cpaneleximscanner

Discussion in 'Security' started by Paulo Prado, Jan 26, 2017.

  1. Paulo Prado

    Paulo Prado Member

    Joined:
    Dec 18, 2015
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Brasil - Sao Paulo
    cPanel Access Level:
    Reseller Owner
    Hi,

    I have a client account that was experiencing problems on a server. I took this account and transferred it to a VPS to analyze the behavior of the account. After that I started receiving alerts ... (see below)

    ----------------------------------
    Email subject:
    lfd on "my.domainxxxxxserver": Suspicious process running under user cpaneleximscanner


    Message email:
    ==========
    Time: Thu Jan 26 13:26:49 2017 -0200
    Account: cpaneleximscanner
    Resource: Virtual Memory Size
    Exceeded: 231 > 200 (MB)
    Executable: /usr/local/cpanel/3rdparty/perl/522/bin/perl
    Command Line: spamd child
    PID: 31303 (Parent PID:14540)
    Killed: No


    What could be happening?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's likely that's a false positive from your CSF/LFD application. "cpaneleximscanner" is a normal user on the system as part of SpamAssassin.

    Thank you.
     
  3. Paulo Prado

    Hi Michael, but how can I be sure it's a "false positive"? Because this account was giving trouble on the other server and it's giving trouble on this one too.

    Thank you.
     
  4. cPanelMichael

    Hello,

    You may want to review /var/log/exim_mainlog to see if the account is sending out SPAM and thus increasing the SpamAssassin CPU usage as it scans outgoing email for SPAM.

    Thank you.
     
  5. Paulo Prado

    Hi, Michael. Looks like they're trying to send spam. How to fix this problem? This happened after installing this account. Did it infect the entire server? See the /var/log/exim_mainlog below ...

    ================

    Displaying the last 30 lines of /var/log/exim_mainlog...

    [Removed - Please ensure real domain names and IP addresses are excluded from the log output]

    ...Done.
     
  6. cPanelMichael

    Paulo Prado likes this.
  7. Paulo Prado

    Michael, thanks for the help and the tutorial

    Thanks :D
     
  8. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,488
    Likes Received:
    60
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    If any account is involved in spamming activity, you can find the details in the exim_mainlog file, where you can search for relevant entries like public_html to display the activity, if any, from the accounts. This will also point you to the directory from where this activity is being performed, so you can look into the directory and check what is actually triggering this.
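
The log search suggested in the last post, as an added example that is not part of the original thread: it counts the working directories (`cwd=`) from which local processes handed mail to Exim, so a script directory under `public_html` that sends in bulk stands out. The sample log lines, user names and paths are constructed, and it assumes the log records `cwd=... N args:` lines (Exim's `arguments` log selector).

```shell
#!/bin/sh
# Added example: rank the directories from which local scripts submitted mail to Exim.
# Assumption: the main log contains "cwd=<dir> <N> args: ..." lines.

# Constructed sample entries (users, paths and message id are made up).
sample_log() {
cat <<'EOF'
2017-01-26 13:20:01 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-01-26 13:20:02 1cWlxA-0001ab-CD <= exampleuser@server.example.invalid U=exampleuser P=local S=1543
2017-01-26 13:20:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cWlxA-0001ab-CD
2017-01-26 13:20:05 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-01-26 13:20:09 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2017-01-26 13:21:00 cwd=/home/otheruser/public_html 5 args: /usr/sbin/sendmail -t -i -f otheruser@site.example.invalid
EOF
}

# top_cwd_dirs [LOGFILE|-] [MIN]
# Prints "<count> <directory>" for every cwd seen at least MIN times,
# busiest first. LOGFILE defaults to stdin ("-"), MIN defaults to 1.
top_cwd_dirs() {
  awk -v min="${2:-1}" '
    / cwd=/ && match($0, /cwd=.* [0-9]+ args:/) {
      # Take everything between "cwd=" and " <N> args:" so paths with spaces survive.
      dir = substr($0, RSTART + 4, RLENGTH - 4)
      sub(/ [0-9]+ args:$/, "", dir)
      # The queue runner works from the spool directory; it is not a sending script.
      if (dir ~ /^\/var\/spool\//) next
      count[dir]++
    }
    END {
      for (d in count)
        if (count[d] >= min) printf "%d %s\n", count[d], d
    }
  ' "${1:--}" | sort -k1,1nr -k2
}

# With a file argument, analyse that log; with none, run on the constructed sample.
if [ $# -gt 0 ]; then
  top_cwd_dirs "$@"
else
  sample_log | top_cwd_dirs -
fi
```

Run it as root against `/var/log/exim_mainlog`; a directory with a count far above the rest is the place to look for the script generating the mail.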
     
