In Progress CPANEL-40720 - Continuous mails about deleted freshclam.

Operating System & Version
Centos 7.9.2009
cPanel & WHM Version
11.102.0

rhm.geerts

Well-Known Member
Jul 29, 2008
165
19
68
Maastricht
cPanel Access Level
Root Administrator
Today I got repeated mails from CSF about Freshclam:

Code:
Time:    Thu May 26 20:24:47 2022 +0200
PID:     9680 (Parent PID:9679)
Account: clamav
Uptime:  575270 seconds


Executable:

/usr/local/cpanel/3rdparty/bin/freshclam;628eddb4 (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
And they keep coming.

This is odd, because freshclam was already present in the csf.pignore file.

I added two lines with an asterisk so now it looks like this:
Code:
exe:/usr/local/cpanel/3rdparty/bin/freshclam
pexe:/usr/local/cpanel/3rdparty/bin/freshclam*
pcmd:/usr/local/cpanel/3rdparty/bin/freshclam*
and again restarted CSF and LFD, but I still got another mail, as you can see above.

Normally csf.pignore works, but I don't understand why, since today, this is happening. Normally restarting CSF/LFD should be enough.

Anybody else experiencing this or has a clue on how to fix this without disabling the pt_deleted option of CSF?

P.s. Why is the WHM version not directly visible anymore now when logging in to WHM? I really don't like that new interface.
In the tab it says 102.0.17 and with the root command it says 11.102.0. So what's the 102.0.17 in the browser tab for then?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,432
1,635
363
cPanel Access Level
Root Administrator
Hey there! Can you let me know what you mean by "the root command" in regards to the cPanel version?

As far as the clamd issues, the only thing I can recommend on my end would be to restart the service with the "/scripts/restartsrv_clamd" command. If the issues are still happening after that, you'd want to bring up this issue to CSF directly at Technical Support
 

rhm.geerts
cPRex said:
Hey there! Can you let me know what you mean by "the root command" in regards to the cPanel version?
Of course, it's linked to when you create a new thread in the "more info", it says "how to find your cpanel version" and it's this command:
Code:
/usr/local/cpanel/bin/whmapi1 installed_versions packages=0 |egrep 'operating_system_name|operating_system_version|cpanel_and_whm'
I liked it a lot more how it was displayed in the previous layout, much more clear and obvious.

Ahh... it's the clamd service. Indeed that's an option. I'll restart that and then see if the issue disappears.
 

rhm.geerts
Thank you. Seems the clamd restart did not work, got another mail and now this one too:

Code:
Time: Thu May 26 22:24:57 2022 +0200
PID: 9680 (Parent PID:9679)
Account: clamav
Uptime: 582480 seconds <---- does not correspond with the "/scripts/restartsrv_clamd" command I did, right?

So it seems freshclam did not restart, which could also explain the CSF/LFD issue:

Code:
clamav    9680  0.0  0.1 248076 52436 ?        Ss   May20   0:22  |   \_ /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
clamav   23734  0.0  0.0 201512  6072 ?        Ss   04:37   0:02      \_ /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
May 20?
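Added example (not code from the thread, CSF, or cPanel): a small Python model of what an lfd-style "process running a deleted executable" check does, applied to the csf.pignore lines from the first post and to the two freshclam processes from the ps output above. The process records are constructed from the thread, and the rule semantics are an assumption taken from the csf.pignore documentation (exe:, cmd:, user: exact match; pexe:, pcmd:, puser: Perl-style regex searched against the value); the real lfd code is not reproduced here. The live-scan helper reads /proc directly and is only meaningful on Linux as root.

```python
import os
import re
from dataclasses import dataclass

# Marker the kernel appends to /proc/<pid>/exe when the backing file was unlinked or replaced.
DELETED_SUFFIX = " (deleted)"


@dataclass
class Proc:
    """One process as a pignore check sees it: owner, readlink(/proc/PID/exe) and command line."""
    pid: int
    user: str
    exe: str
    cmdline: str


def parse_pignore(text):
    """Parse csf.pignore lines into (kind, value) pairs; comments and blank lines are skipped.
    Assumed semantics (from the csf.pignore documentation): exe:/cmd:/user: are exact
    matches, pexe:/pcmd:/puser: are regexes searched (unanchored) against the value."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        kind = kind.strip()
        if kind not in {"exe", "pexe", "cmd", "pcmd", "user", "puser"}:
            raise ValueError(f"unknown csf.pignore rule: {line}")
        rules.append((kind, value.strip()))
    return rules


def is_deleted_exe(proc):
    """True when the executable backing the process has been unlinked or replaced."""
    return proc.exe.endswith(DELETED_SUFFIX)


def exe_path(proc):
    """Executable path with the kernel's ' (deleted)' marker removed."""
    return proc.exe[:-len(DELETED_SUFFIX)] if is_deleted_exe(proc) else proc.exe


def rule_matches(rule, proc):
    kind, value = rule
    if kind == "exe":
        return exe_path(proc) == value
    if kind == "pexe":
        return re.search(value, exe_path(proc)) is not None
    if kind == "cmd":
        return proc.cmdline == value
    if kind == "pcmd":
        return re.search(value, proc.cmdline) is not None
    if kind == "user":
        return proc.user == value
    return re.search(value, proc.user) is not None  # puser


def is_ignored(proc, rules):
    return any(rule_matches(r, proc) for r in rules)


def deleted_exe_alerts(procs, rules):
    """Processes that would trigger a PT_DELETED-style alert: deleted exe and not ignored."""
    return [p for p in procs if is_deleted_exe(p) and not is_ignored(p, rules)]


def scan_live_procs():
    """Collect real processes from /proc (Linux only; root is needed to read other users' exe links)."""
    import pwd  # POSIX-only module, imported here so the rest of the file loads anywhere
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
            user = pwd.getpwuid(os.stat(f"/proc/{pid}").st_uid).pw_name
        except (OSError, KeyError):
            continue  # kernel threads, processes that exited mid-scan, or no permission
        procs.append(Proc(pid, user, exe, cmdline))
    return procs


# Constructed sample mirroring the thread: the stale freshclam (PID 9680, running since May 20)
# has an exe link carrying a ';<hex>' suffix plus ' (deleted)'; PID 23734 is the freshly started one.
SAMPLE_PROCS = [
    Proc(9680, "clamav", "/usr/local/cpanel/3rdparty/bin/freshclam;628eddb4 (deleted)",
         "/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings"),
    Proc(23734, "clamav", "/usr/local/cpanel/3rdparty/bin/freshclam",
         "/usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings"),
]

# The original single exe: line, and the pexe: line the poster added afterwards.
EXACT_ONLY = "exe:/usr/local/cpanel/3rdparty/bin/freshclam\n"
WITH_REGEX = EXACT_ONLY + "pexe:/usr/local/cpanel/3rdparty/bin/freshclam*\n"


if __name__ == "__main__":
    for label, text in (("exact exe: rule only", EXACT_ONLY), ("plus pexe: regex", WITH_REGEX)):
        hits = deleted_exe_alerts(SAMPLE_PROCS, parse_pignore(text))
        print(f"{label}: would alert on PIDs {[p.pid for p in hits]}")
```

Under these assumed semantics the exact exe: rule cannot cover the stale process, because the path it compares against is the replaced file name with its ";628eddb4" suffix, not the clean path. The regex form does match, though note that in a regex `freshclam*` means "freshcla" followed by zero or more "m"; it only works here because the search is unanchored, and `freshclam.*` or `^/usr/local/cpanel/3rdparty/bin/freshclam` states the intent. The real fix is the one the thread arrives at: the May 20 process was never actually restarted, and only ending it makes the alert go away.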