
CSF or Linux problem? Excessive resource usage: rpc - Help-me please.

Discussion in 'Security' started by fcbinfo, Dec 14, 2011.

  1. fcbinfo

    fcbinfo Well-Known Member

    I'm not a Linux expert, and I have no idea what is happening.
    Please, someone help me with this. I'm getting these 2 emails every hour with the following messages:

    Email 1

    Subject:
    Code:
    lfd on srv01.mydomain.com: Excessive resource usage: rpc (1557)
    
    message:

    Code:
    Time:         Wed Dec 14 09:01:40 2011 -0200
    Account:      rpc
    Resource:     Process Time
    Exceeded:     48391 > 1800 (seconds)
    Executable:   /sbin/rpcbind
    Command Line: rpcbind
    PID:          1557
    Killed:       No
    
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    email 2 (at same time):

    Code:
    Subject: lfd on srv01.mydomain.com: Suspicious process running under user rpc
    
    Message:

    Code:
    Time:    Wed Dec 14 09:01:40 2011 -0200
    PID:     1557
    Account: rpc
    Uptime:  48391 seconds
    
    
    Executable:
    
    /sbin/rpcbind
    
    
    Command Line (often faked in exploits):
    
    rpcbind
    
    
    Network connections by the process (if any):
    
    udp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:884 -> 0.0.0.0:0
    tcp: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:884 -> 0.0.0.0:0
    tcp6: 0.0.0.0:111 -> 0.0.0.0:0
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    /var/run/rpcbind.lock
    
    
    Memory maps by the process (if any):
    
    7f86f1b72000-7f86f1b7e000 r-xp 00000000 08:01 9699357                    /lib64/libnss_files-2.12.so
    7f86f1b7e000-7f86f1d7e000 ---p 0000c000 08:01 9699357                    /lib64/libnss_files-2.12.so
    7f86f1d7e000-7f86f1d7f000 r--p 0000c000 08:01 9699357                    /lib64/libnss_files-2.12.so
    7f86f1d7f000-7f86f1d80000 rw-p 0000d000 08:01 9699357                    /lib64/libnss_files-2.12.so
    7f86f1d80000-7f86f1d82000 r-xp 00000000 08:01 9699347                    /lib64/libdl-2.12.so
    7f86f1d82000-7f86f1f82000 ---p 00002000 08:01 9699347                    /lib64/libdl-2.12.so
    7f86f1f82000-7f86f1f83000 r--p 00002000 08:01 9699347                    /lib64/libdl-2.12.so
    7f86f1f83000-7f86f1f84000 rw-p 00003000 08:01 9699347                    /lib64/libdl-2.12.so
    7f86f1f84000-7f86f1f8d000 r-xp 00000000 08:01 9699636                    /lib64/libgssglue.so.1.0.0
    7f86f1f8d000-7f86f218c000 ---p 00009000 08:01 9699636                    /lib64/libgssglue.so.1.0.0
    7f86f218c000-7f86f218d000 rw-p 00008000 08:01 9699636                    /lib64/libgssglue.so.1.0.0
    7f86f218d000-7f86f21a3000 r-xp 00000000 08:01 9699351                    /lib64/libnsl-2.12.so
    7f86f21a3000-7f86f23a2000 ---p 00016000 08:01 9699351                    /lib64/libnsl-2.12.so
    7f86f23a2000-7f86f23a3000 r--p 00015000 08:01 9699351                    /lib64/libnsl-2.12.so
    7f86f23a3000-7f86f23a4000 rw-p 00016000 08:01 9699351                    /lib64/libnsl-2.12.so
    7f86f23a4000-7f86f23a6000 rw-p 00000000 00:00 0 
    7f86f23a6000-7f86f252c000 r-xp 00000000 08:01 9699341                    /lib64/libc-2.12.so
    7f86f252c000-7f86f272b000 ---p 00186000 08:01 9699341                    /lib64/libc-2.12.so
    7f86f272b000-7f86f272f000 r--p 00185000 08:01 9699341                    /lib64/libc-2.12.so
    7f86f272f000-7f86f2730000 rw-p 00189000 08:01 9699341                    /lib64/libc-2.12.so
    7f86f2730000-7f86f2735000 rw-p 00000000 00:00 0 
    7f86f2735000-7f86f274c000 r-xp 00000000 08:01 9699365                    /lib64/libpthread-2.12.so
    7f86f274c000-7f86f294b000 ---p 00017000 08:01 9699365                    /lib64/libpthread-2.12.so
    7f86f294b000-7f86f294c000 r--p 00016000 08:01 9699365                    /lib64/libpthread-2.12.so
    7f86f294c000-7f86f294d000 rw-p 00017000 08:01 9699365                    /lib64/libpthread-2.12.so
    7f86f294d000-7f86f2951000 rw-p 00000000 00:00 0 
    7f86f2951000-7f86f2977000 r-xp 00000000 08:01 9699638                    /lib64/libtirpc.so.1.0.10
    7f86f2977000-7f86f2b76000 ---p 00026000 08:01 9699638                    /lib64/libtirpc.so.1.0.10
    7f86f2b76000-7f86f2b78000 rw-p 00025000 08:01 9699638                    /lib64/libtirpc.so.1.0.10
    7f86f2b78000-7f86f2b80000 r-xp 00000000 08:01 9699432                    /lib64/libwrap.so.0.7.6
    7f86f2b80000-7f86f2d80000 ---p 00008000 08:01 9699432                    /lib64/libwrap.so.0.7.6
    7f86f2d80000-7f86f2d81000 rw-p 00008000 08:01 9699432                    /lib64/libwrap.so.0.7.6
    7f86f2d81000-7f86f2d82000 rw-p 00000000 00:00 0 
    7f86f2d82000-7f86f2da2000 r-xp 00000000 08:01 9699713                    /lib64/ld-2.12.so
    7f86f2f92000-7f86f2f97000 rw-p 00000000 00:00 0 
    7f86f2fa0000-7f86f2fa1000 rw-p 00000000 00:00 0 
    7f86f2fa1000-7f86f2fa2000 r--p 0001f000 08:01 9699713                    /lib64/ld-2.12.so
    7f86f2fa2000-7f86f2fa3000 rw-p 00020000 08:01 9699713                    /lib64/ld-2.12.so
    7f86f2fa3000-7f86f2fa4000 rw-p 00000000 00:00 0 
    7f86f2fa4000-7f86f2fb1000 r-xp 00000000 08:01 3407942                    /sbin/rpcbind
    7f86f31b0000-7f86f31b1000 rw-p 0000c000 08:01 3407942                    /sbin/rpcbind
    7f86f31b1000-7f86f31b2000 rw-p 00000000 00:00 0 
    7f86f4d7e000-7f86f4d9f000 rw-p 00000000 00:00 0                          [heap]
    7fff20799000-7fff207ae000 rw-p 00000000 00:00 0                          [stack]
    7fff207ff000-7fff20800000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    
    And this line... with every email, this Exceeded value has increased:

    Exceeded: 48391 > 1800 (seconds)
     
  2. fcbinfo

    fcbinfo Well-Known Member

    I'm still receiving this message.

    Is it better to open a cPanel support ticket?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  4. fcbinfo

    fcbinfo Well-Known Member

    Well... that's no help!
     
  5. fcbinfo

    fcbinfo Well-Known Member

    I have reinstalled rpcbind... and am still getting the message every hour.
     
  6. faisikhan

    faisikhan Well-Known Member

    Hi

    Do you have exim? Please tail the server (/var/log/messages) and email logs and paste some here to get a better idea about the problem. Second thing: did you completely remove/uninstall rpcbind before the re-installation?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  8. fcbinfo

    fcbinfo Well-Known Member

    No... I just ran yum reinstall rpcbind, and in the yum repository I ignored the default mirror to get it from another mirror.

    I'll try to uninstall and install again.

    Thanks for trying to help... I'll post results here.
     
  9. fcbinfo

    fcbinfo Well-Known Member


    Faisikhan, I have now completely removed/uninstalled rpcbind and reinstalled it.

    I did this more than one hour ago, and so far the email has not been sent. I believe that completely removing and reinstalling solved the problem.

    If I do not post anything else, it means that it really worked.

    Thank you for your help.
     
  10. k-planethost

    k-planethost Well-Known Member

    I don't think this is an issue, since CSF is alerting that the process has Exceeded: 48391 > 1800 (seconds) uptime. CSF is reporting the PID by email so you can investigate further. It's also not a bug in CSF, as it simply gets the information from the /proc entry for the PID, and if there's nothing there then either the OS isn't reporting it or the PID has died in the meantime.
    You can disable the email alert from CSF, but I wouldn't suggest that. CSF needs an active email account so that you will monitor the server.
     
  11. quietFinn

    quietFinn Well-Known Member

    If you need rpcbind running, you should add this line to /etc/csf/csf.pignore:

    exe:/sbin/rpcbind

    and then restart csf & lfd.
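
    The alert fields and the exe:/sbin/rpcbind ignore rule discussed above, as an added example that is not part of any post in this thread and is not ConfigServer's code: it parses a constructed, trimmed copy of the alert, lists the sockets listening on every interface, and checks which csf.pignore line would silence the alert. The function names are hypothetical, and rule matching is modelled as exact string comparison for the exe:, user: and cmd: rule types only.

```python
import re

# Constructed sample: trimmed copy of the "Suspicious process" alert quoted in the thread.
SAMPLE_ALERT = """PID:     1557
Account: rpc
Uptime:  48391 seconds

Executable:

/sbin/rpcbind

Command Line (often faked in exploits):

rpcbind

Network connections by the process (if any):

udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:884 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
"""

def parse_alert(text):
    """Pull out the fields an lfd alert reports for the flagged process."""
    def field(name):
        m = re.search(rf"^{name}:[ \t]*(\S.*)$", text, re.M)
        return m.group(1).strip() if m else None
    def section(title):
        m = re.search(rf"^{title}[^\n]*:\n\n(.*?)(?:\n\n|\Z)", text, re.M | re.S)
        return m.group(1).splitlines() if m else []
    return {"pid": int(field("PID")), "user": field("Account"),
            "exe": (section("Executable") or [None])[0],
            "cmd": (section("Command Line") or [None])[0],
            "conns": section("Network connections")}

def wildcard_listeners(alert):
    """(proto, port) pairs bound to every interface with no peer, i.e. listening."""
    found = re.findall(r"^(\w+): 0\.0\.0\.0:(\d+) -> 0\.0\.0\.0:0$", "\n".join(alert["conns"]), re.M)
    return sorted({(proto, int(port)) for proto, port in found})

def ignored_by(pignore_text, alert):
    """Return the first csf.pignore rule that would silence this alert, else None."""
    for rule in pignore_text.splitlines():
        kind, _, pattern = rule.strip().partition(":")
        if kind in ("exe", "user", "cmd") and alert[kind] == pattern:
            return rule.strip()  # exact-match rule types only (assumed semantics)
    return None  # regex forms (pexe:, puser:, pcmd:) are not handled here
```

    An exe: rule keys on the executable path, whereas a cmd:rpcbind rule would key on the command line, which the alert itself labels as often faked. The listener list also shows that an ignored rpcbind is still bound to port 111 on all interfaces, so the ignore rule does not replace firewalling that port.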
     
  12. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello,

    For this previous post:

    Please note that this would not be a cPanel issue for ticket submission. CSF and LFD are third-party products, for which we do not provide support on our ticketing system. ConfigServer support channels are what should be used for questions on their alerts:

    Way to the Web Technical Support

    I wanted to mention this because we simply have to send people to their support when they open up a ticket with us, since we do not provide that product.

    Thanks!
     
  13. k-planethost

    k-planethost Well-Known Member

    It's better to use their forum, since ConfigServer does not support the free products anywhere else, only at the forum.
     
  14. faisikhan

    faisikhan Well-Known Member

    No problem fcbinfo,

    Actually, I suggested the complete removal because not doing that can cause a conflict between the older and the newer installation, causing the same issue that we were facing before the re-installation. I hope you won't get that problem in the future :)
     
  15. fcbinfo

    fcbinfo Well-Known Member

    Faisikhan...

    The problem was solved with the full uninstall and installing again. Since that day I no longer received emails. Now, one month later, I am receiving them. It was only a restart of the server, and I'm getting emails again.

    I have 3 servers with cPanel... only this server shows this message.


    Lol, that's a shame but... I don't know what rpcbind is needed for.

    With this config... CSF will ignore this process, but... I need to know if this process is normal or if this is something I'll have problems with in the future.

    I will try now to find out what rpcbind is needed for on a cPanel server. =)
     