Cita:
Estos mensajes llegan continuamente y todos los dias.Time: Sun Dec 28 11:01:14 2008 -0500
PID: 3428
Account: nobody
Uptime: 1017051 seconds
Executable:
/usr/sbin/proftpd Êåö À¥?À (deleted)
The file system shows that this executable file that the process is running has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information:
[/usr/sbin/proftpd Êåö À¥?À (deleted)]
Command Line (often faked in exploits):
proftpd: (accepting connections)
Network connections by the process (if any):
tcp: 0.0.0.0:21 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
Memory maps by the process (if any):
08048000-080c0000 r-xp 00000000 08:03 461677 /usr/sbin/proftpd
080c0000-080c8000 rwxp 00077000 08:03 461677 /usr/sbin/proftpd
080c8000-0810e000 rwxp 080c8000 00:00 0 [heap]
0810e000-0810f000 rwxp 0810e000 00:00 0 [heap]
0810f000-08115000 rwxp 0810f000 00:00 0 [heap]
49fb3000-4a0dc000 r-xp 00000000 08:05 165545 /lib/tls/libc-2.3.4.so
4a0dc000-4a0de000 r-xp 00128000 08:05 165545 /lib/tls/libc-2.3.4.so
4a0de000-4a0e0000 rwxp 0012a000 08:05 165545 /lib/tls/libc-2.3.4.so
4a0e0000-4a0e2000 rwxp 4a0e0000 00:00 0
4a0e4000-4a0e6000 r-xp 00000000 08:05 165548 /lib/libdl-2.3.4.so
4a0e6000-4a0e7000 r-xp 00001000 08:05 165548 /lib/libdl-2.3.4.so
4a0e7000-4a0e8000 rwxp 00002000 08:05 165548 /lib/libdl-2.3.4.so
4a10f000-4a11e000 r-xp 00000000 08:03 510333 /usr/lib/libz.so.1.2.1.2
4a11e000-4a11f000 rwxp 0000e000 08:03 510333 /usr/lib/libz.so.1.2.1.2
4a135000-4a144000 r-xp 00000000 08:05 165550 /lib/libresolv-2.3.4.so
4a144000-4a145000 r-xp 0000f000 08:05 165550 /lib/libresolv-2.3.4.so
4a145000-4a146000 rwxp 00010000 08:05 165550 /lib/libresolv-2.3.4.so
4a146000-4a148000 rwxp 4a146000 00:00 0
4a14a000-4a152000 r-xp 00000000 08:05 165552 /lib/libcrypt-2.3.4.so
4a152000-4a153000 r-xp 00007000 08:05 165552 /lib/libcrypt-2.3.4.so
4a153000-4a154000 rwxp 00008000 08:05 165552 /lib/libcrypt-2.3.4.so
4a154000-4a17b000 rwxp 4a154000 00:00 0
4a17d000-4a17f000 r-xp 00000000 08:05 163936 /lib/libcom_err.so.2.1
4a17f000-4a180000 rwxp 00001000 08:05 163936 /lib/libcom_err.so.2.1
4a182000-4a257000 r-xp 00000000 08:05 165555 /lib/libcrypto.so.0.9.7a.#prelink#.v9ZEVr (deleted)
4a257000-4a269000 rwxp 000d5000 08:05 165555 /lib/libcrypto.so.0.9.7a.#prelink#.v9ZEVr (deleted)
4a269000-4a26c000 rwxp 4a269000 00:00 0
4a26e000-4a2d1000 r-xp 00000000 08:03 512875 /usr/lib/libkrb5.so.3.2
4a2d1000-4a2d3000 rwxp 00063000 08:03 512875 /usr/lib/libkrb5.so.3.2
4a2d5000-4a2f5000 r-xp 00000000 08:03 510275 /usr/lib/libk5crypto.so.3.0
4a2f5000-4a2f6000 rwxp 00020000 08:03 510275 /usr/lib/libk5crypto.so.3.0
4a2f8000-4a30b000 r-xp 00000000 08:03 512876 /usr/lib/libgssapi_krb5.so.2.2.#prelink#.SWyVuN (deleted)
4a30b000-4a30c000 rwxp 00013000 08:03 512876 /usr/lib/libgssapi_krb5.so.2.2.#prelink#.SWyVuN (deleted)
4a3ae000-4a3df000 r-xp 00000000 08:05 165556 /lib/libssl.so.0.9.7a
4a3df000-4a3e2000 rwxp 00031000 08:05 165556 /lib/libssl.so.0.9.7a
4a3e4000-4a3f2000 r-xp 00000000 08:05 165557 /lib/libaudit.so.0.0.0
4a3f2000-4a3f4000 rwxp 0000d000 08:05 165557 /lib/libaudit.so.0.0.0
4a439000-4a441000 r-xp 00000000 08:05 165558 /lib/libpam.so.0.77
4a441000-4a442000 rwxp 00007000 08:05 165558 /lib/libpam.so.0.77
b7ee0000-b7ee9000 r-xp 00000000 08:05 163890 /lib/libnss_files-2.3.4.so
b7ee9000-b7eea000 r-xp 00008000 08:05 163890 /lib/libnss_files-2.3.4.so
b7eea000-b7eeb000 rwxp 00009000 08:05 163890 /lib/libnss_files-2.3.4.so
b7eeb000-b7eef000 rwxp b7eeb000 00:00 0
b7efb000-b7f11000 r-xp 00000000 08:05 165544 /lib/ld-2.3.4.so
b7f11000-b7f12000 r-xp 00015000 08:05 165544 /lib/ld-2.3.4.so
b7f12000-b7f13000 rwxp 00016000 08:05 165544 /lib/ld-2.3.4.so
bfcfb000-bfd10000 rw-p bffeb000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
PID: 3428
Account: nobody
Uptime: 1017051 seconds
Executable:
/usr/sbin/proftpd Êåö À¥?À (deleted)
The file system shows that this executable file that the process is running has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information:
[/usr/sbin/proftpd Êåö À¥?À (deleted)]
Command Line (often faked in exploits):
proftpd: (accepting connections)
Network connections by the process (if any):
tcp: 0.0.0.0:21 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
Memory maps by the process (if any):
08048000-080c0000 r-xp 00000000 08:03 461677 /usr/sbin/proftpd
080c0000-080c8000 rwxp 00077000 08:03 461677 /usr/sbin/proftpd
080c8000-0810e000 rwxp 080c8000 00:00 0 [heap]
0810e000-0810f000 rwxp 0810e000 00:00 0 [heap]
0810f000-08115000 rwxp 0810f000 00:00 0 [heap]
49fb3000-4a0dc000 r-xp 00000000 08:05 165545 /lib/tls/libc-2.3.4.so
4a0dc000-4a0de000 r-xp 00128000 08:05 165545 /lib/tls/libc-2.3.4.so
4a0de000-4a0e0000 rwxp 0012a000 08:05 165545 /lib/tls/libc-2.3.4.so
4a0e0000-4a0e2000 rwxp 4a0e0000 00:00 0
4a0e4000-4a0e6000 r-xp 00000000 08:05 165548 /lib/libdl-2.3.4.so
4a0e6000-4a0e7000 r-xp 00001000 08:05 165548 /lib/libdl-2.3.4.so
4a0e7000-4a0e8000 rwxp 00002000 08:05 165548 /lib/libdl-2.3.4.so
4a10f000-4a11e000 r-xp 00000000 08:03 510333 /usr/lib/libz.so.1.2.1.2
4a11e000-4a11f000 rwxp 0000e000 08:03 510333 /usr/lib/libz.so.1.2.1.2
4a135000-4a144000 r-xp 00000000 08:05 165550 /lib/libresolv-2.3.4.so
4a144000-4a145000 r-xp 0000f000 08:05 165550 /lib/libresolv-2.3.4.so
4a145000-4a146000 rwxp 00010000 08:05 165550 /lib/libresolv-2.3.4.so
4a146000-4a148000 rwxp 4a146000 00:00 0
4a14a000-4a152000 r-xp 00000000 08:05 165552 /lib/libcrypt-2.3.4.so
4a152000-4a153000 r-xp 00007000 08:05 165552 /lib/libcrypt-2.3.4.so
4a153000-4a154000 rwxp 00008000 08:05 165552 /lib/libcrypt-2.3.4.so
4a154000-4a17b000 rwxp 4a154000 00:00 0
4a17d000-4a17f000 r-xp 00000000 08:05 163936 /lib/libcom_err.so.2.1
4a17f000-4a180000 rwxp 00001000 08:05 163936 /lib/libcom_err.so.2.1
4a182000-4a257000 r-xp 00000000 08:05 165555 /lib/libcrypto.so.0.9.7a.#prelink#.v9ZEVr (deleted)
4a257000-4a269000 rwxp 000d5000 08:05 165555 /lib/libcrypto.so.0.9.7a.#prelink#.v9ZEVr (deleted)
4a269000-4a26c000 rwxp 4a269000 00:00 0
4a26e000-4a2d1000 r-xp 00000000 08:03 512875 /usr/lib/libkrb5.so.3.2
4a2d1000-4a2d3000 rwxp 00063000 08:03 512875 /usr/lib/libkrb5.so.3.2
4a2d5000-4a2f5000 r-xp 00000000 08:03 510275 /usr/lib/libk5crypto.so.3.0
4a2f5000-4a2f6000 rwxp 00020000 08:03 510275 /usr/lib/libk5crypto.so.3.0
4a2f8000-4a30b000 r-xp 00000000 08:03 512876 /usr/lib/libgssapi_krb5.so.2.2.#prelink#.SWyVuN (deleted)
4a30b000-4a30c000 rwxp 00013000 08:03 512876 /usr/lib/libgssapi_krb5.so.2.2.#prelink#.SWyVuN (deleted)
4a3ae000-4a3df000 r-xp 00000000 08:05 165556 /lib/libssl.so.0.9.7a
4a3df000-4a3e2000 rwxp 00031000 08:05 165556 /lib/libssl.so.0.9.7a
4a3e4000-4a3f2000 r-xp 00000000 08:05 165557 /lib/libaudit.so.0.0.0
4a3f2000-4a3f4000 rwxp 0000d000 08:05 165557 /lib/libaudit.so.0.0.0
4a439000-4a441000 r-xp 00000000 08:05 165558 /lib/libpam.so.0.77
4a441000-4a442000 rwxp 00007000 08:05 165558 /lib/libpam.so.0.77
b7ee0000-b7ee9000 r-xp 00000000 08:05 163890 /lib/libnss_files-2.3.4.so
b7ee9000-b7eea000 r-xp 00008000 08:05 163890 /lib/libnss_files-2.3.4.so
b7eea000-b7eeb000 rwxp 00009000 08:05 163890 /lib/libnss_files-2.3.4.so
b7eeb000-b7eef000 rwxp b7eeb000 00:00 0
b7efb000-b7f11000 r-xp 00000000 08:05 165544 /lib/ld-2.3.4.so
b7f11000-b7f12000 r-xp 00015000 08:05 165544 /lib/ld-2.3.4.so
b7f12000-b7f13000 rwxp 00016000 08:05 165544 /lib/ld-2.3.4.so
bfcfb000-bfd10000 rw-p bffeb000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
Cuando ello ocurre, veo con un usuario no body usa consumo continuo :
Cita:
Por favor, alquien podria orientarme sobre este mensaje? es algo de que preocuparse? alguna pista para seguir investigando en SGOO (san google)31322 nobody 0 0.0 0.0 proftpd: (accepting connections)
Gracias