Dicko_md Posted July 16, 2013

Hi

I wonder if you can help. I have taken over a webhosting company and since I have taken over I have had the blackhole exploit malware which I have fixed and now I have had over 3,000 emails sent from nobody@server1.mydomain.co.uk

I have substituted the cpanel logon name with USER also.

Is this related to the blackhole exploit or something separate and if it can be fixed....... how as I am still finding my feet.

Thanks in Advance

Martyn

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

nobody@server1.mydomain.co.uk
retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <root@server1.mydomain.co.uk>
Received: from root by server1.mydomain.co.uk with local (Exim 4.80.1) (envelope-from <root@server1.mydomain.co.uk>) id 1UzCGh-000657-7g for nobody@server1.mydomain.co.uk; Tue, 16 Jul 2013 21:54:44 +0100
To: nobody@server1.mydomain.co.uk
Subject: lfd on server1.mydomain.co.uk: LOCALRELAY Alert for eclipse2
From: <root@server1.mydomain.co.uk>
Message-Id: <E1UzCGh-000657-7g@server1.mydomain.co.uk>
Date: Tue, 16 Jul 2013 21:54:43 +0100

Time: Tue Jul 16 21:54:43 2013 +0100
Type: LOCALRELAY, Local Account - eclipse2
Count: 101 emails relayed
Blocked: No

Sample of the first 10 emails:

2013-07-16 21:53:25 1UzCFP-0005jj-LE <= USER@server1.mydomain.co.uk U=USER P=local S=1143 id=hlvhlej@wkoy.nmzy T="=?utf-8?B?0JfQsNC50LzRg9GB0Ywg0L/QvtC40YHQutC+0Lwg0LfQsNC60LDQt9GH0LjQutC+0LI=?=" for murrmyau@mail.ru
2013-07-16 21:53:26 1UzCFQ-0005jx-Ev <= USER@server1.mydomain.co.uk U=USER P=local S=1094 id=diaopfa@uqfx.difn T="\320\240 \320\220 \320\241 C \320\253 \320\233 K \320\230" for pearppap@gmail.com
2013-07-16 21:53:26 1UzCFQ-0005k1-Gr <= USER@server1.mydomain.co.uk U=USER P=local S=1159 id=abkcagy@ishe.cvqi T="=?utf-8?B?0JfQsNC50LzRg9GB0Ywg0L/QvtC40YHQutC+0Lwg0LfQsNC60LDQt9GH0LjQutC+0LI=?=" for murmansk@rosteck.ru
2013-07-16 21:53:26 1UzCFR-0005kF-34 <= USER@server1.mydomain.co.uk U=USER P=local S=1130 id=kizucvx@bwoh.kmvu T="\320\235\320\260\320\271\320\264\321\203 \320\272\320\273\320\270\320\265\320\275\321\202\3 20\276\320\262 \320\264\320\273\321\217 \320\222\320\260\321\201" for murrnong@yandex.ru
2013-07-16 21:53:26 1UzCFS-0005kg-4T <= USER@server1.mydomain.co.uk U=USER P=local S=1133 id=bpxtsrv@yglc.hvkz T="=?utf-8?B?0KMg0L3QsNGBINC+0LHQvdC+0LLQu9C10L3RiyDQsNC00Y DQtdGB0LAg0L/QvtC70YzQt9C+0LLQsNGC0LXQu9C10L" for pearremepbitt@nimail.com
2013-07-16 21:53:27 1UzCFS-0005ko-GR <= USER@server1.mydomain.co.uk U=USER P=local S=1166 id=apzzwoz@vson.laqg T="=?utf-8?B?0JfQsNC50LzRg9GB0Ywg0L/QvtC40YHQutC+0Lwg0L/QvtC60YPQv9Cw0YLQtdC70LXQuQ==?=" for murrochka-26@list.ru
2013-07-16 21:53:30 1UzCFS-0005kn-Hg <= USER@server1.mydomain.co.uk U=USER P=local S=1145 id=tbxdywd@xjxe.viez T="=?utf-8?B?0JrQu9C40LXQvdGC0Ysg0LTQu9GPINCS0LDRiNC10LPQvi DQsdC40LfQvdC10YHQsA==?=" for murmansk@rostekn-w.ru
2013-07-16 21:53:31 1UzCFS-0005lE-VI <= USER@server1.mydomain.co.uk U=USER P=local S=1166 id=qrgoepp@fwqu.ltwb T="k\320\273\320\270e\320\275\321\202\321\213 o\321\207e\320\275\321\214 \320\275y\320\266\320\275\321\213" for pearreuff@gmail.com
2013-07-16 21:53:31 1UzCFW-0005ly-Cx <= USER@server1.mydomain.co.uk U=USER P=local S=1189 id=tsgvfqt@jjos.menm T="=?utf-8?B?0J/QvtC40YHQuiDQutC70LjQtdC90YLQvtCyINC00LvRjyDQktCw0 YjQtdCz0L4g0LHQuNC30L3QtdGB0LA=?=" for murmansk@rsn51.ru
2013-07-16 21:53:31 1UzCFT-0005li-T3 <= USER@server1.mydomain.co.uk U=USER P=local S=1177 id=wjxkvrz@qkmr.uyvu T="=?utf-8?B?0JLQvtC30YzQvNGDINC90LAg0YHQtdCx0Y8g0L/QvtC40YHQuiDQv9C+0LrRg9C/0LDRgtC10LvQtdC5?=" for murroubsist@mail.ru

lance Posted July 16, 2013

Look at the account eclipse2, change the cpanel pass then look at any files that are uploaded to the public_html area.

Is it a cpanel server?

- - - Updated - - -

If using cpanel server check the following :-

In root whm, go to tweak settings > mail > look for prevent “nobody” from sending email is on.

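Added example, not written by any poster in this thread: one way to tally the `<=` arrival lines that an lfd LOCALRELAY alert samples (as in the first post) per local account, so the sending account, its volume and its decoded subjects can be read off the Exim main log. It assumes the default log line layout shown in that alert; the sample lines, the threshold and all function names are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from email.header import decode_header
from email.errors import HeaderParseError

# Constructed sample in the shape of the "<=" arrival lines quoted in the alert;
# accounts, message ids, hosts and subjects are made up for this example.
SAMPLE_LOG = r'''
2013-07-16 21:53:25 1AAAAA-000001-AA <= acct1@host.example U=acct1 P=local S=1143 id=aaaa@bbbb.cccc T="=?utf-8?B?SGVsbG8gd29ybGQ=?=" for r1@example.com
2013-07-16 21:53:26 1AAAAA-000002-AA <= acct1@host.example U=acct1 P=local S=1094 id=dddd@eeee.ffff T="\320\240 \320\220" for r2@example.net
2013-07-16 21:53:27 1AAAAA-000003-AA <= acct1@host.example U=acct1 P=local S=1159 id=gggg@hhhh.iiii T="=?utf-8?B?SGVsbG8gd29ybGQ=?=" for r3@example.org
2013-07-16 21:54:02 1AAAAA-000004-AA <= bob@client.example H=mail.client.example [192.0.2.10] P=esmtpa A=dovecot_login:bob@client.example S=2210 id=1234@client.example T="Invoice" for alice@example.com
2013-07-16 21:54:10 1AAAAA-000005-AA => r1@example.com R=lookuphost T=remote_smtp H=mx.example.com [192.0.2.25]
2013-07-16 21:55:40 1AAAAA-000006-AA <= acct2@host.example U=acct2 P=local S=800 id=5678@host.example T="Contact form" for owner@example.com
'''.strip().splitlines()

ARRIVAL = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) <= (\S+)(.*)$')
SUBJECT = re.compile(r' T="((?:[^"\\]|\\.)*)"')  # tolerates \" inside the subject
OCTAL = re.compile(rb'\\([0-3][0-7]{2})')         # raw 8-bit bytes are logged as \ooo


def decode_subject(raw):
    """Turn a logged T= value into readable text (octal escapes, then RFC 2047)."""
    data = OCTAL.sub(lambda m: bytes([int(m.group(1), 8)]), raw.encode("utf-8"))
    text = data.decode("utf-8", "replace")
    try:
        return "".join(
            part.decode(charset or "ascii", "replace") if isinstance(part, bytes) else part
            for part, charset in decode_header(text)
        )
    except (HeaderParseError, LookupError, ValueError):
        return text  # truncated or malformed encoded-word: keep it as logged


def parse_arrival(line):
    """Parse one Exim main-log arrival ("<=") line; return None for other lines."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    stamp, msgid, sender, rest = m.groups()
    sm = SUBJECT.search(rest)
    # The subject is sender-controlled, so U=/P= are read only from the text
    # before it and the recipients only from the text after it.
    head, tail = (rest[:sm.start()], rest[sm.end():]) if sm else (rest, rest)
    user = re.search(r' U=(\S+)', head)
    proto = re.search(r' P=(\S+)', head)
    rcpts = re.search(r' for (.+)$', tail)
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
        "msgid": msgid,
        "sender": sender,
        "user": user.group(1) if user else None,
        "protocol": proto.group(1) if proto else None,
        "subject": decode_subject(sm.group(1)) if sm else None,
        "recipients": rcpts.group(1).split() if rcpts else [],
    }


def summarize_local_senders(lines, threshold=100):
    """Count P=local submissions per U= account; flag accounts at or over threshold."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_arrival(line)
        if rec and rec["protocol"] == "local" and rec["user"]:
            seen[rec["user"]].append(rec)
    report = {}
    for user, recs in seen.items():
        times = [r["time"] for r in recs]
        report[user] = {
            "count": len(recs),
            "recipients": len({a for r in recs for a in r["recipients"]}),
            "subjects": sorted({r["subject"] for r in recs if r["subject"]}),
            "span_seconds": (max(times) - min(times)).total_seconds(),
            "flagged": len(recs) >= threshold,
        }
    return report


if __name__ == "__main__":
    for user, row in summarize_local_senders(SAMPLE_LOG, threshold=3).items():
        print(user, row)
```

Lines with `P=local` were handed to Exim by a process on the server itself (a script running as the `U=` account), which is why the count is grouped by `U=` rather than by the envelope sender.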
WHMCS Chris Posted July 16, 2013

> If using cpanel server check the following :-
>
> In root whm, go to tweak settings > mail > look for prevent “nobody” from sending email is on.

If you disable nobody from sending email, please ensure that you are using the SMTP mail option to email your clients in WHMCS as WHM will block WHMCS from sending mail with that option enabled.

Dicko_md Posted July 17, 2013

Hi

Thanks, will reset the password. I tried changing the nobody@ option but that didn't work. I'll try again when I change eclipse2 password.

I'll also look at the SMTP settings also.

Thanks again

Martyn

Dicko_md Posted July 18, 2013

Hi

I reset the password of eclipse2 and that didn't work so I have deleted all of the site and just left the whmcs software on the site, no wordpress as before. I have also cleared the email queue down and deleted the eclipse2 account and reset up the sales email.

This worked for a while but after a couple of hours I started getting the emails again. I now have had over 500 in less than a day.

Any other ideas?

Thanks

Martyn

Dicko_md Posted July 19, 2013

Any ideas as this is blocking my IP also and emails I want to send are not getting to my customers?

Could this be 3rd party scripts and if so how can I get users to remove it?

Thanks

Martyn

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

nobody@server1.domainname.co.uk
retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <root@server1.domainname.co.uk>
Received: from root by server1.domainname.co.uk with local (Exim 4.80.1) (envelope-from <root@server1.domainname.co.uk>) id 1V03q7-000061-Pc for nobody@server1.domainname.co.uk; Fri, 19 Jul 2013 07:06:52 +0100
To: nobody@server1.domainname.co.uk
Subject: lfd on server1.domainname.co.uk: Excessive resource usage: fleecewi (16165 (Parent PID:11026))
From: <root@server1.domainname.co.uk>
Message-Id: <E1V03q7-000061-Pc@server1.domainname.co.uk>
Date: Fri, 19 Jul 2013 07:06:51 +0100

Time: Fri Jul 19 07:06:51 2013 +0100
Account: fleecewi
Resource: Process Time
Exceeded: 19320 > 900 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: spamd child
PID: 16165 (Parent PID:11026)
Killed: No

Dicko_md Posted July 19, 2013

another email back saying

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

nobody@server1.domainname.co.uk
retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <root@server1.domainname.co.uk>
Received: from root by server1.domainname.co.uk with local (Exim 4.80.1) (envelope-from <root@server1.domainname.co.uk>) id 1V03q7-00005v-Dl for nobody@server1.domainname.co.uk; Fri, 19 Jul 2013 07:06:51 +0100
To: nobody@server1.eclipse2000hosting.co.uk
Subject: lfd on server1.domainname.co.uk: Suspicious process running under user fleecewi
From: <root@server1.domainname.co.uk>
Message-Id: <E1V03q7-00005v-Dl@server1.domainname.co.uk>
Date: Fri, 19 Jul 2013 07:06:51 +0100

Time: Fri Jul 19 07:06:51 2013 +0100
PID: 16165 (Parent PID:11026)
Account: fleecewi
Uptime: 19320 seconds
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits): spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:53927
udp: 188.94.75.23:27337 -> 188.94.75.241:53

Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/local/cpanel/3rdparty/perl/514/bin/spamd
/tmp/.spamassassin16165rI8PfMtmp

Memory maps by the process (if any):

lance Posted July 19, 2013

is your server managed or unmanaged?

Dicko_md Posted July 19, 2013

Unmanaged. It's in a data centre. My friend has had the hosting for the last few years but I have taken over. It's a bit of a baptism of fire as I've helped him in the past and we've had nothing like this.

Dicko_md Posted July 19, 2013

I've read that one of the reasons is because some of these emails that are coming through are because the previous version of cpanel didn't have this as it's recently new. I am on version whmcs 5.25 and whm 11.38.1

The fix was to run this command but I'm not sure how and where

exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

Thanks

Martyn

lance Posted July 19, 2013 (edited)

That would look like it goes in the csf excludes file, try this

1. Log into Web Host manager (WHM)
2. Click on "ConfigServer Security & Firewall" on the left side of the page at the bottom
3. Click on "lfd Process Ignore or csf.pignore" in the "lfd - Login Failure Daemon" section
4. Add the following line to the list and click "Change":
   exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
5. Click the "Restart lfd" button

Edited July 19, 2013 by lance

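Added example, not from any poster in this thread and not code from the csf project: a check of which csf.pignore entries would apply to a given lfd "Suspicious process" alert, useful before and after editing the ignore list. It assumes `exe:`, `user:` and `cmd:` entries are exact string matches against the alert's Executable, Account and Command Line fields; the alert layout and the `cmd:` entry are constructed, the field values and the `exe:` entry are the ones quoted in the thread, and the function names are made up here.

```python
import re

# Constructed layout; the values are those shown in the "Suspicious process"
# alert quoted earlier in this thread.
SAMPLE_ALERT = """\
Time: Fri Jul 19 07:06:51 2013 +0100
PID: 16165 (Parent PID:11026)
Account: fleecewi
Uptime: 19320 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):

spamd child
"""

# The entry proposed in the thread, plus one constructed cmd: entry for contrast.
SAMPLE_PIGNORE = """\
# csf.pignore excerpt
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
cmd:spamd child
"""

KEY = re.compile(r'^([A-Za-z][A-Za-z ]*(?:\([^)]*\))?):\s*(.*)$')


def parse_alert(text):
    """Return the alert's fields as a dict keyed by lower-cased field name.

    Accepts both "Key: value" on one line and "Key:" followed by the value
    on the next non-empty line.
    """
    fields, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:          # value for a "Key:" seen earlier
            fields[pending] = line
            pending = None
            continue
        m = KEY.match(line)
        if not m:
            continue
        # "Command Line (often faked in exploits)" -> "command line"
        key = re.sub(r'\s*\(.*\)$', '', m.group(1)).strip().lower()
        if m.group(2):
            fields[key] = m.group(2)
        else:
            pending = key
    return fields


def load_pignore(text):
    """Return (kind, value) pairs for the exact-match entry kinds handled here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        if kind in ("exe", "user", "cmd") and value:
            rules.append((kind, value))
    return rules


def matching_rules(alert, rules):
    """List the ignore entries that match this alert exactly."""
    subject = {
        "exe": alert.get("executable"),
        "user": alert.get("account"),
        # The alert itself labels this field as something a process can fake,
        # so a cmd: match is weaker evidence than an exe: match.
        "cmd": alert.get("command line"),
    }
    return [f"{kind}:{value}" for kind, value in rules if subject.get(kind) == value]


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(matching_rules(alert, load_pignore(SAMPLE_PIGNORE)))
```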
Dicko_md Posted July 20, 2013

Lance

Thank you for that. I will let you know how that goes.

Regards

Martyn

lance Posted July 20, 2013

have sent you a pm for if you get stuck

Dicko_md Posted July 21, 2013 (edited)

Hi Lance.

Sorry for the delay in reply. I can't see the PM but thanks. Could you try again please?

I don't seem to have the run the above on csf.pignore, process tracking on all 3 servers and it's not done anything yet. Should this be instant?

Am I under attack or is this just a result of cpanel upgrades with new features turned on that I don't have?

I have various emails and they all say various things like the ones above but I have also seen a

Time: Sat Jul 20 10:35:14 2013 +0100
PID: 14339 (Parent PID:11026)
Account: kingdom
Uptime: 19519 seconds
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits): spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:23698

Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/local/cpanel/3rdparty/perl/514/bin/spamd
/home/kingdom/.spamassassin/bayes_toks
/home/kingdom/.spamassassin/bayes_seen

Memory maps by the process (if any):

Thanks

Martyn

Edited July 21, 2013 by Dicko_md
Dicko_md Posted July 21, 2013

another email is

Time: Sat Jul 20 12:10:07 2013 +0100
Account: cheriesc
Resource: Process Time
Exceeded: 87577 > 1800 (seconds)
Executable: /usr/bin/php
Command Line: /usr/bin/php /home/cheriesc/public_html/index.php
PID: 24355 (Parent PID:24189)
Killed: No
lance Posted July 21, 2013

Have tried again, don't seem to go to my sent items though, not sure if they got to you...... try sending me a PM
And then there was one les Posted July 23, 2013

Hi, just a quick note: there was a second username in your email copy, fleecewi was there, check that account also.

Another solution, and most datacentres will do this for free or at the least a nominal fee: ask them to run a security/exploit scan on your servers. This should pull up anything that shouldn't be there; often they will deal with these for you as part of the service.

I know this might seem like a pain in the backside, but depending upon how many accounts are on these servers you might find it takes less time to check the accounts and move them to a known good server when you know they are clean. Once you have those clean accounts safe you can look at the rest and figure out what is causing the issue exactly and consider eliminating those clients.
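The per-account check suggested above can be run against the Exim main log that the alert e-mail quotes. This is an added example, not part of the original posts: it tallies `P=local` arrivals per `U=` user and flags bursts. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Arrival ("<=") line layout as in the log sample quoted in the alert e-mail.
ARRIVAL = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ (.*)$')

def parse_arrival(line):
    """Return (timestamp, unix_user, recipients) for a P=local arrival, else None."""
    m = ARRIVAL.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    # id= and T= carry sender-controlled text: trust only U=/P= logged before them.
    head = re.split(r' (?:id=|T=")', rest, maxsplit=1)[0]
    user = re.search(r'(?:^| )U=(\S+)', head)
    proto = re.search(r'(?:^| )P=(\S+)', head)
    if not user or not proto or proto.group(1) != 'local':
        return None
    rcpts = rest.rsplit(' for ', 1)[1].split() if ' for ' in rest else []
    return datetime.strptime(ts, '%Y-%m-%d %H:%M:%S'), user.group(1), rcpts

def burst_senders(lines, limit=100, window=timedelta(hours=1)):
    """Map users with more than `limit` local sends in any `window` to (peak, distinct rcpts)."""
    stamps, rcpts = defaultdict(list), defaultdict(set)
    for line in lines:
        if (rec := parse_arrival(line)):
            stamps[rec[1]].append(rec[0])
            rcpts[rec[1]].update(rec[2])
    flagged = {}
    for user, times in stamps.items():
        times.sort()
        peak = start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[user] = (peak, len(rcpts[user]))
    return flagged

# Constructed sample lines (not from the thread); accounts and hosts are made up.
SAMPLE = """\
2013-07-16 21:53:25 1AAAAA-000001-AA <= acct_a@host.example U=acct_a P=local S=1143 id=a1@x.example T="s1" for r1@example.com
2013-07-16 21:53:26 1AAAAA-000002-BB <= acct_a@host.example U=acct_a P=local S=1094 id=a2@x.example T="s2" for r2@example.com
2013-07-16 21:53:26 1AAAAA-000003-CC <= acct_a@host.example U=acct_a P=local S=1159 id=a3@x.example T="offer for you" for r1@example.com
2013-07-16 21:54:02 1AAAAA-000004-DD <= acct_b@host.example U=acct_b P=local S=800 id=b1@x.example T="hello" for r9@example.com
2013-07-16 21:54:10 1AAAAA-000005-EE <= out@example.net H=mx.example.net [192.0.2.10] P=esmtp S=900 T="U=acct_b P=local" for u@example.org
""".splitlines()
```

Feeding it the real main log instead of `SAMPLE` lists every account that crossed the threshold, so a second compromised user is not missed when only the first one is named in an alert subject.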
lance Posted July 23, 2013

CJD, I had a peek at the server, csf firewall needed tweaking and nobody mail was set wrong... hopefully things are a lot better now.... The servers are unmanaged, but if needs malware scanners etc installed will gladly install for Dicko_md.

Lance