Solved

What does it mean "Suspicious process running under user mailnull"

Posted on 2015-02-24
16
564 Views
Last Modified: 2016-09-25
I receive this alert from my WHM panel.
What does it mean? Do I have to do anything?

lfd on fff: Suspicious process running under user mailnull

Time:    Tue Feb 24 10:51:17 2015 +0200
PID:     29327 (Parent PID:29324)
Account: mailnull
Uptime:  74 seconds


Executable:

/home/virtfs/fff/usr/sbin/exim


Command Line (often faked in exploits):

/usr/sbin/exim -Mc 1YQBBq-000004-Pv


Network connections by the process (if any):

tcp: 89.19.23.155:53717 -> 89.19.23.155:110
tcp: 89.19.23.154:55920 -> 91.102.160.103:25


Files open by the process (if any):

/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-D
/home/virtfs/fff/tmp/tmpfqsXsdu (deleted)
/home/virtfs/fff/var/log/exim_mainlog
/home/virtfs/fff/var/spool/exim/msglog/q/1YQBBq-000004-Pv
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-J
/home/virtfs/fff/etc/mailips
/home/virtfs/fff/etc/mailhelo
0
Comment
Question by:myyis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +1
16 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40627940
Your server is sending and/or receiving mail (pop/smtp). Are you aware of this? Did you have some email functions enabled? Some website forms/scripts?
If NOT, you have to find out why you are sending/receiving emails. If yes, check those IP numbers (if they are where you want to connect to), or check other email logs if those are from "correct" email, or from spam/malware.
0
 

Author Comment

by:myyis
ID: 40627950
Yes the server sends emails
1. When users are assigned to some tasks
2. Password reset emails
etc.

But I have received this warning only once. Everyday dozens of emails are sent. May be an email my server sent was treated like a spam. Is that the case?
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40627965
As long as you know this IP: 91.102.160.103 as being from a server from someone you needed to contact, you don't need to worry.
If you still don't trust it, find the message file 1YQBBq-000004 and read what's inside (if file still available). If not available try to get the recipients email address from the logs to see if it's someone you know.
0
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

 

Author Comment

by:myyis
ID: 40627982
At whm  I found the details of the mail. Everything seems ok. So why I received that email?

Event:      success
Sender User:      fff
Sender Domain:      tr1.fff.com
Sender:      ff@tr8.fff.com
Sent Time:      Feb 24, 2015 10:50:10 AM
Sender Host:      localhost
Sender IP:      127.0.0.1
Authentication:      localuser
Spam Score:      0
Recipient:      nurvet@hhh.com.tr
Delivered To:      nurvet@hhh.com.tr
deliveryuser:      -remote-
deliverydomain:      
Router:      lookuphost
Transport:      remote_smtp
Out Time:      Feb 24, 2015 10:51:10 AM
ID:      1YQBBq-000004-Pv
Delivery Host:      mail.hhh.com.tr
Delivery IP:      91.102.160.103
Size:      15.84 KB
Result:      Message accepted
0
 
LVL 35

Accepted Solution

by:
Kimputer earned 250 total points
ID: 40628009
I suspect this happened after a reboot?
While I don't know the exact reason, it's just one of those pre-programmed warning systems, of which the rules you may or may not figure out in time. There rules aren't like magic, and are probably fixed. See it as a false-positive that can happen once in a while, where your normal operation clashes with the warning system.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629203
It means you have been hacked.
Exim does in no case connect to 110/tcp aka POP3.
0
 

Author Comment

by:myyis
ID: 40629390
Hi gheist,
What do you suggest me to do. How can clean it up, any comment?
Thank you.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631147
Capture spool file of
1YQBBq-000004-Pv
It has the exploit.
and upgrade exim and glibc.
0
 

Author Comment

by:myyis
ID: 40631612
I have checked it again and saw nothing weird at the php file.
 I got the warning only once but the mail (1YQBBq-000004-Pv)  and dozens of similar mails are sent automatically  to the same recipient and recipients . Everything seems normal.

This is the function that sends the emails. Is there anything strange with that?

function SendEmail($to, $from, $body, $subject)
{
      $headers = "From: " . $from . "\n";
      $headers .= 'MIME-Version: 1.0' . "\n";
      $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\n";
      mail ($to, $subject, $body, $headers);
}
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631635
Do you sanitize parameters?
0
 

Author Comment

by:myyis
ID: 40631650
Yeah that may be the  point, the body is inserted by the user. Do you suggest anything to sanitize?
And what you say about the Exim and 110/tcp? Do you see anything weird?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40631663
You need to trace  one PHP mail() call on exim
Or just break blind command posting by adding 1s delay to each SMTP response.
I think it posts by /usr/lib/sendmail, so make sure you escape each field to the level sendmail command can clean up later.
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41813987
I'm surprised at all these comments and yet this is the "experts exchange"

That is just a CSF Firewall warning to say that it has detected a file that is not registered by default on the operating system , mailnull which happens to be a spam control engine .

All you have to do to fix these emails from coming in is to add exim to the ignore list


On the ConfigServer Security & Firewall plugins page,
scroll down until you see"lfd - Login Failure Daemon" section,
just below "lfd restart" button,
there is a dropdown menu
select "csf.pignore, Process Tracking" & click edit,
at the end of the file add exim to the ignore list

exe:/home/virtfs/fff/usr/sbin/exim

That should solve the problem
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814009
Explain what EXIM has to do with port 110...
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41814379
Port 110 is for pop3 , do i need to explain what exim has to do with pop3 ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814394
Yes, exim does not implement pop3 server or pop3 client.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
Suggested Courses

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question