Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

What does it mean "Suspicious process running under user mailnull"

Posted on 2015-02-24
16
Medium Priority
?
683 Views
Last Modified: 2016-09-25
I receive this alert from my WHM panel.
What does it mean? Do I have to do anything?

lfd on fff: Suspicious process running under user mailnull

Time:    Tue Feb 24 10:51:17 2015 +0200
PID:     29327 (Parent PID:29324)
Account: mailnull
Uptime:  74 seconds


Executable:

/home/virtfs/fff/usr/sbin/exim


Command Line (often faked in exploits):

/usr/sbin/exim -Mc 1YQBBq-000004-Pv


Network connections by the process (if any):

tcp: 89.19.23.155:53717 -> 89.19.23.155:110
tcp: 89.19.23.154:55920 -> 91.102.160.103:25


Files open by the process (if any):

/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-D
/home/virtfs/fff/tmp/tmpfqsXsdu (deleted)
/home/virtfs/fff/var/log/exim_mainlog
/home/virtfs/fff/var/spool/exim/msglog/q/1YQBBq-000004-Pv
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-J
/home/virtfs/fff/etc/mailips
/home/virtfs/fff/etc/mailhelo
0
Comment
Question by:myyis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 3
  • +1
16 Comments
 
LVL 36

Expert Comment

by:Kimputer
ID: 40627940
Your server is sending and/or receiving mail (pop/smtp). Are you aware of this? Did you have some email functions enabled? Some website forms/scripts?
If NOT, you have to find out why you are sending/receiving emails. If yes, check those IP numbers (if they are where you want to connect to), or check other email logs if those are from "correct" email, or from spam/malware.
0
 
LVL 1

Author Comment

by:myyis
ID: 40627950
Yes the server sends emails
1. When users are assigned to some tasks
2. Password reset emails
etc.

But I have received this warning only once. Everyday dozens of emails are sent. May be an email my server sent was treated like a spam. Is that the case?
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 40627965
As long as you know this IP: 91.102.160.103 as being from a server from someone you needed to contact, you don't need to worry.
If you still don't trust it, find the message file 1YQBBq-000004 and read what's inside (if file still available). If not available try to get the recipients email address from the logs to see if it's someone you know.
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
LVL 1

Author Comment

by:myyis
ID: 40627982
At whm  I found the details of the mail. Everything seems ok. So why I received that email?

Event:      success
Sender User:      fff
Sender Domain:      tr1.fff.com
Sender:      ff@tr8.fff.com
Sent Time:      Feb 24, 2015 10:50:10 AM
Sender Host:      localhost
Sender IP:      127.0.0.1
Authentication:      localuser
Spam Score:      0
Recipient:      nurvet@hhh.com.tr
Delivered To:      nurvet@hhh.com.tr
deliveryuser:      -remote-
deliverydomain:      
Router:      lookuphost
Transport:      remote_smtp
Out Time:      Feb 24, 2015 10:51:10 AM
ID:      1YQBBq-000004-Pv
Delivery Host:      mail.hhh.com.tr
Delivery IP:      91.102.160.103
Size:      15.84 KB
Result:      Message accepted
0
 
LVL 36

Accepted Solution

by:
Kimputer earned 1000 total points
ID: 40628009
I suspect this happened after a reboot?
While I don't know the exact reason, it's just one of those pre-programmed warning systems, of which the rules you may or may not figure out in time. There rules aren't like magic, and are probably fixed. See it as a false-positive that can happen once in a while, where your normal operation clashes with the warning system.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629203
It means you have been hacked.
Exim does in no case connect to 110/tcp aka POP3.
0
 
LVL 1

Author Comment

by:myyis
ID: 40629390
Hi gheist,
What do you suggest me to do. How can clean it up, any comment?
Thank you.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631147
Capture spool file of
1YQBBq-000004-Pv
It has the exploit.
and upgrade exim and glibc.
0
 
LVL 1

Author Comment

by:myyis
ID: 40631612
I have checked it again and saw nothing weird at the php file.
 I got the warning only once but the mail (1YQBBq-000004-Pv)  and dozens of similar mails are sent automatically  to the same recipient and recipients . Everything seems normal.

This is the function that sends the emails. Is there anything strange with that?

function SendEmail($to, $from, $body, $subject)
{
      $headers = "From: " . $from . "\n";
      $headers .= 'MIME-Version: 1.0' . "\n";
      $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\n";
      mail ($to, $subject, $body, $headers);
}
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631635
Do you sanitize parameters?
0
 
LVL 1

Author Comment

by:myyis
ID: 40631650
Yeah that may be the  point, the body is inserted by the user. Do you suggest anything to sanitize?
And what you say about the Exim and 110/tcp? Do you see anything weird?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 1000 total points
ID: 40631663
You need to trace  one PHP mail() call on exim
Or just break blind command posting by adding 1s delay to each SMTP response.
I think it posts by /usr/lib/sendmail, so make sure you escape each field to the level sendmail command can clean up later.
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41813987
I'm surprised at all these comments and yet this is the "experts exchange"

That is just a CSF Firewall warning to say that it has detected a file that is not registered by default on the operating system , mailnull which happens to be a spam control engine .

All you have to do to fix these emails from coming in is to add exim to the ignore list


On the ConfigServer Security & Firewall plugins page,
scroll down until you see"lfd - Login Failure Daemon" section,
just below "lfd restart" button,
there is a dropdown menu
select "csf.pignore, Process Tracking" & click edit,
at the end of the file add exim to the ignore list

exe:/home/virtfs/fff/usr/sbin/exim

That should solve the problem
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814009
Explain what EXIM has to do with port 110...
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41814379
Port 110 is for pop3 , do i need to explain what exim has to do with pop3 ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814394
Yes, exim does not implement pop3 server or pop3 client.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my time as an SEO for the last 2 years and in the questions I have assisted with on here I have always seen the need to redirect from non-www urls to their www versions. For instance redirecting http://domain.com (http://domain.com) to http…
In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses
Course of the Month7 days, 22 hours left to enroll

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question