Solved

What does it mean "Suspicious process running under user mailnull"

Posted on 2015-02-24
16
584 Views
Last Modified: 2016-09-25
I receive this alert from my WHM panel.
What does it mean? Do I have to do anything?

lfd on fff: Suspicious process running under user mailnull

Time:    Tue Feb 24 10:51:17 2015 +0200
PID:     29327 (Parent PID:29324)
Account: mailnull
Uptime:  74 seconds


Executable:

/home/virtfs/fff/usr/sbin/exim


Command Line (often faked in exploits):

/usr/sbin/exim -Mc 1YQBBq-000004-Pv


Network connections by the process (if any):

tcp: 89.19.23.155:53717 -> 89.19.23.155:110
tcp: 89.19.23.154:55920 -> 91.102.160.103:25


Files open by the process (if any):

/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-D
/home/virtfs/fff/tmp/tmpfqsXsdu (deleted)
/home/virtfs/fff/var/log/exim_mainlog
/home/virtfs/fff/var/spool/exim/msglog/q/1YQBBq-000004-Pv
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-J
/home/virtfs/fff/etc/mailips
/home/virtfs/fff/etc/mailhelo
0
Comment
Question by:myyis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +1
16 Comments
 
LVL 36

Expert Comment

by:Kimputer
ID: 40627940
Your server is sending and/or receiving mail (pop/smtp). Are you aware of this? Did you have some email functions enabled? Some website forms/scripts?
If NOT, you have to find out why you are sending/receiving emails. If yes, check those IP numbers (if they are where you want to connect to), or check other email logs if those are from "correct" email, or from spam/malware.
0
 
LVL 1

Author Comment

by:myyis
ID: 40627950
Yes the server sends emails
1. When users are assigned to some tasks
2. Password reset emails
etc.

But I have received this warning only once. Everyday dozens of emails are sent. May be an email my server sent was treated like a spam. Is that the case?
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 40627965
As long as you know this IP: 91.102.160.103 as being from a server from someone you needed to contact, you don't need to worry.
If you still don't trust it, find the message file 1YQBBq-000004 and read what's inside (if file still available). If not available try to get the recipients email address from the logs to see if it's someone you know.
0
What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

 
LVL 1

Author Comment

by:myyis
ID: 40627982
At whm  I found the details of the mail. Everything seems ok. So why I received that email?

Event:      success
Sender User:      fff
Sender Domain:      tr1.fff.com
Sender:      ff@tr8.fff.com
Sent Time:      Feb 24, 2015 10:50:10 AM
Sender Host:      localhost
Sender IP:      127.0.0.1
Authentication:      localuser
Spam Score:      0
Recipient:      nurvet@hhh.com.tr
Delivered To:      nurvet@hhh.com.tr
deliveryuser:      -remote-
deliverydomain:      
Router:      lookuphost
Transport:      remote_smtp
Out Time:      Feb 24, 2015 10:51:10 AM
ID:      1YQBBq-000004-Pv
Delivery Host:      mail.hhh.com.tr
Delivery IP:      91.102.160.103
Size:      15.84 KB
Result:      Message accepted
0
 
LVL 36

Accepted Solution

by:
Kimputer earned 250 total points
ID: 40628009
I suspect this happened after a reboot?
While I don't know the exact reason, it's just one of those pre-programmed warning systems, of which the rules you may or may not figure out in time. There rules aren't like magic, and are probably fixed. See it as a false-positive that can happen once in a while, where your normal operation clashes with the warning system.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629203
It means you have been hacked.
Exim does in no case connect to 110/tcp aka POP3.
0
 
LVL 1

Author Comment

by:myyis
ID: 40629390
Hi gheist,
What do you suggest me to do. How can clean it up, any comment?
Thank you.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631147
Capture spool file of
1YQBBq-000004-Pv
It has the exploit.
and upgrade exim and glibc.
0
 
LVL 1

Author Comment

by:myyis
ID: 40631612
I have checked it again and saw nothing weird at the php file.
 I got the warning only once but the mail (1YQBBq-000004-Pv)  and dozens of similar mails are sent automatically  to the same recipient and recipients . Everything seems normal.

This is the function that sends the emails. Is there anything strange with that?

function SendEmail($to, $from, $body, $subject)
{
      $headers = "From: " . $from . "\n";
      $headers .= 'MIME-Version: 1.0' . "\n";
      $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\n";
      mail ($to, $subject, $body, $headers);
}
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631635
Do you sanitize parameters?
0
 
LVL 1

Author Comment

by:myyis
ID: 40631650
Yeah that may be the  point, the body is inserted by the user. Do you suggest anything to sanitize?
And what you say about the Exim and 110/tcp? Do you see anything weird?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40631663
You need to trace  one PHP mail() call on exim
Or just break blind command posting by adding 1s delay to each SMTP response.
I think it posts by /usr/lib/sendmail, so make sure you escape each field to the level sendmail command can clean up later.
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41813987
I'm surprised at all these comments and yet this is the "experts exchange"

That is just a CSF Firewall warning to say that it has detected a file that is not registered by default on the operating system , mailnull which happens to be a spam control engine .

All you have to do to fix these emails from coming in is to add exim to the ignore list


On the ConfigServer Security & Firewall plugins page,
scroll down until you see"lfd - Login Failure Daemon" section,
just below "lfd restart" button,
there is a dropdown menu
select "csf.pignore, Process Tracking" & click edit,
at the end of the file add exim to the ignore list

exe:/home/virtfs/fff/usr/sbin/exim

That should solve the problem
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814009
Explain what EXIM has to do with port 110...
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41814379
Port 110 is for pop3 , do i need to explain what exim has to do with pop3 ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814394
Yes, exim does not implement pop3 server or pop3 client.
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question