Lfd Has Been Issuing Suspicious Process Notices Since Post By Email Installation, lfd on host.wakulla.net: Suspicious process running under user rpc Options

[jayw]

Does Post by Email use rpcbind?

Thanks,

-j

CODE

Time:    Mon Apr 14 02:00:14 2014 -0400
PID:     686 (Parent PID:686)
Account: rpc
Uptime:  295317 seconds




Executable:

/sbin/rpcbind


Command Line (often faked in exploits):

rpcbind


Network connections by the process (if any):

udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:861 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:861 -> 0.0.0.0:0
tcp6: 0.0.0.0:111 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/var/run/rpcbind.lock


Memory maps by the process (if any):

b74ba000-b74c6000 r-xp 00000000 00:bc 88740360                           /lib/libnss_files-2.12.so
b74c6000-b74c7000 r--p 0000b000 00:bc 88740360                           /lib/libnss_files-2.12.so
b74c7000-b74c8000 rw-p 0000c000 00:bc 88740360                           /lib/libnss_files-2.12.so
b74d0000-b74d2000 rw-p 00000000 00:00 0
b74d2000-b7663000 r-xp 00000000 00:bc 88740300                           /lib/libc-2.12.so
b7663000-b7665000 r--p 00191000 00:bc 88740300                           /lib/libc-2.12.so
b7665000-b7666000 rw-p 00193000 00:bc 88740300                           /lib/libc-2.12.so
b7666000-b7669000 rw-p 00000000 00:00 0
b7669000-b7680000 r-xp 00000000 00:bc 88740364                           /lib/libpthread-2.12.so
b7680000-b7681000 r--p 00016000 00:bc 88740364                           /lib/libpthread-2.12.so
b7681000-b7682000 rw-p 00017000 00:bc 88740364                           /lib/libpthread-2.12.so
b7682000-b7684000 rw-p 00000000 00:00 0
b7684000-b7687000 r-xp 00000000 00:bc 88740312                           /lib/libdl-2.12.so
b7687000-b7688000 r--p 00002000 00:bc 88740312                           /lib/libdl-2.12.so
b7688000-b7689000 rw-p 00003000 00:bc 88740312                           /lib/libdl-2.12.so
b7689000-b768a000 rw-p 00000000 00:00 0
b768a000-b7692000 r-xp 00000000 00:bc 88740472                           /lib/libgssglue.so.1.0.0
b7692000-b7693000 rw-p 00007000 00:bc 88740472                           /lib/libgssglue.so.1.0.0
b7693000-b76aa000 r-xp 00000000 00:bc 88740351                           /lib/libnsl-2.12.so
b76aa000-b76ab000 r--p 00016000 00:bc 88740351                           /lib/libnsl-2.12.so
b76ab000-b76ac000 rw-p 00017000 00:bc 88740351                           /lib/libnsl-2.12.so
b76ac000-b76ae000 rw-p 00000000 00:00 0
b76ae000-b76d4000 r-xp 00000000 00:bc 88736283                           /lib/libtirpc.so.1.0.10
b76d4000-b76d5000 rw-p 00026000 00:bc 88736283                           /lib/libtirpc.so.1.0.10
b76d5000-b76dd000 r-xp 00000000 00:bc 88740524                           /lib/libwrap.so.0.7.6
b76dd000-b76de000 r--p 00007000 00:bc 88740524                           /lib/libwrap.so.0.7.6
b76de000-b76df000 rw-p 00008000 00:bc 88740524                           /lib/libwrap.so.0.7.6
b76e7000-b76e8000 rw-p 00000000 00:00 0
b76e8000-b76e9000 r-xp 00000000 00:00 0                                  [vdso]
b76e9000-b7707000 r-xp 00000000 00:bc 88740406                           /lib/ld-2.12.so
b7707000-b7708000 r--p 0001d000 00:bc 88740406                           /lib/ld-2.12.so
b7708000-b7709000 rw-p 0001e000 00:bc 88740406                           /lib/ld-2.12.so
b7709000-b7716000 r-xp 00000000 00:bc 88872110                           /sbin/rpcbind
b7716000-b7717000 rw-p 0000d000 00:bc 88872110                           /sbin/rpcbind
b9099000-b90ba000 rw-p 00000000 00:00 0                                  [heap]
bfa05000-bfa1a000 rw-p 00000000 00:00 0                                  [stack]

[pavelKukov]

Far as I know - no.