suspicious user account and file in my system

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

suspicious user account and file in my system

L0 Member

Is this BOT or not ?

 

# cat /etc/passwd | grep trapsanalyzer1
trapsanalyzer1:x:993:990::/home/trapsanalyzer1:/usr/sbin/nologin

 

# chage -l trapsanalyzer1
Last password change                                    : Jul 13, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1
 
# userdel -r trapsanalyzer1
userdel: user trapsanalyzer1 is currently used by process 1137

]# ps -ef | grep 1137
trapsan+  1137   744  0 Sep25 ?        00:00:00 /opt/traps/analyzerd/analyzerd 17 19 21
root     26328 25808  0 22:20 pts/0    00:00:00 grep --color=auto 1137


File :analyzerd

# cd /opt/traps/analyzerd/
# ll
total 1972
-r-xr-xr-x. 1 root root 2018616 Jul 13  2020 analyzerd

# stat analyzerd
  File: ‘analyzerd’
  Size: 2018616         Blocks: 3944       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 509439873   Links: 1
Access: (0555/-r-xr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-10-19 22:10:58.555360195 +0530
Modify: 2020-07-13 10:38:39.431252769 +0530
Change: 2020-07-13 10:39:04.990251201 +0530
 Birth: -

 

So , This is virustotal hash of analyzd file.

 

0f762101141fae2791a810d99e69ec28358acef9c6491f79e9d13941c22ac4de

 

https://www.virustotal.com/graph/embed/g341095e131824f508d1d0cb150bc7da3ebddab77a09a46f98c5221ac813b...

 

Is this is not a BOT and no need to take action to remove this?

1 accepted solution

Accepted Solutions

Community Team Member

Hi @pra838 ,

 

I believe a user trapsanalyzer1 is normal and created by Cortex XDR endpoint protection (or previously traps).

When a file needs to be analyzed it will give the task to "analyzerd".  The job of it is to analyze the file and return a verdict.

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

2 REPLIES 2

Community Team Member

Hi @pra838 ,

 

I believe a user trapsanalyzer1 is normal and created by Cortex XDR endpoint protection (or previously traps).

When a file needs to be analyzed it will give the task to "analyzerd".  The job of it is to analyze the file and return a verdict.

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Thank You So much ...!💪

 

But what is the connection established to UK IPs.

  • And what is about Virustotal and VTGraphs.

Do you have any idea about it?

0f762101141fae2791a810d99e69ec28358acef9c6491f79e9d13941c22ac4de

https://www.virustotal.com/graph/embed/g341095e131824f508d1d0cb150bc7da3ebddab77a09a46f98c5221ac813b...

  • 1 accepted solution
  • 1739 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!