  1. #1

    Strange warning emails

    Hi,
    We have just moved over to a dedicated from a semi, and on the new server we are starting to see a largish number of emails; there are 2 per customer's account.
    The first has the subject line: lfd on host.*****.net: Suspicious process running under user **customer account name*****

    and the email is:
    Time: Wed May 13 16:35:45 2009 +0100
    Account: **OUR CUSTOMERS ACCOUNT NAME**
    Resource: Process Time
    Exceeded: 25286 > 1800 (seconds)
    Executable: /usr/bin/perl
    Command Line: spamd child
    PID: 11365
    Killed: No


    And the second has the subject line: lfd on host.****.net: Excessive resource usage: ***customer account name*** (11365)
    The first part of the body of the message (the rest seems to be memory maps):

    Time: Wed May 13 16:35:45 2009 +0100
    PID: 11365
    Account: ***CUSTOMERS ACCOUNT NAME**
    Uptime: 25286 seconds


    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:40411
    udp: 78.129.xxx.xxx:54242 -> 87.117.198.200:53


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm

    Now we brought this up with dedicated support and the first response was "They are sending our spam, block their account and email them over", and when we tried to explain that it was not just one or two accounts we got a different reply.

    Anyway, looking at the second email, this looks like a DNS lookup on port 53 and seems to be SpamAssassin, so an email DNS lookup??

    Any ideas?

  2. #2

    Hello vivaciti,

    There were two accounts sending spam emails on your server, due to which you received such alert emails. You have enabled the "suspicious process" tracking option in the CSF configuration. This option enables tracking of user and nobody processes and examines them for suspicious executables or open network ports. Its purpose is to identify potential exploit processes that are running on the server, even if they are obfuscated to appear as system services. If a suspicious process is found, an alert email is sent with relevant information.

    I have replied to your old ticket with full logs, kindly please check and get back to us in the same ticket if you have any further queries.
    Thanks and Regards,
    Alex Parker
    Senior System Administrator.
    Dedicated Hosting || Semi Dedicated Hosting|Disaster Recovery Solutions

    EMAIL:alex @ eukhost.com
    MSN: alex @ eukhost.com
    SKYPE: euk_alexp
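
An added example, not part of either post and not CSF/lfd code: a small triage script that parses the "Excessive resource usage" alert body quoted in the first post and notes which fields deserve a closer look. The function names, the command-line-versus-open-files heuristic and the abridged sample are assumptions made for illustration.

```python
import re

# Alert body abridged from the first post: header fields trimmed and blank
# lines dropped; addresses are as shown (masked) in the post.
SAMPLE = """Time: Wed May 13 16:35:45 2009 +0100
PID: 11365
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:40411
udp: 78.129.xxx.xxx:54242 -> 87.117.198.200:53
Files open by the process (if any):
/dev/null
/usr/bin/spamd
"""

SECTIONS = {"Executable": "exe", "Command Line": "cmd",
            "Network connections": "net", "Files open": "files"}
CONN = re.compile(r"(tcp|udp): (\S+):(\d+) -> (\S+):(\d+)")

def parse_alert(body):
    """Group the lines of an lfd alert body under its section headings."""
    out, current = {v: [] for v in SECTIONS.values()}, None
    for line in filter(None, (l.strip() for l in body.splitlines())):
        key = next((v for k, v in SECTIONS.items() if line.startswith(k)), None)
        if key and line.endswith(":"):
            current = key
        elif current:
            out[current].append(line)
    return out

def triage(body):
    """Return notes on what in the alert deserves a closer look."""
    a, notes = parse_alert(body), []
    # The command line can be faked, so check it against the files held open.
    name = a["cmd"][0].split()[0] if a["cmd"] else ""
    if name and not any(f.endswith("/" + name) for f in a["files"]):
        notes.append(f"command line '{name}' matches no open file")
    for proto, lip, lport, rip, rport in CONN.findall("\n".join(a["net"])):
        if rip.startswith("127.") or rip == "0.0.0.0":
            continue  # loopback traffic or a listening socket
        if (proto, rport) == ("udp", "53"):
            notes.append(f"DNS lookup to {rip}")
        else:
            notes.append(f"review {proto} {lip}:{lport} -> {rip}:{rport}")
    return notes
```

Calling `triage(SAMPLE)` returns only the DNS lookup note; an alert whose command line matches none of its open files, or that shows a non-DNS connection to a remote host, produces additional notes.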
