Aug 12, 2009
I'm running CSF + LFD and I've been getting the following message since around the 24 of October (see below).

I've gone through and checked the cPanel update logs (sent via email) however don't see any updates that have come through for the cpanellogd service.

Should I be concerned or just restart the service and be done with it? My only concern is the fact that I don't see any updates made for this service.

Also what's the best way to restart this service. There isn't an entry in WHM and I'm thinking it needs to be restarted via a script with SSH access ?


Time:    Fri Oct 23 16:55:25 2009 +1100
PID:     16797
Account: <AccntName>
Uptime:  65 seconds


/usr/bin/perl\00#prelink#.agVWAa (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.

Command Line (often faked in exploits):

cpanellogd - http logs for <AccntName>

Network connections by the process (if any):

Files open by the process (if any):


Memory maps by the process (if any):

0022c000-00246000 r-xp 00000000 fd:00 6455360    /lib/
00246000-00247000 r-xp 00019000 fd:00 6455360    /lib/
00247000-00248000 rwxp 0001a000 fd:00 6455360    /lib/
0024a000-0024c000 r-xp 00000000 fd:00 6459054    /lib/
0024c000-0024d000 r-xp 00001000 fd:00 6459054    /lib/
0024d000-0024e000 rwxp 00002000 fd:00 6459054    /lib/
00250000-00263000 r-xp 00000000 fd:00 6459053    /lib/
00263000-00264000 r-xp 00012000 fd:00 6459053    /lib/
00264000-00265000 rwxp 00013000 fd:00 6459053    /lib/
00265000-00267000 rwxp 00265000 00:00 0
00269000-0028e000 r-xp 00000000 fd:00 6455505    /lib/
0028e000-0028f000 r-xp 00024000 fd:00 6455505    /lib/
0028f000-00290000 rwxp 00025000 fd:00 6455505    /lib/
00314000-00327000 r-xp 00000000 fd:00 6457535    /lib/
00327000-00328000 r-xp 00012000 fd:00 6457535    /lib/
00328000-00329000 rwxp 00013000 fd:00 6457535    /lib/
00329000-0032b000 rwxp 00329000 00:00 0
00339000-00477000 r-xp 00000000 fd:00 6455503    /lib/
00477000-00479000 r-xp 0013e000 fd:00 6455503    /lib/
00479000-0047a000 rwxp 00140000 fd:00 6455503    /lib/
0047a000-0047d000 rwxp 0047a000 00:00 0
0047f000-00488000 r-xp 00000000 fd:00 6459062    /lib/
00488000-00489000 r-xp 00008000 fd:00 6459062    /lib/
00489000-0048a000 rwxp 00009000 fd:00 6459062    /lib/
0048a000-004b1000 rwxp 0048a000 00:00 0
00553000-00562000 r-xp 00000000 fd:00 6459069    /lib/
00562000-00563000 r-xp 0000e000 fd:00 6459069    /lib/
00563000-00564000 rwxp 0000f000 fd:00 6459069    /lib/
00564000-00566000 rwxp 00564000 00:00 0
005a6000-005ab000 r-xp 00000000 fd:00 11583907   /usr/lib/
005ab000-005ac000 rwxp 00004000 fd:00 11583907   /usr/lib/
005ae000-005d3000 r-xp 00000000 fd:00 11588461   /usr/lib/
005d3000-005d4000 rwxp 00024000 fd:00 11588461   /usr/lib/
005e8000-006e7000 r-xp 00000000 fd:00 11583908   /usr/lib/
006e7000-006eb000 rwxp 000ff000 fd:00 11583908   /usr/lib/
0073d000-00869000 r-xp 00000000 fd:00 11581734   /usr/lib/
00869000-0086e000 rwxp 0012c000 fd:00 11581734   /usr/lib/
0086e000-0086f000 rwxp 0086e000 00:00 0
00bc6000-00bc8000 r-xp 00000000 fd:00 6459225    /lib/
00bc8000-00bc9000 r-xp 00001000 fd:00 6459225    /lib/
00bc9000-00bca000 rwxp 00002000 fd:00 6459225    /lib/
00bcc000-00cf7000 r-xp 00000000 fd:00 11665879   /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/
00cf7000-00cfc000 rwxp 0012a000 fd:00 11665879   /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/
00cfc000-00cfe000 rwxp 00cfc000 00:00 0
00d3e000-00d54000 r-xp 00000000 fd:00 6456142    /lib/
00d54000-00d56000 rwxp 00015000 fd:00 6456142    /lib/
00d58000-00d6a000 r-xp 00000000 fd:00 11579817   /usr/lib/
00d6a000-00d6b000 rwxp 00011000 fd:00 11579817   /usr/lib/
00d6d000-00da8000 r-xp 00000000 fd:00 6455553    /lib/
00da8000-00da9000 rwxp 0003b000 fd:00 6455553    /lib/
00da9000-00db3000 rwxp 00da9000 00:00 0
00df9000-00dfb000 r-xp 00000000 fd:00 11575224   /usr/lib/
00dfb000-00dfc000 rwxp 00001000 fd:00 11575224   /usr/lib/
08048000-0804b000 r-xp 00000000 fd:00 11575961   /usr/bin/perl
0804b000-0804c000 rwxp 00002000 fd:00 11575961   /usr/bin/perl
09f39000-0a7e7000 rwxp 09f39000 00:00 0          [heap]


cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
This will do the trick :

killall -9 cpanellogd;/usr/local/cpanel/cpanellogd
Via root SSH access, here is a safe method to stop and restart cpanellogd:
# /scripts/restartsrv_cpanellogd --stop
# /scripts/restartsrv_cpanellogd


cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
The same trouble occured with my servers.

If I don't need Statistics, can I turn off cpanellogd to solve this trouble??
It will not help to disable cpanellogd. The message received via e-mail from CSF/LFD running on the server is related to normal behavior of other software that came with the operating system; this is unrelated to cpanellogd. The details appear normal on a system with the software package "prelink" installed and where the daily cron job for "prelink" runs as scheduled.

I would consider revising the exclude list(s) in your CSF/LFD software configuration; here is the path to at least one of the relevant configuration files for CSF that will help:
For in-depth assistance with CSF, I recommend referring to the vendor's official web site and their available support channels: