Solved

What does it mean "Suspicious process running under user mailnull"

Posted on 2015-02-24
16
483 Views
Last Modified: 2016-09-25
I receive this alert from my WHM panel.
What does it mean? Do I have to do anything?

lfd on fff: Suspicious process running under user mailnull

Time:    Tue Feb 24 10:51:17 2015 +0200
PID:     29327 (Parent PID:29324)
Account: mailnull
Uptime:  74 seconds


Executable:

/home/virtfs/fff/usr/sbin/exim


Command Line (often faked in exploits):

/usr/sbin/exim -Mc 1YQBBq-000004-Pv


Network connections by the process (if any):

tcp: 89.19.23.155:53717 -> 89.19.23.155:110
tcp: 89.19.23.154:55920 -> 91.102.160.103:25


Files open by the process (if any):

/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-D
/home/virtfs/fff/tmp/tmpfqsXsdu (deleted)
/home/virtfs/fff/var/log/exim_mainlog
/home/virtfs/fff/var/spool/exim/msglog/q/1YQBBq-000004-Pv
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-J
/home/virtfs/fff/etc/mailips
/home/virtfs/fff/etc/mailhelo
0
Comment
Question by:myyis
  • 6
  • 5
  • 3
  • +1
16 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40627940
Your server is sending and/or receiving mail (pop/smtp). Are you aware of this? Did you have some email functions enabled? Some website forms/scripts?
If NOT, you have to find out why you are sending/receiving emails. If yes, check those IP numbers (if they are where you want to connect to), or check other email logs if those are from "correct" email, or from spam/malware.
0
 

Author Comment

by:myyis
ID: 40627950
Yes the server sends emails
1. When users are assigned to some tasks
2. Password reset emails
etc.

But I have received this warning only once. Everyday dozens of emails are sent. May be an email my server sent was treated like a spam. Is that the case?
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40627965
As long as you know this IP: 91.102.160.103 as being from a server from someone you needed to contact, you don't need to worry.
If you still don't trust it, find the message file 1YQBBq-000004 and read what's inside (if file still available). If not available try to get the recipients email address from the logs to see if it's someone you know.
0
 

Author Comment

by:myyis
ID: 40627982
At whm  I found the details of the mail. Everything seems ok. So why I received that email?

Event:      success
Sender User:      fff
Sender Domain:      tr1.fff.com
Sender:      ff@tr8.fff.com
Sent Time:      Feb 24, 2015 10:50:10 AM
Sender Host:      localhost
Sender IP:      127.0.0.1
Authentication:      localuser
Spam Score:      0
Recipient:      nurvet@hhh.com.tr
Delivered To:      nurvet@hhh.com.tr
deliveryuser:      -remote-
deliverydomain:      
Router:      lookuphost
Transport:      remote_smtp
Out Time:      Feb 24, 2015 10:51:10 AM
ID:      1YQBBq-000004-Pv
Delivery Host:      mail.hhh.com.tr
Delivery IP:      91.102.160.103
Size:      15.84 KB
Result:      Message accepted
0
 
LVL 35

Accepted Solution

by:
Kimputer earned 250 total points
ID: 40628009
I suspect this happened after a reboot?
While I don't know the exact reason, it's just one of those pre-programmed warning systems, of which the rules you may or may not figure out in time. There rules aren't like magic, and are probably fixed. See it as a false-positive that can happen once in a while, where your normal operation clashes with the warning system.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40629203
It means you have been hacked.
Exim does in no case connect to 110/tcp aka POP3.
0
 

Author Comment

by:myyis
ID: 40629390
Hi gheist,
What do you suggest me to do. How can clean it up, any comment?
Thank you.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40631147
Capture spool file of
1YQBBq-000004-Pv
It has the exploit.
and upgrade exim and glibc.
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:myyis
ID: 40631612
I have checked it again and saw nothing weird at the php file.
 I got the warning only once but the mail (1YQBBq-000004-Pv)  and dozens of similar mails are sent automatically  to the same recipient and recipients . Everything seems normal.

This is the function that sends the emails. Is there anything strange with that?

function SendEmail($to, $from, $body, $subject)
{
      $headers = "From: " . $from . "\n";
      $headers .= 'MIME-Version: 1.0' . "\n";
      $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\n";
      mail ($to, $subject, $body, $headers);
}
0
 
LVL 61

Expert Comment

by:gheist
ID: 40631635
Do you sanitize parameters?
0
 

Author Comment

by:myyis
ID: 40631650
Yeah that may be the  point, the body is inserted by the user. Do you suggest anything to sanitize?
And what you say about the Exim and 110/tcp? Do you see anything weird?
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40631663
You need to trace  one PHP mail() call on exim
Or just break blind command posting by adding 1s delay to each SMTP response.
I think it posts by /usr/lib/sendmail, so make sure you escape each field to the level sendmail command can clean up later.
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41813987
I'm surprised at all these comments and yet this is the "experts exchange"

That is just a CSF Firewall warning to say that it has detected a file that is not registered by default on the operating system , mailnull which happens to be a spam control engine .

All you have to do to fix these emails from coming in is to add exim to the ignore list


On the ConfigServer Security & Firewall plugins page,
scroll down until you see"lfd - Login Failure Daemon" section,
just below "lfd restart" button,
there is a dropdown menu
select "csf.pignore, Process Tracking" & click edit,
at the end of the file add exim to the ignore list

exe:/home/virtfs/fff/usr/sbin/exim

That should solve the problem
0
 
LVL 61

Expert Comment

by:gheist
ID: 41814009
Explain what EXIM has to do with port 110...
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41814379
Port 110 is for pop3 , do i need to explain what exim has to do with pop3 ?
0
 
LVL 61

Expert Comment

by:gheist
ID: 41814394
Yes, exim does not implement pop3 server or pop3 client.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In my time as an SEO for the last 2 years and in the questions I have assisted with on here I have always seen the need to redirect from non-www urls to their www versions. For instance redirecting http://domain.com (http://domain.com) to http…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now