Desde hace unos días estoy alojado en un servidor dedicado y recibo los emails del root para notificarme de lo que ocurre en la máquina.
Resulta que cada cierto tiempo (varias veces al día) recibo una serie de emails que no sé qué quieren decir (son 4 emails que llegan a la vez) y me gustaría que, si alguien puede, me los explicara y me dijera si son problemas gordos o siemplemente es rutinario y se pueden ignorar.
Los emails que recibo son los siguientes:
1: de Cron Daemon:
Cita:
2: asunto: lfd on ***.net: Suspicious process running under user nobody/etc/cron.hourly/mcelog.cron:
mcelog: warning: record length longer than expected. Consider update.
mcelog: warning: record length longer than expected. Consider update.
Cita:
3: asunto: lfd on ***.net: Suspicious process running under user mysqlTime: Mon Jan 25 15:01:22 2010 +0100
PID: 3749
Account: nobody
Uptime: 700654 seconds
Executable:
/usr/sbin/proftpd (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
proftpd: (accepting connections)
Network connections by the process (if any):
(.........)
PID: 3749
Account: nobody
Uptime: 700654 seconds
Executable:
/usr/sbin/proftpd (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
proftpd: (accepting connections)
Network connections by the process (if any):
(.........)
Cita:
4: asunto: lfd on ***.net: Suspicious process running under user haldaemonTime: Mon Jan 25 15:01:22 2010 +0100
PID: 3802
Account: mysql
Uptime: 700653 seconds
Executable:
/usr/sbin/mysqld (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/***.net.pid --skip-external-locking
Network connections by the process (if any):
(....)
PID: 3802
Account: mysql
Uptime: 700653 seconds
Executable:
/usr/sbin/mysqld (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/***.net.pid --skip-external-locking
Network connections by the process (if any):
(....)
Cita:
Qué podéis decirme de estos emails? Soy nuevo en esto y estoy bastante descolocado... Time: Mon Jan 25 15:01:22 2010 +0100
PID: 4988
Account: haldaemon
Uptime: 700648 seconds
Executable:
/usr/sbin/hald (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
hald
Network connections by the process (if any):
Files open by the process (if any):
(.....)
PID: 4988
Account: haldaemon
Uptime: 700648 seconds
Executable:
/usr/sbin/hald (deleted)
The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.
Command Line (often faked in exploits):
hald
Network connections by the process (if any):
Files open by the process (if any):
(.....)