Excessive resource usage and Suspicious process

[adeyjones]

Hi all
I get 2 emails on a nightly basis which are the following:

Time: Fri May 7 10:13:24 2021 +0000
Account: xxx
Resource: Process Time
Exceeded: 32362 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl
Command Line: spamd child
PID: 31780 (Parent PID:30465)
Killed: No

and

Time: Fri May 7 20:44:41 2021 +0000
PID: 18318 (Parent PID:30465)
Account: xxx
Uptime: 11407 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/532/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:47914


Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/532/bin/spamd
/home/surgeryweb/.razor/razor-agent.log
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

I have looked at various past threads on here and added the following to my csf.pignore file:

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child

But none of these 3 lines have stopped the emails coming, how can I stop them?

Thanks.

 

[quietFinn]

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child

Maybe it should be:

cmd:spamd child

EDIT:
Never mind

pcmd:spamd child

and

cmd:spamd child

are the same.

 

[adeyjones]

Maybe it should be:

cmd:spamd child

EDIT:
Never mind

pcmd:spamd child

and

cmd:spamd child

are the same.

Thanks for the reply, it may not be the same after all as i've just found this other (fairly recent) thread (Suspicious process running under user - warnings found) that advises to use

cmd:spamd child

so i'll see if I get any more emails in the next 12-24 hours.

 

[adeyjones]

Nope unfortunately I am still getting these:

Time: Mon May 10 11:14:26 2021 +0000
Account: xxx
Resource: Process Time
Exceeded: 36254 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl
Command Line: spamd child
PID: 13403 (Parent PID:12587)
Killed: No


Time: Mon May 10 11:14:26 2021 +0000
PID: 13403 (Parent PID:12587)
Account: xxx
Uptime: 36254 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/532/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:39614


Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/532/bin/spamd
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

 

[cPRex]

Hey there! These emails are generated by CSF and isn't something that is controlled by cPanel. Since you have already tried adding values to the ignore list, it might be worth contacting the CSF team directly (ConfigServer Technical Support) to see if there is an issue there, or if they would recommend a different configuration.