cPanel process trying to contact digital ocean server every hour?

Operating System & Version
CENTOS 6.10
cPanel & WHM Version
v86.0.18

tss

Member
Aug 22, 2011
13
3
53
I'm logging failures in messages.log:

Apr 19 03:40:01 * kernel: [8037514.324554] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64659 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:02 * kernel: [8037515.324066] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64660 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:06 * kernel: [8037519.351180] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35930 DF PROTO=TCP SPT=40152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:07 * kernel: [8037520.351071] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35931 DF PROTO=TCP SPT=40152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513

Apr 19 15:40:02 * kernel: [8080715.174015] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16265 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:03 * kernel: [8080716.176061] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16266 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:07 * kernel: [8080720.395095] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64397 DF PROTO=TCP SPT=47660 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:08 * kernel: [8080721.395103] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64398 DF PROTO=TCP SPT=47660 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513

UID 502 = cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell

Looks like a cron job calling that IP, but it's not listed in .HttpRequest:

NetRange: 67.207.64.0 - 67.207.95.255
CIDR: 67.207.64.0/19
NetName: DIGITALOCEAN-67-207-64-0

I have that netrange blocked because of repeated intrusion attempts from many, many different IPs on that range of Digital Ocean.
Anyone have any idea what this might be? Legitimate or not?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,257
313
Houston
Hello,

I"m unsure why your server would be attempting to reach that IP address. It's not something associated with cPanel but it is clearly attempting to connect over port 443 "DPT=443"

What's the GID 513 associated with? cPanel's UID and GID are usually the same.

Any groups the cpanel user belongs to you should be able to get with:
Code:
id cpanel
 

tss

Member
Aug 22, 2011
13
3
53
Lauren:

Thanks for letting me know it wasn't cPanel. Love the fact that UID's aren't unique. Tums out that another user has the same UID - 502 (but a different GID, of course). It took hours of digging to find it was an RSS aggregator from a web site being updated hourly - or not being updated in this case. The crazy part was that while watching htop at the appointed time, that /var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell process showed up. I guess the php process handling the RSS feed wouldn't show up as anything other than an httpd or mysqld process, where the user that calls the process is hidden in that htop display. I can't see the entire command anyway; if it was there it was off the screen.
 
Last edited:
  • Like
Reactions: cPanelLauren

LucasRolff

Well-Known Member
Community Guide Contributor
May 27, 2013
141
85
78
cPanel Access Level
Root Administrator
Thanks for letting me know it wasn't cPanel. Love the fact that UID's aren't unique. Tums out that another user has the same UID - 502 (but a different GID, of course).
No, you're simply reading it wrong, there's no users in the system that has same UID.

Look at your output again:
tss said:
UID 502 = cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell
cpanel user has UID 32001 and GID 502.

Let's break down your line:

Code:
cpanel # username
x # indicates password is stored in /etc/shadow
32001 # UID
502 # GID
EMPTY # user ID Info
/var/cpanel/userhomes/cpanel # Homedir
/usr/local/cpanel/bin/noshell # command/shell
 

tss

Member
Aug 22, 2011
13
3
53
Thanks. As I've already mentioned above, I did figure out what was going on. Yes, originally I did confuse cPanel's GID (502) with the another user's UID (502). Part of that issue was not being able to see the complete command happening in htop. However, I also discovered that there's no guarantee that multiple users can't have the same UID - in fact they can and in certain situations do. Lots of discussion of that on serverfault.

I did check cron, but the connection attempt wasn't made directly by a cron job but rather by a php function in a CMS. In any case, the issue is solved. Thanks again for your help.
 
  • Like
Reactions: cPanelLauren