 r--p 00008000 fd:00 2164199 /lib/libnss_files-2.5.so
00ad1000-00ad2000 rw-p 00009000 fd:00 2164199 /lib/libnss_files-2.5.so
08048000-08067000 r-xp 00000000 fd:00 3732889 /usr/sbin/dnsmasq
08067000-08069000 rw-p 0001e000 fd:00 3732889 /usr/sbin/dnsmasq
09272000-09293000 rw-p 09272000 00:00 0
b7fdd000-b7fde000 rw-p b7fdd000 00:00 0
b7ff6000-b7ff8000 rw-p b7ff6000 00:00 0
bf9fd000-bfa12000 rw-p bf9fd000 00:00 0 [stack]
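Before acting on the replies below, here is how a practitioner would triage the report itself. This is an added example, not part of the thread. The arguments in the Command Line (--listen-address 192.168.122.1, --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases, --dhcp-range 192.168.122.2,192.168.122.254) are the ones libvirtd passes when it starts dnsmasq for its default NAT network, and that dnsmasq drops to the nobody user, so the first question is whether the binary and its parent process check out, not whether nobody is sending mail. The script parses the posted alert (embedded as sample input, copied from the post above) and cross-checks argv[0] against the kernel-reported Executable, which the alert itself warns can be faked, then shows a live check of a PID through /proc. The proc_check function assumes a Linux host with /proc, and runs rpm only if it is installed.

```shell
#!/bin/sh
# Added example (not from the thread): triage a process-tracking alert.
# Part 1 parses the alert text; part 2 checks a live PID via /proc.

# Alert text as posted in the thread, embedded here as sample input.
ALERT='Time: Wed Sep 3 05:56:25 2008 +0200
PID: 3319
Account: nobody
Uptime: 2138684 seconds
Executable:
/usr/sbin/dnsmasq
Command Line (often faked in exploits):
/usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1 --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases --dhcp-range 192.168.122.2,192.168.122.254
Network connections by the process (if any):
udp: 0.0.0.0:32778 -> 0.0.0.0:0
tcp: 192.168.122.1:53 -> 0.0.0.0:0
udp: 192.168.122.1:53 -> 0.0.0.0:0
udp: 0.0.0.0:67 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null'

# alert_field NAME: value of a "NAME: value" line in $ALERT (e.g. PID, Account).
alert_field() {
    printf '%s\n' "$ALERT" | awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# alert_block NAME: the line that follows the "NAME:" header line.
alert_block() {
    printf '%s\n' "$ALERT" | awk -v k="$1" '
        found { print; exit }
        $0 == k { found = 1 }'
}

alert_exe()   { alert_block 'Executable:'; }
alert_argv0() { alert_block 'Command Line (often faked in exploits):' | awk '{ print $1 }'; }

# alert_argv0_matches_exe: succeeds when argv[0] names the file the kernel reports.
# A mismatch (e.g. argv[0] "/usr/sbin/dnsmasq" but exe "/tmp/.x") is the classic
# sign of a process disguising itself.
alert_argv0_matches_exe() {
    [ "$(alert_argv0)" = "$(alert_exe)" ]
}

# alert_listen_ports: "proto ip:port" for each socket listed in the alert.
alert_listen_ports() {
    printf '%s\n' "$ALERT" | awk '/^(tcp|udp): / { print $1, $2 }'
}

# proc_check PID: live cross-check of a running process via /proc (Linux only).
# Prints the real executable (with "(deleted)" if the binary was unlinked after
# start), argv[0], uid, the parent chain, and the RPM that owns the binary.
proc_check() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid $pid"; return 1; }
    exe=$(readlink "/proc/$pid/exe")
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
    echo "exe:    $exe"
    echo "argv0:  $argv0"
    echo "uid:    $(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")"
    # Walk parents up to init: a libvirt-managed dnsmasq hangs off libvirtd.
    p=$pid
    while [ "${p:-0}" -gt 1 ]; do
        p=$(awk '/^PPid:/ { print $2 }' "/proc/$p/status")
        printf 'parent: %s (%s)\n' "$p" \
            "$(awk '/^Name:/ { print $2 }' "/proc/$p/status" 2>/dev/null)"
    done
    case $exe in *' (deleted)') echo "WARNING: binary removed after start";; esac
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "${exe% (deleted)}" && rpm -Vf "${exe% (deleted)}"
    fi
}
```

On the poster's box the live check would be `proc_check 3319`; an unmodified /usr/sbin/dnsmasq owned by the dnsmasq package, a parent chain ending in libvirtd, and the four sockets above (DNS on 192.168.122.1:53, DHCP on udp 67) together make this the expected libvirt helper rather than an intruder.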
- 09-03-2008 #2 Linux Newbie
- Join Date
- Apr 2008
- Location
- India
- Posts
- 170
hi,
Nobody is the file ownership that is set on a PHP file for mailing, such as a form that you fill in on a website having nobody ownership. It's better to deny access to nobody because they can spam from your account. Do you use any control panel, such as cPanel, Plesk or Ensim?
check tail -f on your maillog
try this
ps -U nobody -u nobody
check the crons ...
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
- 09-03-2008 #3 Just Joined!
- Join Date
- Sep 2008
- Posts
- 3
Suspicious process
Hi,
Thx for replying
Okay, I have an osCommerce shop on the server that uses nobody to send out mails. Could it be that?
I don't know where to find my mail log or what to look for.
This is what happened when I wrote the ps command.
I have cPanel on the server.
PID TTY TIME CMD
1176 ? 00:03:22 httpd
1303 ? 00:03:16 httpd
3319 ? 00:00:00 dnsmasq
11733 ? 00:02:10 httpd
30474 ? 00:00:22 httpd
30923 ? 00:00:20 httpd
30924 ? 00:00:19 httpd
30964 ? 00:00:20 httpd
31004 ? 00:00:20 httpd
31007 ? 00:00:20 httpd
31666 ? 00:00:17 httpd
- 09-03-2008 #4 Linux Newbie
- Join Date
- Apr 2008
- Location
- India
- Posts
- 170
hey,
check the tail -f /var/log/exim_mainlog | grep nobody
If some of your accounts use nobody just do this
try this: WHM -> Tweak Settings ->
Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)
-> enable this to stop nobody sending emails.
and check whether you still get the mails. But your osCommerce shop will also fail while this option is enabled ...
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
- 09-03-2008 #5 Just Joined!
- Join Date
- Sep 2008
- Posts
- 3
still no joy on suspicious process...
Hi
Thanks for your answer.
I'm on OS X and opened up a terminal, but damn if I couldn't find the pipe symbol on my keyboard. If anyone knows where that is located I would like to know.
I copy pasted your command and got the following response
---
tail: -f option only appropriate for a single file
[Process aborted - code 1]
---
huh?
so what now?
kindly,
Hakabus
- 09-03-2008 #6 Linux Newbie
- Join Date
- Apr 2008
- Location
- India
- Posts
- 170
just try tail -f /var/log/exim_mainlog
and check whether any mails are being refused because nobody is disabled in WHM Tweak Settings.
Did you get any mails after you disabled nobody in WHM?
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
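Replies #4 and #6 point at /var/log/exim_mainlog. Here is an added example (not the thread's own commands) of what to look for in that log without following it live: how many messages Exim accepted from each local user (the U= field of the "<=" acceptance line) and how many of nobody's messages were delivered via remote_smtp, which is exactly the traffic the WHM tweak would block, together with the shop's order confirmations. The log lines are constructed in Exim's mainlog format, not taken from the poster's server; the hostnames and message IDs are made up. The error in post #5 is tail complaining that it was given several file names: when the pipe character between the two commands is lost, `grep` and `nobody` arrive as extra files to tail instead of as a second command.

```shell
#!/bin/sh
# Added example (not from the thread): summarise exim_mainlog by submitting user.
# The sample log below is constructed for this example.

SAMPLE_LOG=$(cat <<'EOF'
2008-09-03 05:50:01 1KaW1x-0001Xb-0q <= root@shop.example.invalid U=root P=local S=612
2008-09-03 05:51:12 1KaW31-0001Yc-3L <= nobody@shop.example.invalid U=nobody P=local S=1489
2008-09-03 05:51:12 1KaW31-0001Yc-3L => customer@mail.example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.25]
2008-09-03 05:51:12 1KaW31-0001Yc-3L Completed
2008-09-03 05:53:40 1KaW5R-0001Zd-7M <= nobody@shop.example.invalid U=nobody P=local S=1502
2008-09-03 05:55:02 1KaW6q-0001aE-1N <= hakabus@shop.example.invalid U=hakabus P=local S=2210
2008-09-03 05:56:30 1KaW8A-0001bF-2P <= nobody@shop.example.invalid U=nobody P=local S=4096
EOF
)

# submissions_by_user: reads mainlog lines on stdin, prints "user count" for
# every "<=" (message accepted) line, keyed on the U= login of the submitter.
submissions_by_user() {
    awk '$4 == "<=" {
            for (i = 5; i <= NF; i++) if ($i ~ /^U=/) n[substr($i, 3)]++
         }
         END { for (u in n) print u, n[u] }' | sort
}

# nobody_submissions: number of messages the "nobody" user handed to Exim.
nobody_submissions() {
    printf '%s\n' "$SAMPLE_LOG" | submissions_by_user | awk '$1 == "nobody" { print $2 }'
}

# nobody_remote_deliveries: nobody's messages that left the box via remote_smtp.
# Field 3 is the Exim message id, which ties the "<=" and "=>" lines together.
nobody_remote_deliveries() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $4 == "<=" { for (i = 5; i <= NF; i++) if ($i == "U=nobody") from_nobody[$3] = 1 }
        $4 == "=>" && ($3 in from_nobody) && /T=remote_smtp/ { c++ }
        END { print c + 0 }'
}

# On a cPanel host (not run here) the same function works on the real log.
# Note the literal "|" between the two commands:
#   tail -n 500 /var/log/exim_mainlog | submissions_by_user
```

If nobody's count is roughly the shop's order volume and the From addresses are the shop's, that is osCommerce doing its job; a sudden spike, or messages whose recipients have nothing to do with the shop, is what the WHM tweak is meant to stop.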
- 09-05-2008 #7 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46

