Solved

What does it mean "Suspicious process running under user mailnull"

Posted on 2015-02-24
16
530 Views
Last Modified: 2016-09-25
I receive this alert from my WHM panel.
What does it mean? Do I have to do anything?

lfd on fff: Suspicious process running under user mailnull

Time:    Tue Feb 24 10:51:17 2015 +0200
PID:     29327 (Parent PID:29324)
Account: mailnull
Uptime:  74 seconds


Executable:

/home/virtfs/fff/usr/sbin/exim


Command Line (often faked in exploits):

/usr/sbin/exim -Mc 1YQBBq-000004-Pv


Network connections by the process (if any):

tcp: 89.19.23.155:53717 -> 89.19.23.155:110
tcp: 89.19.23.154:55920 -> 91.102.160.103:25


Files open by the process (if any):

/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/dev/null
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-D
/home/virtfs/fff/tmp/tmpfqsXsdu (deleted)
/home/virtfs/fff/var/log/exim_mainlog
/home/virtfs/fff/var/spool/exim/msglog/q/1YQBBq-000004-Pv
/home/virtfs/fff/var/spool/exim/input/q/1YQBBq-000004-Pv-J
/home/virtfs/fff/etc/mailips
/home/virtfs/fff/etc/mailhelo
0
Comment
Question by:myyis
  • 6
  • 5
  • 3
  • +1
16 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40627940
Your server is sending and/or receiving mail (pop/smtp). Are you aware of this? Did you have some email functions enabled? Some website forms/scripts?
If NOT, you have to find out why you are sending/receiving emails. If yes, check those IP numbers (if they are where you want to connect to), or check other email logs if those are from "correct" email, or from spam/malware.
0
 

Author Comment

by:myyis
ID: 40627950
Yes the server sends emails
1. When users are assigned to some tasks
2. Password reset emails
etc.

But I have received this warning only once. Everyday dozens of emails are sent. May be an email my server sent was treated like a spam. Is that the case?
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 40627965
As long as you know this IP: 91.102.160.103 as being from a server from someone you needed to contact, you don't need to worry.
If you still don't trust it, find the message file 1YQBBq-000004 and read what's inside (if file still available). If not available try to get the recipients email address from the logs to see if it's someone you know.
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 

Author Comment

by:myyis
ID: 40627982
At whm  I found the details of the mail. Everything seems ok. So why I received that email?

Event:      success
Sender User:      fff
Sender Domain:      tr1.fff.com
Sender:      ff@tr8.fff.com
Sent Time:      Feb 24, 2015 10:50:10 AM
Sender Host:      localhost
Sender IP:      127.0.0.1
Authentication:      localuser
Spam Score:      0
Recipient:      nurvet@hhh.com.tr
Delivered To:      nurvet@hhh.com.tr
deliveryuser:      -remote-
deliverydomain:      
Router:      lookuphost
Transport:      remote_smtp
Out Time:      Feb 24, 2015 10:51:10 AM
ID:      1YQBBq-000004-Pv
Delivery Host:      mail.hhh.com.tr
Delivery IP:      91.102.160.103
Size:      15.84 KB
Result:      Message accepted
0
 
LVL 35

Accepted Solution

by:
Kimputer earned 250 total points
ID: 40628009
I suspect this happened after a reboot?
While I don't know the exact reason, it's just one of those pre-programmed warning systems, of which the rules you may or may not figure out in time. There rules aren't like magic, and are probably fixed. See it as a false-positive that can happen once in a while, where your normal operation clashes with the warning system.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629203
It means you have been hacked.
Exim does in no case connect to 110/tcp aka POP3.
0
 

Author Comment

by:myyis
ID: 40629390
Hi gheist,
What do you suggest me to do. How can clean it up, any comment?
Thank you.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631147
Capture spool file of
1YQBBq-000004-Pv
It has the exploit.
and upgrade exim and glibc.
0
 

Author Comment

by:myyis
ID: 40631612
I have checked it again and saw nothing weird at the php file.
 I got the warning only once but the mail (1YQBBq-000004-Pv)  and dozens of similar mails are sent automatically  to the same recipient and recipients . Everything seems normal.

This is the function that sends the emails. Is there anything strange with that?

function SendEmail($to, $from, $body, $subject)
{
      $headers = "From: " . $from . "\n";
      $headers .= 'MIME-Version: 1.0' . "\n";
      $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\n";
      mail ($to, $subject, $body, $headers);
}
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631635
Do you sanitize parameters?
0
 

Author Comment

by:myyis
ID: 40631650
Yeah that may be the  point, the body is inserted by the user. Do you suggest anything to sanitize?
And what you say about the Exim and 110/tcp? Do you see anything weird?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 250 total points
ID: 40631663
You need to trace  one PHP mail() call on exim
Or just break blind command posting by adding 1s delay to each SMTP response.
I think it posts by /usr/lib/sendmail, so make sure you escape each field to the level sendmail command can clean up later.
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41813987
I'm surprised at all these comments and yet this is the "experts exchange"

That is just a CSF Firewall warning to say that it has detected a file that is not registered by default on the operating system , mailnull which happens to be a spam control engine .

All you have to do to fix these emails from coming in is to add exim to the ignore list


On the ConfigServer Security & Firewall plugins page,
scroll down until you see"lfd - Login Failure Daemon" section,
just below "lfd restart" button,
there is a dropdown menu
select "csf.pignore, Process Tracking" & click edit,
at the end of the file add exim to the ignore list

exe:/home/virtfs/fff/usr/sbin/exim

That should solve the problem
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814009
Explain what EXIM has to do with port 110...
0
 

Expert Comment

by:Mbekezeli Mhlanga
ID: 41814379
Port 110 is for pop3 , do i need to explain what exim has to do with pop3 ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41814394
Yes, exim does not implement pop3 server or pop3 client.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As Wikipedia explains 'robots.txt' as -- the robot exclusion standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention to prevent cooperating web spiders and other web robots from accessing all or part of a websit…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question