Core files filling /usr

[jdhf99]

Two servers of mine that I have upgraded to the latest stable build yesterday now produce core files constantly in the /usr/local/cpanel/whostmgr/docroot folder until my /usr partition is full.

Something with the upgrade caused this as I have not had a problem with it previous and it's only on the 2 servers I upgraded last night. How can I find out what is wrong?

Thanks.

 

[Infopro]

You might have searched the forums for the word core, at least.

Two examples with answers for you I think.

http://forums.cpanel.net/showthread.php?t=67600&highlight=Core+files

http://forums.cpanel.net/showthread.php?t=73189&highlight=Core+files

 

[jdhf99]

I did search, this has nothing to do with PHP files.

I'm pretty sure it has to do with named\bind but I don't understand what the cPanel update would have done to cause this. It is definitely from that as I updated on just 2 of my 8 servers and those 2 immediately started seeing the same issue.

 

[Infopro]

You might put in a trouble ticket with cPanel via your WHM then. If there is a problem I'm sure they'd like to know about and to fix.

 

[h4f]

I did search, this has nothing to do with PHP files.

I'm pretty sure it has to do with named\bind but I don't understand what the cPanel update would have done to cause this. It is definitely from that as I updated on just 2 of my 8 servers and those 2 immediately started seeing the same issue.

I have the same issue after deleting those core.* files in /usr/local/cpanel/whostmgr/docroot/ no accounts are listed any more.....

Today I just received this this email:

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D).
The offending files have been removed and replaced with the OS default.
To be safe you should verify that your system has not been compromised.

Modified Files:
S.?..... /bin/netstat
S.?..... /sbin/arp
S.?..... /sbin/ether-wake
S.?..... /sbin/ifconfig
S.?..... /sbin/ipmaddr
S.?..... /sbin/iptunnel
S.?..... /sbin/mii-diag
S.?..... /sbin/mii-tool
S.?..... /sbin/nameif
S.?..... /sbin/netplugd
S.?..... /sbin/route
S.?..... /sbin/slattach

0 day Worm outthere ?

 

[mattmattt]

I have the same issue after deleting those core.* files in /usr/local/cpanel/whostmgr/docroot/ no accounts are listed any more.....

Today I just received this this email:

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D).
The offending files have been removed and replaced with the OS default.
To be safe you should verify that your system has not been compromised.

Modified Files:
S.?..... /bin/netstat
S.?..... /sbin/arp
S.?..... /sbin/ether-wake
S.?..... /sbin/ifconfig
S.?..... /sbin/ipmaddr
S.?..... /sbin/iptunnel
S.?..... /sbin/mii-diag
S.?..... /sbin/mii-tool
S.?..... /sbin/nameif
S.?..... /sbin/netplugd
S.?..... /sbin/route
S.?..... /sbin/slattach

0 day Worm outthere ?

I cannot imagine a linux distro maintainer every using the l33t sp34k word
(OwN3D) in a very very serious email.

A way to determine if the files are backdoored in some way would be
to go find the confirmed good package online and md5sum each binary
against a known good package.

Sometimes md5sums of rpms are not updated and this results. Rarely
but it does happen in the nix world.

 

[jdhf99]

Just wanted to update this. I ended up getting a ticket open through my DC with cPanel. They confirmed it as a bug with the stable branch and they are fixing it in build 26203.

 

[h4f]

Just wanted to update this. I ended up getting a ticket open through my DC with cPanel. They confirmed it as a bug with the stable branch and they are fixing it in build 26203.

When is it going to be released?

Because deleting the core dumps + renaming the dnsadmin-ssl to dnsadmin-old, and download the Beta dnsadmin-ssl binary from
http://httpupdate.cpanel.net/cpanelsync/
under BETA/whostmgr/bin/dnsadmin-ssl.

Is not a solution. I wonder why this issue exist in the stable version, there is a reason that we are using that version.....

 

[cPanelKenneth]

The core dumps are caused by an obscure threading bug in dnsadmin-ssl and will be resolved in all branches. The bug is not limited to the Stable branch.

 

[VeZoZ]

Any ETA on this being pushed out to all branches?

 

[jdhf99]

I'm just updating this thread for other people searching and for history. I opened a ticket with cPanel the other day and they made some temporary changes until this fix is out. These changes messed up named on my server so now it is putting zones outside the view statements plus not adding\removing entries in named.conf when it is adding\removing the actual .db file for the zones.

I've asked my DataCenter to update the cPanel ticket with this info, I hope they come out with a fix soon as this is causing me some huge headaches.

 

[cPanelKenneth]

Any ETA on this being pushed out to all branches?

No ETA. You can disable the use of the dnsadmin-ssl via Tweak Settings until this matter is resolved. Be aware though that means the DNS synchronization will not have the protection of SSL if dnsadmin-ssl is disabled.

 

[payne]

I can't figure out which Tweak Setting has to do with dnsadmin-ssl.

 

[methos]

I have just started getting these core dumps on all of our servers - looking at one of the core dumps it appears to reference cpsrvd-ssl ...

i can't delete the core dumps as fast as they are created again .... is there a way to disable cpsrvd - ssl and what would be the consequences of doing so ...?

also, when can we expect a fix for this in the release branch? this is a huge problem for us .....

 

[mctDarren]

I cannot imagine a linux distro maintainer ever using the l33t sp34k word (OwN3D) in a very very serious email.

For the record, the "OwN3D" comes from a cPanel script that checks for hacks, not from the Linux distro. If you ask me the use of that word only exacerbates the panic that you've been hacked when you receive an email alerting you to the possibility. That script probably could use some updated wording.

 

[BigLebowski]

core.***** files in /usr/local/cpanel/base

hi there

I'm running on a box pushed for space in /usr

There are over 200MB of core files dated March 4th in /usr/local/cpanel/base. Can I safely delete or use /usr/local/cpanel/bin/corecleanup?

Thanks
Dude

 

[SpringChicken]

Have disabled dnsadmin in tweaksettings but processes continue.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20963 root 25 0 15596 10m 5884 R 93 0.5 7:49.09 dnsadmin-ssl
21861 root 25 0 15772 11m 5924 R 90 0.6 5:09.33 dnsadmin-ssl
20849 root 25 0 15604 11m 5936 R 80 0.5 8:09.78 dnsadmin-ssl
20660 root 25 0 15776 11m 5916 R 57 0.6 6:57.44 dnsadmin-ssl
17943 root 25 0 15772 11m 5880 R 48 0.5 10:47.31 dnsadmin-ssl

just want to know how to kill these processes

 

[nickp666]

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20963 root 25 0 15596 10m 5884 R 93 0.5 7:49.09 dnsadmin-ssl
21861 root 25 0 15772 11m 5924 R 90 0.6 5:09.33 dnsadmin-ssl
20849 root 25 0 15604 11m 5936 R 80 0.5 8:09.78 dnsadmin-ssl
20660 root 25 0 15776 11m 5916 R 57 0.6 6:57.44 dnsadmin-ssl
17943 root 25 0 15772 11m 5880 R 48 0.5 10:47.31 dnsadmin-ssl

just want to know how to kill these processes

killall -9 dnsadmin-ssl

 

[Michael-MS]

Is there a solution for this problem yet? I am having the same issue on one server. Core files are building up and dnsadmin-ssl processes are crashing the server with too much load.

Michael

 

[cPanelKenneth]

Is there a solution for this problem yet? I am having the same issue on one server. Core files are building up and dnsadmin-ssl processes are crashing the server with too much load.

Michael

If:

1. This is happening on a non-DNSOnly server; and
2. You are already running 11.23.4-STABLE-26138 on all non-DNSOnly cPanel servers; and
3. Are comfortable upgrading your servers to CURRENT; then
4. Upgrade all servers to 11.23.6-CURRENT-27087

We identified another scenario that could cause such behavior and fixed it in CURRENT and EDGE builds 27007 and higher.