The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Core files filling /usr

Discussion in 'General Discussion' started by jdhf99, Jul 16, 2008.

  1. jdhf99

    jdhf99 Well-Known Member

    Joined:
    Mar 16, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Two servers of mine that I have upgraded to the latest stable build yesterday now produce core files constantly in the /usr/local/cpanel/whostmgr/docroot folder until my /usr partition is full.

    Something with the upgrade caused this as I have not had a problem with it previous and it's only on the 2 servers I upgraded last night. How can I find out what is wrong?

    Thanks.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,449
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. jdhf99

    jdhf99 Well-Known Member

    Joined:
    Mar 16, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    I did search, this has nothing to do with PHP files.

    I'm pretty sure it has to do with named\bind but I don't understand what the cPanel update would have done to cause this. It is definitely from that as I updated on just 2 of my 8 servers and those 2 immediately started seeing the same issue.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,449
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You might put in a trouble ticket with cPanel via your WHM then. If there is a problem I'm sure they'd like to know about and to fix.
     
  5. h4f

    h4f Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    I have the same issue after deleting those core.* files in /usr/local/cpanel/whostmgr/docroot/ no accounts are listed any more.....

    Today I just received this this email:

    IMPORTANT: Do not ignore this email.
    This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D).
    The offending files have been removed and replaced with the OS default.
    To be safe you should verify that your system has not been compromised.

    Modified Files:
    S.?..... /bin/netstat
    S.?..... /sbin/arp
    S.?..... /sbin/ether-wake
    S.?..... /sbin/ifconfig
    S.?..... /sbin/ipmaddr
    S.?..... /sbin/iptunnel
    S.?..... /sbin/mii-diag
    S.?..... /sbin/mii-tool
    S.?..... /sbin/nameif
    S.?..... /sbin/netplugd
    S.?..... /sbin/route
    S.?..... /sbin/slattach

    0 day Worm outthere ?
     
  6. mattmattt

    mattmattt Member

    Joined:
    Aug 25, 2004
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I cannot imagine a linux distro maintainer every using the l33t sp34k word
    (OwN3D) in a very very serious email.

    A way to determine if the files are backdoored in some way would be
    to go find the confirmed good package online and md5sum each binary
    against a known good package.

    Sometimes md5sums of rpms are not updated and this results. Rarely
    but it does happen in the nix world.
     
  7. jdhf99

    jdhf99 Well-Known Member

    Joined:
    Mar 16, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Just wanted to update this. I ended up getting a ticket open through my DC with cPanel. They confirmed it as a bug with the stable branch and they are fixing it in build 26203.
     
  8. h4f

    h4f Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    When is it going to be released?

    Because deleting the core dumps + renaming the dnsadmin-ssl to dnsadmin-old, and download the Beta dnsadmin-ssl binary from
    http://httpupdate.cpanel.net/cpanelsync/
    under BETA/whostmgr/bin/dnsadmin-ssl.

    Is not a solution. I wonder why this issue exist in the stable version, there is a reason that we are using that version.....
     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The core dumps are caused by an obscure threading bug in dnsadmin-ssl and will be resolved in all branches. The bug is not limited to the Stable branch.
     
  10. VeZoZ

    VeZoZ Well-Known Member

    Joined:
    Dec 14, 2002
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Any ETA on this being pushed out to all branches?
     
  11. jdhf99

    jdhf99 Well-Known Member

    Joined:
    Mar 16, 2004
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    I'm just updating this thread for other people searching and for history. I opened a ticket with cPanel the other day and they made some temporary changes until this fix is out. These changes messed up named on my server so now it is putting zones outside the view statements plus not adding\removing entries in named.conf when it is adding\removing the actual .db file for the zones.

    I've asked my DataCenter to update the cPanel ticket with this info, I hope they come out with a fix soon as this is causing me some huge headaches.
     
  12. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    No ETA. You can disable the use of the dnsadmin-ssl via Tweak Settings until this matter is resolved. Be aware though that means the DNS synchronization will not have the protection of SSL if dnsadmin-ssl is disabled.
     
  13. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    I can't figure out which Tweak Setting has to do with dnsadmin-ssl.
     
  14. methos

    methos Member

    Joined:
    Sep 25, 2007
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    I have just started getting these core dumps on all of our servers - looking at one of the core dumps it appears to reference cpsrvd-ssl ...

    i can't delete the core dumps as fast as they are created again .... is there a way to disable cpsrvd - ssl and what would be the consequences of doing so ...?

    also, when can we expect a fix for this in the release branch? this is a huge problem for us .....
     
  15. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    For the record, the "OwN3D" comes from a cPanel script that checks for hacks, not from the Linux distro. If you ask me the use of that word only exacerbates the panic that you've been hacked when you receive an email alerting you to the possibility. That script probably could use some updated wording.
     
  16. BigLebowski

    BigLebowski Well-Known Member

    Joined:
    Dec 24, 2007
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    core.***** files in /usr/local/cpanel/base

    hi there

    I'm running on a box pushed for space in /usr

    There are over 200MB of core files dated March 4th in /usr/local/cpanel/base. Can I safely delete or use /usr/local/cpanel/bin/corecleanup?

    Thanks
    Dude
     
  17. SpringChicken

    SpringChicken Member

    Joined:
    Dec 16, 2003
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Have disabled dnsadmin in tweaksettings but processes continue.

    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    20963 root 25 0 15596 10m 5884 R 93 0.5 7:49.09 dnsadmin-ssl
    21861 root 25 0 15772 11m 5924 R 90 0.6 5:09.33 dnsadmin-ssl
    20849 root 25 0 15604 11m 5936 R 80 0.5 8:09.78 dnsadmin-ssl
    20660 root 25 0 15776 11m 5916 R 57 0.6 6:57.44 dnsadmin-ssl
    17943 root 25 0 15772 11m 5880 R 48 0.5 10:47.31 dnsadmin-ssl

    just want to know how to kill these processes
     
  18. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    killall -9 dnsadmin-ssl
     
  19. Michael-MS

    Michael-MS Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    144
    Likes Received:
    0
    Trophy Points:
    16
    Is there a solution for this problem yet? I am having the same issue on one server. Core files are building up and dnsadmin-ssl processes are crashing the server with too much load.

    Michael
     
  20. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    If:

    1. This is happening on a non-DNSOnly server; and
    2. You are already running 11.23.4-STABLE-26138 on all non-DNSOnly cPanel servers; and
    3. Are comfortable upgrading your servers to CURRENT; then
    4. Upgrade all servers to 11.23.6-CURRENT-27087

    We identified another scenario that could cause such behavior and fixed it in CURRENT and EDGE builds 27007 and higher.
     
Loading...

Share This Page