cPanel process trying to contact digital ocean server every hour?

[tss]

I'm logging failures in messages.log:

Apr 19 03:40:01 * kernel: [8037514.324554] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64659 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:02 * kernel: [8037515.324066] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64660 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:06 * kernel: [8037519.351180] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35930 DF PROTO=TCP SPT=40152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:07 * kernel: [8037520.351071] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35931 DF PROTO=TCP SPT=40152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513

Apr 19 15:40:02 * kernel: [8080715.174015] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16265 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:03 * kernel: [8080716.176061] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16266 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:07 * kernel: [8080720.395095] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64397 DF PROTO=TCP SPT=47660 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:08 * kernel: [8080721.395103] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64398 DF PROTO=TCP SPT=47660 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513

UID 502 = cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell

Looks like a cron job calling that IP, but it's not listed in .HttpRequest:

NetRange: 67.207.64.0 - 67.207.95.255
CIDR: 67.207.64.0/19
NetName: DIGITALOCEAN-67-207-64-0

I have that netrange blocked because of repeated intrusion attempts from many, many different IPs on that range of Digital Ocean.
Anyone have any idea what this might be? Legitimate or not?

 

[cPanelLauren]

Hello,

I"m unsure why your server would be attempting to reach that IP address. It's not something associated with cPanel but it is clearly attempting to connect over port 443 "DPT=443"

What's the GID 513 associated with? cPanel's UID and GID are usually the same.

Any groups the cpanel user belongs to you should be able to get with:

id cpanel

 

[tss]

Lauren:

Thanks for letting me know it wasn't cPanel. Love the fact that UID's aren't unique. Tums out that another user has the same UID - 502 (but a different GID, of course). It took hours of digging to find it was an RSS aggregator from a web site being updated hourly - or not being updated in this case. The crazy part was that while watching htop at the appointed time, that /var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell process showed up. I guess the php process handling the RSS feed wouldn't show up as anything other than an httpd or mysqld process, where the user that calls the process is hidden in that htop display. I can't see the entire command anyway; if it was there it was off the screen.

 

[LucasRolff]

Thanks for letting me know it wasn't cPanel. Love the fact that UID's aren't unique. Tums out that another user has the same UID - 502 (but a different GID, of course).

No, you're simply reading it wrong, there's no users in the system that has same UID.

Look at your output again:

UID 502 = cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell

cpanel user has UID 32001 and GID 502.

Let's break down your line:

cpanel # username
x # indicates password is stored in /etc/shadow
32001 # UID
502 # GID
EMPTY # user ID Info
/var/cpanel/userhomes/cpanel # Homedir
/usr/local/cpanel/bin/noshell # command/shell

 

[cPanelLauren]

If you know the exact time this occurs what about the cron log? If you haven't checked that yet you might find it at /var/log/cron.log

 

[tss]

Thanks. As I've already mentioned above, I did figure out what was going on. Yes, originally I did confuse cPanel's GID (502) with the another user's UID (502). Part of that issue was not being able to see the complete command happening in htop. However, I also discovered that there's no guarantee that multiple users can't have the same UID - in fact they can and in certain situations do. Lots of discussion of that on serverfault.

I did check cron, but the connection attempt wasn't made directly by a cron job but rather by a php function in a CMS. In any case, the issue is solved. Thanks again for your help.

 

[cPanelLauren]

Ahh, that makes sense, I am sorry I missed the part where you'd indicated you'd found the solution. I'm glad to hear it and I'm glad the issue is resolved for you.