Excessive resource usage: admin

Discussion in 'Security' started by chrisweb, Nov 19, 2015.

  1. chrisweb (Member; cPanel Access Level: Root Administrator)
    Hello, I know this is an LFD-related question that may be posted on the LFD forum, but my question is more about the WHM/cPanel processes being reported by LFD.

    Since the update to version 11.52.0.20, LFD has been sending email reports with the subject "lfd on serverdomain.com: Excessive resource usage: admin".

    The resource being exceeded is time, so no CPU or memory is overused.

    This is the list of the executables being reported:
    • /usr/local/cpanel/3rdparty/perl/514/bin/perl
    • /usr/sbin/dovecot
    • /usr/sbin/crond
    • /usr/sbin/pure-authd
    • /sbin/init
    • /sbin/rsyslogd
    • /sbin/udevd
    • /bin/bash
    • /usr/sbin/atd
    • /usr/sbin/abrtd
    • /usr/libexec/dovecot/config
    • /usr/libexec/dovecot/log

    I know paths sometimes change and can cause these types of errors, because the paths change before LFD updates its csf.pignore list.

    I have seen many csf.pignore list updates concerning WHM/cPanel processes in the LFD changelog, but I think the list being used by our LFD is not updated because we have made changes to it.

    I have tried to find the default updated version of csf.pignore to compare with mine and the new processes reported, but I could not find it.

    The server load is normal and low and everything seems to be working ok.

    Can someone tell me if this is the normal behavior of these processes to always be up and running, where to get the updated csf.pignore or how to investigate this?

    Thank you
     
  2. Infopro (cPanel Sr. Product Evangelist, Staff Member; cPanel Access Level: Root Administrator)
    I'm not sure you'll find this mentioned anywhere, but removing and reinstalling CSF is not too tough to do. Making a few notes on your configuration settings first, of course, would be wise.

    You're not getting one single email flagging all of those at once, listing admin as the user, are you? I don't think so.

    Have you changed this setting in your config at all, lowering it too low maybe?
     
  3. chrisweb (Member; cPanel Access Level: Root Administrator)
    Hi Infopro, thank you for the fast reply.
    Reinstalling LFD is a good idea, and sure, I would have to make a list of the custom entries and configuration changes.
    We always keep some kind of changelog when we change the default values on the server so we can track/undo it if it causes problems. I could search our changelogs to back up our custom settings and do the reinstall.

    For the emails, we get individual emails for each executable/command/process and also one grouping all of them. Here is one example of it:
    Subject: lfd on serverdomain.com: Excessive processes running under user admin
    Code:
    
    Time:          Wed Nov 18 06:30:23 2015 -0500
    Account:       admin
    Process Count: 23 (Not killed)
    
    Process Information:
    
    User:admin PID:1 PPID:0 Run Time:31207889(secs) Memory:19232(kb) exe:/sbin/init cmd:/sbin/init
    User:admin PID:6841 PPID:6841 Run Time:2701(secs) Memory:37024(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:queueprocd - wait to process a task
    User:admin PID:6870 PPID:6870 Run Time:2699(secs) Memory:78084(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cPhulkd - processor
    User:admin PID:6912 PPID:6912 Run Time:2698(secs) Memory:132200(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpdavd - accepting connections on 2077, 2078, 2079, and 2080
    User:admin PID:6915 PPID:6915 Run Time:2697(secs) Memory:23660(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - sleeping for logs
    User:admin PID:11342 PPID:11341 Run Time:1192(secs) Memory:76524(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:/usr/local/cpanel/3rdparty/bin/perl /usr/local/cpanel/bin/leechprotect
    User:admin PID:13226 PPID:13226 Run Time:1912555(secs) Memory:9448(kb) exe:/bin/bash cmd:/bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/cl-t135-393cl.privatedns.com.pid
    User:admin PID:13605 PPID:13605 Run Time:452(secs) Memory:198876(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:/usr/local/cpanel/3rdparty/perl/514/bin/spamd --daemonize --allowed-ips=127.0.0.1 --max-children=5 --pidfile=/var/run/spamd.pid -i127.0.0.1
    User:admin PID:13696 PPID:13696 Run Time:443(secs) Memory:18092(kb) exe:/usr/sbin/dovecot cmd:/usr/sbin/dovecot
    User:admin PID:13701 PPID:13696 Run Time:443(secs) Memory:13604(kb) exe:/usr/libexec/dovecot/log cmd:dovecot/log
    User:admin PID:13703 PPID:13696 Run Time:443(secs) Memory:15752(kb) exe:/usr/libexec/dovecot/config cmd:dovecot/config
    User:admin PID:13733 PPID:13733 Run Time:441(secs) Memory:83044(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:tailwatchd
    User:admin PID:16708 PPID:16708 Run Time:0(secs) Memory:162588(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:lfd - sleeping
    User:admin PID:16715 PPID:16708 Run Time:0(secs) Memory:160616(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:lfd - checking system integrity
    User:admin PID:16717 PPID:16715 Run Time:0(secs) Memory:100924(kb) exe:/usr/bin/md5sum cmd:/usr/bin/md5sum --check /var/lib/csf/csf.tempint
    User:admin PID:16722 PPID:16708 Run Time:0(secs) Memory:161108(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:lfd - (child) (PT) sending alert email for process 13696
    User:admin PID:19585 PPID:19585 Run Time:613553(secs) Memory:117104(kb) exe:/usr/sbin/crond cmd:crond
    User:admin PID:26907 PPID:26907 Run Time:2948760(secs) Memory:39300(kb) exe:/usr/sbin/pure-authd cmd:/usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/local/cpanel/bin/pureauth
    User:admin PID:28104 PPID:28104 Run Time:8911461(secs) Memory:10652(kb) exe:/sbin/udevd cmd:/sbin/udevd -d
    User:admin PID:28945 PPID:28945 Run Time:28952997(secs) Memory:249860(kb) exe:/sbin/rsyslogd cmd:/sbin/rsyslogd -i /var/run/syslogd.pid -c 5
    User:admin PID:29866 PPID:29866 Run Time:8910841(secs) Memory:21104(kb) exe:/usr/sbin/atd cmd:/usr/sbin/atd
    User:admin PID:30146 PPID:30146 Run Time:8910670(secs) Memory:180940(kb) exe:/usr/sbin/abrtd cmd:/usr/sbin/abrtd
    User:admin PID:31614 PPID:31614 Run Time:3181(secs) Memory:144992(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:/usr/local/cpanel/3rdparty/perl/514/sbin/munin-node
    
    As for the setting being lowered, no, we didn't change it, and they are all way over the limit. Here is an example:
    Exceeded: 8910670 > 1800 (seconds)

    So we have some hypotheses:
    • Maybe these processes were "closed" after use and no longer are (are they all supposed to be always up and running?)
    • Maybe these processes changed path, were "ignored" and no longer are
    • Maybe these processes were run under root, cpanel or another user before and were "ignored" by LFD
    • Maybe the user admin was "ignored" by LFD before and is not anymore

    We would prefer to identify the cause and solve it rather than just reinstall but we keep this option on the list.

    Does this additional information give you a hint about something?

    Thank you again for helping.
     
  4. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)
  5. chrisweb (Member; cPanel Access Level: Root Administrator)
    Hi cPanelMichael, thank you for the reply.
    Honestly, I did not have time to follow up on this and completely forgot about it.
    I just did a test commenting out the lines added to the csf.pignore file, and the email notifications are back.

    I will try to reinstall it in the next few days, if you don't have any other suggestions.

    Thank you
     
  6. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)
    I find it very odd that a process like MySQL is running as a user called 'admin' and not 'root' or 'mysql'. Same with a lot of the other processes.

    Have you added an extra UID 0 user (root-equivalent)? If not, I suspect your system may be compromised, and this is not something I say lightly or very often. Assuming you are on CentOS, can you check your /etc/passwd file with this command?

    Code:
    grep ':0:' /etc/passwd
    
    The output should be:

    Code:
    root:x:0:0:root:/root:/bin/bash
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    operator:x:11:0:operator:/root:/sbin/nologin
    
    If there are any extra users with UID 0 or a line starting with "admin:x:0:0:admin" you should assume your system is compromised if you did not create said 'admin' user. Same if any other line has :0:0: and is not a name in the above list I provided.
  7. chrisweb (Member; cPanel Access Level: Root Administrator)
    Hello quizknows, yes, we have another non-root UID 0 user, which is called admin.
    I know some datacenters create this for support on their side, or for whatever other reason, when setting up a new server; ours did this.

    This user has been present since the server was delivered, and we have credentials for it, so I don't think we should worry about it.

    Here is the output of the command you asked for:
    Code:
    root:x:0:0:root:/root:/bin/bash
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    operator:x:11:0:operator:/root:/sbin/nologin
    admin:x:0:0:admin:/home/admin:/bin/bash
    
    Thank you
     
  8. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)
    It is good news that you are aware of the user's origin and credentials :) While I personally don't like that method (extra UID 0 user), I do understand that some companies use it. This is why configserver is seeing those processes run as 'admin' instead of 'root': because technically both are UID 0, so as far as the system is concerned, there is really no difference. Personally I much prefer the addition of a user with sudo privileges where needed, rather than two users with the same numeric UID, but to each their own.
  9. chrisweb (Member; cPanel Access Level: Root Administrator)
    It's good to confirm that nothing has been compromised and that other companies do this with an admin user!

    But the question still persists... Why? Why since the update to version 11.52.0.20?

    Can that be related to the other thread I opened on cron jobs being saved under both user admin and root?

    Configure cPanel Cron Jobs double entries since update to version 11.52.1.2

    It seems to be related to some kind of users/tasks/merge/mix/switch from this version update that I don't understand.

    Thank you again for the help, it is really appreciated!
     
  10. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)
    Having two users with UID 0 will cause weird stuff to happen. Linux works with numeric UIDs. When you 'ls' a directory for example it's actually thinking "these files are owned by UID ###" not "these files are owned by $username". If you rsync files to a system where the numeric user ID isn't taken, ls will list them as owned by a number (like 512 or something) instead of a username.

    When two usernames share a numeric user ID, the system can have unexpected behaviour. I suspect (though do not know for certain) that this is why CSF is alerting you to the admin user. While this may not be the best solution, if the admin user is necessary, you could add "0" on its own line to /etc/csf/csf.uidignore. However, my recommended solution would be to remove the admin user with userdel and recreate it with a proper and unique numeric user ID (useradd should do this by default), and grant it sudo privileges for administrative purposes. Alternatively, you could use the usermod command to set a new user and group ID for the admin user (you might have to create the group in that case). If you are unsure of any of this, you should have an experienced system administrator perform the task.
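The check quizknows gave in post 6 (`grep ':0:'`) also matches the GID 0 entries such as sync and halt, so it needs reading by eye. The script below is an added example, not a command from this thread: it reports only accounts whose numeric UID (third field) is 0, and separately lists every UID claimed by more than one name, which is the duplicate-UID situation described in post 10. The passwd content is a constructed sample modelled on the output chrisweb posted, written to a temporary file so the script runs offline.

```shell
#!/bin/sh
# Audit a passwd-format file for accounts that share a numeric UID.
# Added example for this thread; the sample data below is constructed.

# Print every account name whose numeric UID (field 3) is exactly 0,
# one per line. Unlike `grep ':0:'`, this does not also match GID 0
# entries (sync, shutdown, halt, operator) or a "0" in another field.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print "UID name1 name2 ..." for every UID claimed by more than one
# account. Two names on one line is the condition quizknows warns about:
# the kernel only knows the number, so ownership and process reports can
# show either name.
duplicate_uids() {
    awk -F: '
        NF >= 3 {
            if ($3 in names) names[$3] = names[$3] " " $1
            else names[$3] = $1
            count[$3]++
        }
        END { for (u in count) if (count[u] > 1) print u, names[u] }
    ' "$1" | sort -n
}

# Constructed sample modelled on the /etc/passwd lines posted in post 7,
# plus one ordinary service account that must not be reported.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/sbin/nologin
admin:x:0:0:admin:/home/admin:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
EOF

echo "Accounts with UID 0:"
uid0_accounts "$SAMPLE_PASSWD"
echo "UIDs shared by more than one account:"
duplicate_uids "$SAMPLE_PASSWD"
```

On a real server, pass `/etc/passwd` instead of the sample file; an empty second section means every account has its own UID.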
  11. chrisweb (Member; cPanel Access Level: Root Administrator)
    Thank you for the reply and the explanations, quizknows. This all makes sense and I now understand the overall concept.

    As you suggested, I will take a look at this with a system administrator.

    Thank you again and again for the help!