SOLVED CPANEL-40720 - Continuous mails about deleted freshclam.

[rhm.geerts]

Today I got repeated mails from CSF about Freshclam:

Time:    Thu May 26 20:24:47 2022 +0200
PID:     9680 (Parent PID:9679)
Account: clamav
Uptime:  575270 seconds


Executable:

/usr/local/cpanel/3rdparty/bin/freshclam;628eddb4 (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

And they keep coming.

This is odd, because freshclam was already present in the csf.pignore file.

I added two lines with a asterisk so now it looks like this:

exe:/usr/local/cpanel/3rdparty/bin/freshclam
pexe:/usr/local/cpanel/3rdparty/bin/freshclam*
pcmd:/usr/local/cpanel/3rdparty/bin/freshclam*

and again restarted csf and LFD but still I got another mail as you can see above.

Normally csf.pignore is working, but I don't understand as to why since today, this is happening. Normally restarting CSF/LFD should be enough.

Anybody else experiencing this or has a clue on how to fix this without disabling the pt_deleted option of CSF?

P.s. Why is the WHM version not directly visible anymore now when logging in to WH? I really don't like that new interface.
In the tab it says 102.0.17 and with the root command it says 11.102.0. So what's the 102.0.17 in the browser tab for then?

 

[cPRex]

Hey there! Can you let me know what you mean by "the root command" in regards to the cPanel version?

As far as the clamd issues, the only thing I can recommend on my end would be to restart the service with the "/scripts/restartsrv_clamd" command. If the issues are still happening after that, you'd want to bring up this issue to CSF directly at Technical Support

 

[rhm.geerts]

Hey there! Can you let me know what you mean by "the root command" in regards to the cPanel version?

Ofcourse, it's linked to when you create a new thread in the "more info", it says "how to find your cpanel version" and it's this command:

/usr/local/cpanel/bin/whmapi1 installed_versions packages=0 |egrep 'operating_system_name|operating_system_version|cpanel_and_whm'

I liked it a lot more how it was dispalyed in the previous layout, much more clear and obvious.

Ahh... it's the clamd service. Indeed that's an option. I'll restart that and then see if the issue dissappears.

 

[cPRex]

Thanks for that information - I do see the API call isn't showing the entire cPanel version so I've created case CPANEL-40720 with our developers so they can look into that. I'll be sure to post an update here once I have more details.

 

[rhm.geerts]

Thank you. Seens the clamd restart did not work, got another mail and now this one too:

Time: Thu May 26 22:24:57 2022 +0200
PID: 9680 (Parent PID:9679)
Account: clamav
Uptime: 582480 seconds <---- does not correspond with the "/scripts/restartsrv_clamd" command I did, right?

So it seems freshclam did not restart, which could also explain the CSF/LFD issue:

clamav    9680  0.0  0.1 248076 52436 ?        Ss   May20   0:22  |   \_ /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
clamav   23734  0.0  0.0 201512  6072 ?        Ss   04:37   0:02      \_ /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

May 20?

 

[cPRex]

You could always kill that old process and restart again. Killing a freshclam won't hurt anything.

 

[rhm.geerts]

I have to reboot in a couple of hours anyway so probably that will fix things anyway.

Thank you cPRex!

 

[cPRex]

Update - this is scheduled to be resolved in version 106 when that is released to the public.

 

[cPRex]

Update - case CPANEL-40720 is also going to be applied to 104.0.7 when that is released.

 

[cPRex]

Update - the whmapi command fix has been backported to 102, so this is also resolved in version 102.0.20 once that is released.