jdhf99

Well-Known Member
Mar 16, 2004
54
0
156
Two servers of mine that I have upgraded to the latest stable build yesterday now produce core files constantly in the /usr/local/cpanel/whostmgr/docroot folder until my /usr partition is full.

Something with the upgrade caused this as I have not had a problem with it previous and it's only on the 2 servers I upgraded last night. How can I find out what is wrong?

Thanks.
 

jdhf99

Well-Known Member
Mar 16, 2004
54
0
156
I did search, this has nothing to do with PHP files.

I'm pretty sure it has to do with named\bind but I don't understand what the cPanel update would have done to cause this. It is definitely from that as I updated on just 2 of my 8 servers and those 2 immediately started seeing the same issue.
 

h4f

Well-Known Member
Jun 5, 2007
67
1
156
I did search, this has nothing to do with PHP files.

I'm pretty sure it has to do with named\bind but I don't understand what the cPanel update would have done to cause this. It is definitely from that as I updated on just 2 of my 8 servers and those 2 immediately started seeing the same issue.
I have the same issue after deleting those core.* files in /usr/local/cpanel/whostmgr/docroot/ no accounts are listed any more.....

Today I just received this this email:

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D).
The offending files have been removed and replaced with the OS default.
To be safe you should verify that your system has not been compromised.

Modified Files:
S.?..... /bin/netstat
S.?..... /sbin/arp
S.?..... /sbin/ether-wake
S.?..... /sbin/ifconfig
S.?..... /sbin/ipmaddr
S.?..... /sbin/iptunnel
S.?..... /sbin/mii-diag
S.?..... /sbin/mii-tool
S.?..... /sbin/nameif
S.?..... /sbin/netplugd
S.?..... /sbin/route
S.?..... /sbin/slattach

0 day Worm outthere ?
 

mattmattt

Member
Aug 25, 2004
9
0
151
I have the same issue after deleting those core.* files in /usr/local/cpanel/whostmgr/docroot/ no accounts are listed any more.....

Today I just received this this email:

IMPORTANT: Do not ignore this email.
This message is to inform you that the rpm package net-tools did not match the expected checksum. This could mean that your system was compromised (OwN3D).
The offending files have been removed and replaced with the OS default.
To be safe you should verify that your system has not been compromised.

Modified Files:
S.?..... /bin/netstat
S.?..... /sbin/arp
S.?..... /sbin/ether-wake
S.?..... /sbin/ifconfig
S.?..... /sbin/ipmaddr
S.?..... /sbin/iptunnel
S.?..... /sbin/mii-diag
S.?..... /sbin/mii-tool
S.?..... /sbin/nameif
S.?..... /sbin/netplugd
S.?..... /sbin/route
S.?..... /sbin/slattach

0 day Worm outthere ?
I cannot imagine a linux distro maintainer every using the l33t sp34k word
(OwN3D) in a very very serious email.

A way to determine if the files are backdoored in some way would be
to go find the confirmed good package online and md5sum each binary
against a known good package.

Sometimes md5sums of rpms are not updated and this results. Rarely
but it does happen in the nix world.
 

jdhf99

Well-Known Member
Mar 16, 2004
54
0
156
Just wanted to update this. I ended up getting a ticket open through my DC with cPanel. They confirmed it as a bug with the stable branch and they are fixing it in build 26203.
 

h4f

Well-Known Member
Jun 5, 2007
67
1
156
Just wanted to update this. I ended up getting a ticket open through my DC with cPanel. They confirmed it as a bug with the stable branch and they are fixing it in build 26203.
When is it going to be released?

Because deleting the core dumps + renaming the dnsadmin-ssl to dnsadmin-old, and download the Beta dnsadmin-ssl binary from
http://httpupdate.cpanel.net/cpanelsync/
under BETA/whostmgr/bin/dnsadmin-ssl.

Is not a solution. I wonder why this issue exist in the stable version, there is a reason that we are using that version.....
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
The core dumps are caused by an obscure threading bug in dnsadmin-ssl and will be resolved in all branches. The bug is not limited to the Stable branch.
 

jdhf99

Well-Known Member
Mar 16, 2004
54
0
156
I'm just updating this thread for other people searching and for history. I opened a ticket with cPanel the other day and they made some temporary changes until this fix is out. These changes messed up named on my server so now it is putting zones outside the view statements plus not adding\removing entries in named.conf when it is adding\removing the actual .db file for the zones.

I've asked my DataCenter to update the cPanel ticket with this info, I hope they come out with a fix soon as this is causing me some huge headaches.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
Any ETA on this being pushed out to all branches?
No ETA. You can disable the use of the dnsadmin-ssl via Tweak Settings until this matter is resolved. Be aware though that means the DNS synchronization will not have the protection of SSL if dnsadmin-ssl is disabled.
 

methos

Member
Sep 25, 2007
20
0
51
I have just started getting these core dumps on all of our servers - looking at one of the core dumps it appears to reference cpsrvd-ssl ...

i can't delete the core dumps as fast as they are created again .... is there a way to disable cpsrvd - ssl and what would be the consequences of doing so ...?

also, when can we expect a fix for this in the release branch? this is a huge problem for us .....
 

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
I cannot imagine a linux distro maintainer ever using the l33t sp34k word (OwN3D) in a very very serious email.
For the record, the "OwN3D" comes from a cPanel script that checks for hacks, not from the Linux distro. If you ask me the use of that word only exacerbates the panic that you've been hacked when you receive an email alerting you to the possibility. That script probably could use some updated wording.
 

BigLebowski

Well-Known Member
Dec 24, 2007
75
0
56
core.***** files in /usr/local/cpanel/base

hi there

I'm running on a box pushed for space in /usr

There are over 200MB of core files dated March 4th in /usr/local/cpanel/base. Can I safely delete or use /usr/local/cpanel/bin/corecleanup?

Thanks
Dude
 

SpringChicken

Member
Dec 16, 2003
18
0
151
Have disabled dnsadmin in tweaksettings but processes continue.

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20963 root 25 0 15596 10m 5884 R 93 0.5 7:49.09 dnsadmin-ssl
21861 root 25 0 15772 11m 5924 R 90 0.6 5:09.33 dnsadmin-ssl
20849 root 25 0 15604 11m 5936 R 80 0.5 8:09.78 dnsadmin-ssl
20660 root 25 0 15776 11m 5916 R 57 0.6 6:57.44 dnsadmin-ssl
17943 root 25 0 15772 11m 5880 R 48 0.5 10:47.31 dnsadmin-ssl

just want to know how to kill these processes
 

nickp666

Well-Known Member
Jan 28, 2005
769
2
168
/dev/null
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
20963 root 25 0 15596 10m 5884 R 93 0.5 7:49.09 dnsadmin-ssl
21861 root 25 0 15772 11m 5924 R 90 0.6 5:09.33 dnsadmin-ssl
20849 root 25 0 15604 11m 5936 R 80 0.5 8:09.78 dnsadmin-ssl
20660 root 25 0 15776 11m 5916 R 57 0.6 6:57.44 dnsadmin-ssl
17943 root 25 0 15772 11m 5880 R 48 0.5 10:47.31 dnsadmin-ssl

just want to know how to kill these processes
killall -9 dnsadmin-ssl
 

Michael-MS

Well-Known Member
Apr 16, 2003
144
0
166
Is there a solution for this problem yet? I am having the same issue on one server. Core files are building up and dnsadmin-ssl processes are crashing the server with too much load.

Michael
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
Is there a solution for this problem yet? I am having the same issue on one server. Core files are building up and dnsadmin-ssl processes are crashing the server with too much load.

Michael
If:

1. This is happening on a non-DNSOnly server; and
2. You are already running 11.23.4-STABLE-26138 on all non-DNSOnly cPanel servers; and
3. Are comfortable upgrading your servers to CURRENT; then
4. Upgrade all servers to 11.23.6-CURRENT-27087

We identified another scenario that could cause such behavior and fixed it in CURRENT and EDGE builds 27007 and higher.