Processo suspeito em execução sob o usuário nomeado

Recebo muitos e-mails relatando isso e quero que esse problema seja corrigido automaticamente. Esses processos são executados pelo meu servidor e resultam de atualizações, exclusão de sessões e outros tipos legítimos de tratamento de sessão relatados como falsos positivos.

Veja um exemplo de relatório:

Time:    Sat Oct 20 00:00:03 2012 -0400
PID:     20077
Account: named
Uptime:  326117 seconds

Executable:

/usr/sbin/nsd
Time:    Sat Oct 20 00:00:03 2012 -0400
PID:     20077
Account: named
Uptime:  326117 seconds

Executable:

/usr/sbin/nsd%pre%507d27e9%pre%53%pre%%pre%%pre%%pre%%pre% (deleted)

The file system shows this process is running an executable file that has
been deleted. This typically happens when the original file has been replaced
by a new file when the application is updated. To prevent this being reported
again, restart the process that runs this excecutable file. See csf.conf and
the PT_DELETED text for more information about the security implications of
processes running deleted executable files.


Command Line (often faked in exploits):

/usr/sbin/nsd -c /etc/nsd/nsd.conf


Network connections by the process (if any):

udp: xx.xx.xxx.xx:53 -> 0.0.0.0:0
udp: 127.0.0.1:53 -> 0.0.0.0:0
udp: xx.xx.xxx.xx:53 -> 0.0.0.0:0
tcp: xx.xx.xxx.xx:53 -> 0.0.0.0:0
tcp: 127.0.0.1:53 -> 0.0.0.0:0
tcp: xx.xx.xxx.xx:53 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

0045e000-00479000 r-xp 00000000 fd:00 2582025    /lib/ld-2.5.so
00479000-0047a000 r--p 0001a000 fd:00 2582025    /lib/ld-2.5.so
0047a000-0047b000 rw-p 0001b000 fd:00 2582025    /lib/ld-2.5.so
0047d000-005d5000 r-xp 00000000 fd:00 2582073    /lib/i686/nosegneg/libc-2.5.so
005d5000-005d7000 r--p 00157000 fd:00 2582073    /lib/i686/nosegneg/libc-2.5.so
005d7000-005d8000 rw-p 00159000 fd:00 2582073    /lib/i686/nosegneg/libc-2.5.so
005d8000-005db000 rw-p 005d8000 00:00 0 
005dd000-005e0000 r-xp 00000000 fd:00 2582087    /lib/libdl-2.5.so
005e0000-005e1000 r--p 00002000 fd:00 2582087    /lib/libdl-2.5.so
005e1000-005e2000 rw-p 00003000 fd:00 2582087    /lib/libdl-2.5.so
0062b000-0063d000 r-xp 00000000 fd:00 2582079    /lib/libz.so.1.2.3
0063d000-0063e000 rw-p 00011000 fd:00 2582079    /lib/libz.so.1.2.3
00855000-0085f000 r-xp 00000000 fd:00 2582022    /lib/libnss_files-2.5.so
0085f000-00860000 r--p 00009000 fd:00 2582022    /lib/libnss_files-2.5.so
00860000-00861000 rw-p 0000a000 fd:00 2582022    /lib/libnss_files-2.5.so
00ac0000-00bea000 r-xp 00000000 fd:00 2582166    /lib/libcrypto.so.0.9.8e
00bea000-00bfe000 rw-p 00129000 fd:00 2582166    /lib/libcrypto.so.0.9.8e
00bfe000-00c01000 rw-p 00bfe000 00:00 0 
00e68000-00e69000 r-xp 00e68000 00:00 0          [vdso]
08048000-08074000 r-xp 00000000 fd:00 927261     /usr/sbin/nsd
08074000-08079000 rw-p 0002b000 fd:00 927261     /usr/sbin/nsd
08079000-0808c000 rw-p 08079000 00:00 0 
08a20000-08a67000 rw-p 08a20000 00:00 0 
b7f8d000-b7ff2000 rw-p b7f8d000 00:00 0 
b7ffd000-b7ffe000 rw-p b7ffd000 00:00 0 
bfa6d000-bfa91000 rw-p bffda000 00:00 0          [stack]
507d27e9%pre%53%pre%%pre%%pre%%pre%%pre% (deleted)

The file system shows this process is running an executable file that has
been deleted. This typically happens when the original file has been replaced
by a new file when the application is updated. To prevent this being reported
again, restart the process that runs this excecutable file. See csf.conf and
the PT_DELETED text for more information about the security implications of
processes running deleted executable files.


Command Line (often faked in exploits):

/usr/sbin/nsd -c /etc/nsd/nsd.conf


Network connections by the process (if any):

udp: xx.xx.xxx.xx:53 -> 0.0.0.0:0
udp: 127.0.0.1:53 -> 0.0.0.0:0
udp: xx.xx.xxx.xx:53 -> 0.0.0.0:0
tcp: xx.xx.xxx.xx:53 -> 0.0.0.0:0
tcp: 127.0.0.1:53 -> 0.0.0.0:0
tcp: xx.xx.xxx.xx:53 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

0045e000-00479000 r-xp 00000000 fd:00 2582025    /lib/ld-2.5.so
00479000-0047a000 r--p 0001a000 fd:00 2582025    /lib/ld-2.5.so
0047a000-0047b000 rw-p 0001b000 fd:00 2582025    /lib/ld-2.5.so
0047d000-005d5000 r-xp 00000000 fd:00 2582073    /lib/i686/nosegneg/libc-2.5.so
005d5000-005d7000 r--p 00157000 fd:00 2582073    /lib/i686/nosegneg/libc-2.5.so
005d7000-005d8000 rw-p 00159000 fd:00 2582073    /lib/i686/nosegneg/libc-2.5.so
005d8000-005db000 rw-p 005d8000 00:00 0 
005dd000-005e0000 r-xp 00000000 fd:00 2582087    /lib/libdl-2.5.so
005e0000-005e1000 r--p 00002000 fd:00 2582087    /lib/libdl-2.5.so
005e1000-005e2000 rw-p 00003000 fd:00 2582087    /lib/libdl-2.5.so
0062b000-0063d000 r-xp 00000000 fd:00 2582079    /lib/libz.so.1.2.3
0063d000-0063e000 rw-p 00011000 fd:00 2582079    /lib/libz.so.1.2.3
00855000-0085f000 r-xp 00000000 fd:00 2582022    /lib/libnss_files-2.5.so
0085f000-00860000 r--p 00009000 fd:00 2582022    /lib/libnss_files-2.5.so
00860000-00861000 rw-p 0000a000 fd:00 2582022    /lib/libnss_files-2.5.so
00ac0000-00bea000 r-xp 00000000 fd:00 2582166    /lib/libcrypto.so.0.9.8e
00bea000-00bfe000 rw-p 00129000 fd:00 2582166    /lib/libcrypto.so.0.9.8e
00bfe000-00c01000 rw-p 00bfe000 00:00 0 
00e68000-00e69000 r-xp 00e68000 00:00 0          [vdso]
08048000-08074000 r-xp 00000000 fd:00 927261     /usr/sbin/nsd
08074000-08079000 rw-p 0002b000 fd:00 927261     /usr/sbin/nsd
08079000-0808c000 rw-p 08079000 00:00 0 
08a20000-08a67000 rw-p 08a20000 00:00 0 
b7f8d000-b7ff2000 rw-p b7f8d000 00:00 0 
b7ffd000-b7ffe000 rw-p b7ffd000 00:00 0 
bfa6d000-bfa91000 rw-p bffda000 00:00 0          [stack]

/etc/nsd/restart ou kill -1 20077 resolveria o problema?