  1. #1
    Member
    Join Date
    Sep 2009
    Posts
    45

    LFD Mail Notification problem

    Hello,

    I'm receiving the emails below from my root user / LFD firewall (more than 200 times a day).


    The emails have been received about different accounts (who are using many emails).

    One particular IP is mentioned in all the emails, and it belongs to the same datacenter (example: 2.2.2.2:53).

    Please let me know what the problem is and how to stop the notifications.
    Thank you



    -----------------------------Mail 1 -----------------------------

    subject : lfd on server.....com: Excessive resource usage: renau (3427)

    Time: Sat Sep 5 19:07:00 2009 +0430
    Account: renau
    Resource: Process Time
    Exceeded: 6429 > 1800 (seconds)

    Executable: /usr/bin/perl
    Command Line: spamd child
    PID: 3427
    Killed: No

    ----------------------Mail 2 ----------------------------

    Subject : lfd on server.........com: Suspicious process running under user renau

    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:54707
    udp: 1.1.1.1:10692 -> 2.2.2.2:53


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
    /home/renault/.spamassassin/bayes_toks
    /home/renault/.spamassassin/bayes_toks
    /home/renault/.spamassassin/bayes_toks
    /tmp/.spamassassin6987U4eJeQtmp


    Memory maps by the process (if any):

    Last edited by jestin_virtual; 09-05-2009 at 01:14 PM.

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    LFD is a little too sensitive by default and very commonly triggers on normal server processes unless excluded from its "watch list" ...

    In your case, LFD is seeing SpamAssassin (a normal process) running on your server, which is up and running almost continuously since all incoming mail to your server is generally passed through the SpamAssassin (spamd) server process and the content of messages checked against the spam rules. LFD just gets worried because it sees a process that is staying open and sends you an alert about it.

    We normally exclude the "spamd" process from being watched by LFD.

    Basically there is nothing to worry about.

    As another side note, 127.0.0.1 is your own server.

  3. #3
    Member
    Join Date
    Sep 2009
    Posts
    45

    Quote (originally posted by Spiral):
    LFD is a little too sensitive by default and very commonly triggers on normal server processes unless excluded from its "watch list" ...

    In your case, LFD is seeing SpamAssassin (a normal process) running on your server, which is up and running almost continuously since all incoming mail to your server is generally passed through the SpamAssassin (spamd) server process and the content of messages checked against the spam rules. LFD just gets worried because it sees a process that is staying open and sends you an alert about it.

    We normally exclude the "spamd" process from being watched by LFD.

    Basically there is nothing to worry about.

    As another side note, 127.0.0.1 is your own server.

    Hello,

    1) How do I stop the notifications? I'm not interested in receiving 200 emails per day.

    2) The IP is not 127.0.0.1; I have changed the IP to 2.2.2.2.

    udp: 1.1.1.1:10692 -> 2.2.2.2:53

    1.1.1.1 is my server and 2.2.2.2 is another IP in the same datacenter.

  4. #4
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,165
    cPanel/Enkompass Access Level

    Root Administrator


    Both mails 1&2 can be taken care of by reading the manual. Or check this thread: Process Tracking and csf.pignore - ConfigServer Scripts Forum



    Quote: LFD is a little too sensitive by default and very commonly triggers on normal server processes unless excluded from its "watch list"

    Bite your tongue. We like sensitive.
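
An added example, not part of any post in this thread and not ConfigServer's code: before a process like the one in Mail 2 is excluded from lfd's process tracking, the alert's own fields can be checked against what a genuine spamd child looks like (Perl executable, the spamd script among its open files, only loopback traffic plus DNS on UDP port 53). The sample alert is constructed from the shape of Mail 2, and the `resolvers` set (for example the nameservers in /etc/resolv.conf) and all function names are assumptions; the checks are heuristics, not proof.

```python
import ipaddress
import re

# Constructed sample: Mail 2 from this thread, trimmed and with blank lines removed.
SAMPLE_ALERT = """\
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:54707
udp: 1.1.1.1:10692 -> 2.2.2.2:53
Files open by the process (if any):
/dev/null
/usr/bin/spamd
"""
CONN_RE = re.compile(r"^(tcp|udp): \S+:\d+ -> (\S+):(\d+)$", re.M)

def parse_alert(text):
    """Split an alert body into {header: [lines]}; a header is a line ending in ':'."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):
            current = line.split(" (")[0].rstrip(":")
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections

def triage(text, resolvers, exe="/usr/bin/perl", script="/usr/bin/spamd"):
    """Return reasons not to whitelist the process; an empty list means it looks like spamd."""
    s = parse_alert(text)
    findings = []
    if s.get("Executable") != [exe]:
        findings.append("unexpected executable")
    if script not in s.get("Files open by the process", []):
        findings.append("spamd script not among open files")
    conns = "\n".join(s.get("Network connections by the process", []))
    for proto, dst, dport in CONN_RE.findall(conns):
        ip = ipaddress.ip_address(dst)
        if ip.is_loopback or ip.is_unspecified:
            continue  # local listener or local client
        if proto == "udp" and dport == "53" and dst in resolvers:
            continue  # DNS query to a known resolver (assumed list)
        findings.append(f"unexplained connection to {dst}:{dport}/{proto}")
    return findings
```

csf.pignore takes `exe:`, `cmd:` and `user:` entries: `exe:/usr/bin/perl` would exempt every Perl process on the server, while `cmd:spamd child` is narrower but matches a string the alert itself flags as fakeable.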
