  1. #1
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3

    Suspicious process running under user nobody


    Hi

    I'm new to Linux and have a CentOS server installed under VMware.

    I get an email from the server every hour about the below.

    And I have no clue whether this process should be there and, if it should, how to turn those mails off.

    Can anyone here help me?

    Time: Wed Sep 3 05:56:25 2008 +0200
    PID: 3319
    Account: nobody
    Uptime: 2138684 seconds


    Executable:

    /usr/sbin/dnsmasq


    Command Line (often faked in exploits):

    /usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1 --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases --dhcp-range 192.168.122.2,192.168.122.254


    Network connections by the process (if any):

    udp: 0.0.0.0:32778 -> 0.0.0.0:0
    tcp: 192.168.122.1:53 -> 0.0.0.0:0
    udp: 192.168.122.1:53 -> 0.0.0.0:0
    udp: 0.0.0.0:67 -> 0.0.0.0:0


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /var/lib/libvirt/dhcp-default.leases


    Memory maps by the process (if any):

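The alert marks the command line as "often faked in exploits" because a process can rewrite its own argv, whereas the /proc/PID/exe link is set by the kernel. The script below is an added example (not from this thread or from the alerting tool) that checks every process owned by nobody the way a defender would: compare the kernel-reported executable with argv[0], flag binaries deleted from disk while still running, and ask rpm which package owns the binary and whether it still verifies. The dnsmasq command line shown above, with its --dhcp-leasefile under /var/lib/libvirt, is what libvirt starts for its default NAT network; the script lets you confirm that rather than take it on trust.

```shell
#!/bin/sh
# Inspect processes owned by "nobody": compare the kernel's view of the
# executable (/proc/<pid>/exe, not forgeable by the process) with argv[0]
# from /proc/<pid>/cmdline (which a process can rewrite), then verify the
# binary against the RPM database. Example code; assumes Linux with /proc
# and procps ps; the rpm step is skipped where rpm is not installed.

# Return 0 if argv[0] agrees with the kernel-reported executable path.
# argv[0] may be a bare name ("dnsmasq") or a full path ("/usr/sbin/dnsmasq").
# Pure string comparison, so it can be exercised without a live process.
argv0_matches_exe() {
    exe="$1"; argv0="$2"
    case "$argv0" in
        */*) [ "$argv0" = "$exe" ] ;;
        *)   [ "$argv0" = "$(basename "$exe")" ] ;;
    esac
}

# Print a one-line verdict for a single PID, plus package verification.
inspect_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo "pid $pid: no longer running"; return 1; }
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
    printf 'pid %s exe=%s argv0=%s ' "$pid" "$exe" "$argv0"
    if argv0_matches_exe "$exe" "$argv0"; then
        echo "(argv0 consistent with exe)"
    else
        echo "(ARGV0 DOES NOT MATCH EXE - investigate)"
    fi
    case "$exe" in
        *" (deleted)") echo "  binary was deleted from disk while running - investigate" ;;
    esac
    if command -v rpm >/dev/null 2>&1; then
        # rpm -V prints nothing when the installed file still matches the package.
        if pkg=$(rpm -qf "$exe" 2>/dev/null); then
            echo "  owned by package: $pkg"
            rpm -V "$pkg" | grep -F -- "$exe" || echo "  package file verifies"
        else
            echo "  NOT OWNED BY ANY PACKAGE - investigate"
        fi
    fi
}

# Same selection as "ps -U nobody -u nobody", one verdict per process.
inspect_nobody() {
    for pid in $(ps -U nobody -u nobody -o pid= 2>/dev/null); do
        inspect_pid "$pid"
    done
}
```

Run `inspect_nobody` as root; for the dnsmasq in the alert you would expect a consistent argv[0], a package owner of dnsmasq, and a clean verify.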

  2. #2
    Linux Newbie
    Join Date
    Apr 2008
    Location
    India
    Posts
    170
    hi,

    Nobody is the file ownership that is set on a PHP file for mailing,
    such as a form that you fill in on a website has nobody ownership. It's better to deny access to nobody because they can spam from your account. Do you use any control panel, such as cPanel, Plesk, or Ensim?

    check tail -f on your maillog
    try this
    ps -U nobody -u nobody
    check the crons ...
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  3. #3
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3

    Suspicious process

    Hi,

    Thx for replying

    Okay, I have an osCommerce shop on the server that uses nobody to send out mails. Could it be that?

    I don't know where to find my mail log or what to look for.

    This is what happened when I wrote the ps command

    PID TTY TIME CMD
    1176 ? 00:03:22 httpd
    1303 ? 00:03:16 httpd
    3319 ? 00:00:00 dnsmasq
    11733 ? 00:02:10 httpd
    30474 ? 00:00:22 httpd
    30923 ? 00:00:20 httpd
    30924 ? 00:00:19 httpd
    30964 ? 00:00:20 httpd
    31004 ? 00:00:20 httpd
    31007 ? 00:00:20 httpd
    31666 ? 00:00:17 httpd
    I have cPanel on server

  4. #4
    Linux Newbie
    Join Date
    Apr 2008
    Location
    India
    Posts
    170
    hey,


    check the tail -f /var/log/exim_mainlog | grep nobody

    If some of your accounts use nobody just do this

    Try this: WHM -> Tweak Settings ->
    Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)
    -> enable this to stop nobody sending emails.
    And check whether you get the mails, but your osCommerce shop will also
    fail while this option is enabled ...
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  5. #5
    Just Joined!
    Join Date
    Sep 2008
    Posts
    3

    Still no joy on suspicious process...

    Hi

    Thanks for your answer.

    I'm on OS X and opened up a terminal, but damn if I couldn't find the pipe symbol on my keyboard. If anyone knows where that is located I would like to know.

    I copy-pasted your command and got the following response

    ---
    tail: -f option only appropriate for a single file
    [Proces afbrudt - kode 1]
    ---

    huh?

    so what now?

    kindly,

    Hakabus

  6. #6
    Linux Newbie
    Join Date
    Apr 2008
    Location
    India
    Posts
    170
    just try tail -f /var/log/exim_mainlog

    and check that no mails are being blocked because nobody is disabled in WHM Tweak Settings.

    Did you get any mails after you disabled nobody in WHM
    Regards
    David Anand
    -->Success is the list of failures ...!!!

  7. #7
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    Quote Originally Posted by hakabus View Post
    Hi
    I'm on OS X and opened up a terminal, but damn if I couldn't find the pipe symbol on my keyboard. If anyone knows where that is located I would like to know.
    shift-\

    right under the 'delete' key. I think it's always there, at least on every keyboard I've seen in the US. If you're using a non-US key mapping, it might be somewhere else.
