Excessive resource usage and Suspicious process

adeyjones

Well-Known Member
Apr 26, 2019
69
8
8
Merseyside, UK
cPanel Access Level
Root Administrator
Hi all
I get 2 emails on a nightly basis which are the following:

Time: Fri May 7 10:13:24 2021 +0000
Account: xxx
Resource: Process Time
Exceeded: 32362 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl
Command Line: spamd child
PID: 31780 (Parent PID:30465)
Killed: No


and

Time: Fri May 7 20:44:41 2021 +0000
PID: 18318 (Parent PID:30465)
Account: xxx
Uptime: 11407 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/532/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:47914


Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/532/bin/spamd
/home/surgeryweb/.razor/razor-agent.log
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm


I have looked at various past threads on here and added the following to my csf.pignore file:

Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child
But none of these 3 lines have stopped the emails coming, how can I stop them?

Thanks.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,693
350
438
Finland
cPanel Access Level
Root Administrator
Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child
Maybe it should be:
Code:
cmd:spamd child
EDIT:
Never mind
Code:
pcmd:spamd child
and
Code:
cmd:spamd child
are the same.
 

adeyjones

Well-Known Member
Apr 26, 2019
69
8
8
Merseyside, UK
cPanel Access Level
Root Administrator

adeyjones

Well-Known Member
Apr 26, 2019
69
8
8
Merseyside, UK
cPanel Access Level
Root Administrator
Nope unfortunately I am still getting these:

Time: Mon May 10 11:14:26 2021 +0000
Account: xxx
Resource: Process Time
Exceeded: 36254 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl
Command Line: spamd child
PID: 13403 (Parent PID:12587)
Killed: No


Time: Mon May 10 11:14:26 2021 +0000
PID: 13403 (Parent PID:12587)
Account: xxx
Uptime: 36254 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/532/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:39614


Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/532/bin/spamd
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,481
1,966
363
cPanel Access Level
Root Administrator
Hey there! These emails are generated by CSF and isn't something that is controlled by cPanel. Since you have already tried adding values to the ignore list, it might be worth contacting the CSF team directly (ConfigServer Technical Support) to see if there is an issue there, or if they would recommend a different configuration.