ldf suspicious process

Morley · Jan 9, 2009

Today I received this message and I am not sure if it was an attempted email attack or spamd or spamassasin went crazy. Can anyone tell me what this looks like?
__________________________________
Time: Fri Jan 9 13:19:13 2009 -0800
PID: 22606
Account: magic
Uptime: 53530 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:42200

Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
/home/magic/.spamassassin/bayes_toks
/home/magic/.spamassassin/bayes_seen

Memory maps by the process (if any):

00111000-0011a000 r-xp 00000000 03:02 806963 /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/HTML/Parser/Parser.so
0011a000-0011b000 rwxp 00008000 03:02 806963 /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/HTML/Parser/Parser.so
0011b000-0014a000 r-xp 00000000 03:03 870679 /var/lib/spamassassin/compiled/3.002004/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
0014a000-0014b000 rwxp 0002e000 03:03 870679 /var/lib/spamassassin/compiled/3.002004/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
001b3000-001b6000 r-xp 00000000 03:02 723838 /usr/lib/perl5/5.8.8/i686-linux/auto/File/Glob/Glob.so
001b6000-001b7000 rwxp 00002000 03:02 723838 /usr/lib/perl5/5.8.8/i686-linux/auto/File/Glob/Glob.so
001b7000-00283000 r-xp 00000000 03:05 311452 /lib/tls/i686/libdb-4.2.so
00283000-00285000 rwxp 000cc000 03:05 311452 /lib/tls/i686/libdb-4.2.so
00366000-00369000 r-xp 00000000 03:02 822220 /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/BSD/Resource/Resource.so
00369000-0036a000 rwxp 00002000 03:02 822220 /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/BSD/Resource/Resource.so
00376000-00378000 r-xp 00000000 03:02 724135 /usr/lib/perl5/5.8.8/i686-linux/auto/MIME/Base64/Base64.so
00378000-00379000 rwxp 00001000 03:02 724135 /usr/lib/perl5/5.8.8/i686-linux/auto/MIME/Base64/Base64.so
003ef000-003f1000 r-xp 00000000 03:02 725200 /usr/lib/perl5/5.8.8/i686-linux/auto/Cwd/Cwd.so
003f1000-003f2000 rwxp 00001000 03:02 725200 /usr/lib/perl5/5.8.8/i686-linux/auto/Cwd/Cwd.so
00427000-00431000 r-xp 00000000 03:02 723896 /usr/lib/perl5/5.8.8/i686-linux/auto/DB_File/DB_File.so
00431000-00432000 rwxp 00009000 03:02 723896 /usr/lib/perl5/5.8.8/i686-linux/auto/DB_File/DB_File.so
0052a000-0052e000 r-xp 00000000 03:02 837549 /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/NetAddr/IP/Util/Util.so
0052e000-0052f000 rwxp 00003000 03:02 837549 /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/NetAddr/IP/Util/Util.so
00537000-0053c000 r-xp 00000000 03:02 725303 /usr/lib/perl5/5.8.8/i686-linux/auto/Time/HiRes/HiRes.so
0053c000-0053d000 rwxp 00004000 03:02 725303 /usr/lib/perl5/5.8.8/i686-linux/auto/Time/HiRes/HiRes.so
006c5000-006db000 r-xp 00000000 03:05 311416 /lib/ld-2.3.4.so
006db000-006dc000 r-xp 00015000 03:05 311416 /lib/ld-2.3.4.so
006dc000-006dd000 rwxp 00016000 03:05 311416 /lib/ld-2.3.4.so
006df000-00808000 r-xp 00000000 03:05 311433 /lib/tls/libc-2.3.4.so
00808000-0080a000 r-xp 00128000 03:05 311433 /lib/tls/libc-2.3.4.so
0080a000-0080c000 rwxp 0012a000 03:05 311433 /lib/tls/libc-2.3.4.so
0080c000-0080e000 rwxp 0080c000 00:00 0
00810000-00812000 r-xp 00000000 03:05 311456 /lib/libdl-2.3.4.so
00812000-00813000 r-xp 00001000 03:05 311456 /lib/libdl-2.3.4.so
00813000-00814000 rwxp 00002000 03:05 311456 /lib/libdl-2.3.4.so
00816000-00837000 r-xp 00000000 03:05 311461 /lib/tls/libm-2.3.4.so
00837000-00838000 r-xp 00020000 03:05 311461 /lib/tls/libm-2.3.4.so
00838000-00839000 rwxp 00021000 03:05 311461 /lib/tls/libm-2.3.4.so
0084d000-0085b000 r-xp 00000000 03:05 311447 /lib/tls/libpthread-2.3.4.so
0085b000-0085c000 r-xp 0000d000 03:05 311447 /lib/tls/libpthread-2.3.4.so
0085c000-0085d000 rwxp 0000e000 03:05 311447 /lib/tls/libpthread-2.3.4.so
0085d000-0085f000 rwxp 0085d000 00:00 0
00861000-00869000 r-xp 00000000 03:05 311513 /lib/libcrypt-2.3.4.so
00869000-0086a000 r-xp 00007000 03:05 311513 /lib/libcrypt-2.3.4.so
0086a000-0086b000 rwxp 00008000 03:05 311513 /lib/libcrypt-2.3.4.so
0086b000-00892000 rwxp 0086b000 00:00 0
00894000-008a7000 r-xp 00000000 03:05 311498 /lib/libnsl-2.3.4.so
008a7000-008a8000 r-xp 00012000 03:05 311498 /lib/libnsl-2.3.4.so
008a8000-008a9000 rwxp 00013000 03:05 311498 /lib/libnsl-2.3.4.so
008a9000-008ab000 rwxp 008a9000 00:00 0
00914000-00917000 r-xp 00000000 03:02 724144 /usr/lib/perl5/5.8.8/i686-linux/auto/Sys/Syslog/Syslog.so
00917000-00918000 rwxp 00002000 03:02 724144 /usr/lib/perl5/5.8.8/i686-linux/auto/Sys/Syslog/Syslog.so
009df000-009e4000 r-xp 00000000 03:02 724519 /usr/lib/perl5/5.8.8/i686-linux/auto/List/Util/Util.so
009e4000-009e5000 rwxp 00004000 03:02 724519 /usr/lib/perl5/5.8.8/i686-linux/auto/List/Util/Util.so
00a24000-00a28000 r-xp 00000000 03:02 725305 /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/version/vxs/vxs.so
00a28000-00a29000 rwxp 00003000 03:02 725305 /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/version/vxs/vxs.so
00aaa000-00ab3000 r-xp 00000000 03:05 311367 /lib/libnss_files-2.3.4.so
00ab3000-00ab4000 r-xp 00008000 03:05 311367 /lib/libnss_files-2.3.4.so
00ab4000-00ab5000 rwxp 00009000 03:05 311367 /lib/libnss_files-2.3.4.so
00b75000-00b77000 r-xp 00000000 03:05 311520 /lib/libutil-2.3.4.so
00b77000-00b78000 r-xp 00001000 03:05 311520 /lib/libutil-2.3.4.so
00b78000-00b79000 rwxp 00002000 03:05 311520 /lib/libutil-2.3.4.so
00c3e000-00c41000 r-xp 00000000 03:02 723872 /usr/lib/perl5/5.8.8/i686-linux/auto/Fcntl/Fcntl.so
00c41000-00c42000 rwxp 00002000 03:02 723872 /usr/lib/perl5/5.8.8/i686-linux/auto/Fcntl/Fcntl.so
00c66000-00c6e000 r-xp 00000000 03:05 311462 /lib/tls/librt-2.3.4.so
00c6e000-00c6f000 r-xp 00007000 03:05 311462 /lib/tls/librt-2.3.4.so
00c6f000-00c70000 rwxp 00008000 03:05 311462 /lib/tls/librt-2.3.4.so
00c70000-00c7a000 rwxp 00c70000 00:00 0
00cf7000-00cfb000 r-xp 00000000 03:02 820844 /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/Digest/SHA1/SHA1.so
00cfb000-00cfc000 rwxp 00003000 03:02 820844 /usr/lib/perl5/site_perl/5.8.7/i686-linux/auto/Digest/SHA1/SHA1.so
00d4a000-00d60000 r-xp 00000000 03:02 723971 /usr/lib/perl5/5.8.8/i686-linux/auto/POSIX/POSIX.so
00d60000-00d61000 rwxp 00015000 03:02 723971 /usr/lib/perl5/5.8.8/i686-linux/auto/POSIX/POSIX.so
00e3c000-00e40000 r-xp 00000000 03:02 723966 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
00e40000-00e41000 rwxp 00003000 03:02 723966 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
00efc000-00efe000 r-xp 00000000 03:02 822172 /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Net/DNS/DNS.so
00efe000-00eff000 rwxp 00001000 03:02 822172 /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Net/DNS/DNS.so
00faf000-00fb2000 r-xp 00000000 03:02 723878 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
00fb2000-00fb3000 rwxp 00002000 03:02 723878 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
08047000-08115000 r-xp 00000000 03:02 1100988 /usr/bin/perl
08115000-0811e000 rw-p 000ce000 03:02 1100988 /usr/bin/perl
0811e000-08120000 rw-p 0811e000 00:00 0
09b49000-0ba18000 rw-p 09b49000 00:00 0
b7d98000-b7e4a000 rw-p b7d98000 00:00 0
b7e6e000-b7eb3000 rw-p b7e6e000 00:00 0
b7eb3000-b7ee7000 rw-p b7f73000 00:00 0
b7f21000-b7f69000 rw-p b7f21000 00:00 0
b7f69000-b7f9d000 rw-p b7f9d000 00:00 0
b7fc9000-b7fcc000 rw-p b7fc9000 00:00 0
bfebd000-c0000000 rw-p bfebd000 00:00 0
ffffe000-fffff000 r-xp 00000000 00:00 0

BMCK · Jan 9, 2009

I received the same messages today...

Infopro · Jan 9, 2009

Wrong forum, try here.

rharvey32 · Jan 10, 2009

ldf fix for spamd and awstats.pl

this is what I did and it fixed it.
choose firewall
choose ldf process ignore.

then add these to your list.

exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 3.0 /usr/local/cpanel/3rdparty/bin/awstats.pl
exe:/usr/bin/perl cmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats.pl
cmd:/usr/local/cpanel/bin/logrunner 3.0 /usr/local/cpanel/3rdparty/bin/awstats.pl
cmd:spamd child
exe:/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm

Thread starter	Similar threads	Forum	Replies	Date
3	RKhunter - Warning: Suspicious file types found in /dev:	Security	3	Jun 19, 2023
J	ldf excessive resource usage	Security	1	May 2, 2023
	lfd - Suspicious process running under user nobody	Security	5	Oct 27, 2022
	LFD - Suspicious process running under user postgres	Security	7	May 30, 2022
J	lfd on server.com: Suspicious process running under user username	Security	6	May 2, 2022

Search

Search

ldf suspicious process

Morley

Well-Known Member

BMCK

Member

Infopro

Well-Known Member

rharvey32

Member