HELP cPanel keeps throwing me emails!!!!

megalogs

Member
Jan 14, 2008
18
0
51
I keep recieving these emails on my cPanel VPS:

email 1: lfd on fire.ihubhost.com: Excessive resource usage: avahi (3570)‏

Time: Mon Feb 15 13:02:06 2010 +0000
Account: avahi
Resource: Process Time
Exceeded: 6726481 > 1800 (seconds)
Executable: /usr/sbin/avahi-daemon
Command Line: avahi-daemon: running [fire.local]
PID: 3570
Killed: No
email 2: lfd on fire.ihubhost.com: Excessive resource usage: avahi (3571)‏

Time: Mon Feb 15 13:02:07 2010 +0000
Account: avahi
Resource: Process Time
Exceeded: 6726481 > 1800 (seconds)
Executable: /usr/sbin/avahi-daemon
Command Line: avahi-daemon: chroot helper
PID: 3571
Killed: No
email 3: lfd on fire.ihubhost.com: Suspicious process running under user dbus‏

Time: Mon Feb 15 13:02:06 2010 +0000
PID: 1958
Account: dbus
Uptime: 6726533 seconds


Executable:

/bin/dbus-daemon\000.0.0\00\00\00 (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

dbus-daemon --system


Network connections by the process (if any):



Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/dev/null
/etc/dbus-1/system.d


Memory maps by the process (if any):

00110000-0024f000 r-xp 00000000 08:03 458803 /lib/libc-2.5.so
0024f000-00251000 r-xp 0013f000 08:03 458803 /lib/libc-2.5.so
00251000-00252000 rwxp 00141000 08:03 458803 /lib/libc-2.5.so
00252000-00255000 rwxp 00252000 00:00 0
00304000-0031e000 r-xp 00000000 08:03 458802 /lib/ld-2.5.so
0031e000-0031f000 r-xp 00019000 08:03 458802 /lib/ld-2.5.so
0031f000-00320000 rwxp 0001a000 08:03 458802 /lib/ld-2.5.so
003fb000-0041a000 r-xp 00000000 08:03 458806 /lib/libexpat.so.0.5.0
0041a000-0041c000 rwxp 0001e000 08:03 458806 /lib/libexpat.so.0.5.0
00537000-00572000 r-xp 00000000 08:03 458812 /lib/libsepol.so.1
00572000-00573000 rwxp 0003b000 08:03 458812 /lib/libsepol.so.1
00573000-0057d000 rwxp 00573000 00:00 0
005d4000-005ea000 r-xp 00000000 08:03 458813 /lib/libselinux.so.1
005ea000-005ec000 rwxp 00015000 08:03 458813 /lib/libselinux.so.1
006b0000-006fe000 r-xp 00000000 08:03 34134 /bin/dbus-daemon
006fe000-00700000 rwxp 0004e000 08:03 34134 /bin/dbus-daemon
0077a000-00793000 r-xp 00000000 08:03 458933 /lib/libaudit.so.0.0.0
00793000-00795000 rwxp 00018000 08:03 458933 /lib/libaudit.so.0.0.0
007a1000-007a4000 r-xp 00000000 08:03 458809 /lib/libcap.so.1.10
007a4000-007a5000 rwxp 00002000 08:03 458809 /lib/libcap.so.1.10
00b4d000-00b56000 r-xp 00000000 08:03 458848 /lib/libnss_files-2.5.so
00b56000-00b57000 r-xp 00008000 08:03 458848 /lib/libnss_files-2.5.so
00b57000-00b58000 rwxp 00009000 08:03 458848 /lib/libnss_files-2.5.so
00c28000-00c3b000 r-xp 00000000 08:03 458807 /lib/libpthread-2.5.so
00c3b000-00c3c000 r-xp 00013000 08:03 458807 /lib/libpthread-2.5.so
00c3c000-00c3d000 rwxp 00014000 08:03 458807 /lib/libpthread-2.5.so
00c3d000-00c3f000 rwxp 00c3d000 00:00 0
00ddc000-00ddd000 r-xp 00ddc000 00:00 0 [vdso]
00e9d000-00e9f000 r-xp 00000000 08:03 458804 /lib/libdl-2.5.so
00e9f000-00ea0000 r-xp 00001000 08:03 458804 /lib/libdl-2.5.so
00ea0000-00ea1000 rwxp 00002000 08:03 458804 /lib/libdl-2.5.so
08ef4000-08f15000 rw-p 08ef4000 00:00 0 [heap]
b7f29000-b7f2c000 rw-p b7f29000 00:00 0
bfda4000-bfdb9000 rw-p bffea000 00:00 0 [stack]
email 4: lfd on fire.ihubhost.com: Suspicious process running under user avahi‏

Time: Mon Feb 15 13:02:06 2010 +0000
PID: 3570
Account: avahi
Uptime: 6726481 seconds


Executable:

/usr/sbin/avahi-daemon


Command Line (often faked in exploits):

avahi-daemon: running [fire.local]


Network connections by the process (if any):

udp: 0.0.0.0:5353 -> 0.0.0.0:0
udp6: 0.0.0.0:5353 -> 0.0.0.0:0
udp: 0.0.0.0:35194 -> 0.0.0.0:0
udp6: 0.0.0.0:47464 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null


Memory maps by the process (if any):

00133000-0014d000 r-xp 00000000 08:03 458802 /lib/ld-2.5.so
0014d000-0014e000 r-xp 00019000 08:03 458802 /lib/ld-2.5.so
0014e000-0014f000 rwxp 0001a000 08:03 458802 /lib/ld-2.5.so
00151000-00290000 r-xp 00000000 08:03 458803 /lib/libc-2.5.so
00290000-00292000 r-xp 0013f000 08:03 458803 /lib/libc-2.5.so
00292000-00293000 rwxp 00141000 08:03 458803 /lib/libc-2.5.so
00293000-00296000 rwxp 00293000 00:00 0
00298000-0029a000 r-xp 00000000 08:03 458804 /lib/libdl-2.5.so
0029a000-0029b000 r-xp 00001000 08:03 458804 /lib/libdl-2.5.so
0029b000-0029c000 rwxp 00002000 08:03 458804 /lib/libdl-2.5.so
0029e000-002b1000 r-xp 00000000 08:03 458807 /lib/libpthread-2.5.so
002b1000-002b2000 r-xp 00013000 08:03 458807 /lib/libpthread-2.5.so
002b2000-002b3000 rwxp 00014000 08:03 458807 /lib/libpthread-2.5.so
002b3000-002b5000 rwxp 002b3000 00:00 0
002b7000-002bb000 r-xp 00000000 08:03 9437930 /usr/lib/libdaemon.so.0.2.4
002bb000-002bc000 rwxp 00003000 08:03 9437930 /usr/lib/libdaemon.so.0.2.4
002bc000-002bd000 rwxp 002bc000 00:00 0
002bf000-002f3000 r-xp 00000000 08:03 9437400 /usr/lib/libavahi-core.so.4.0.5
002f3000-002f4000 rwxp 00033000 08:03 9437400 /usr/lib/libavahi-core.so.4.0.5
00362000-00365000 r-xp 00000000 08:03 458809 /lib/libcap.so.1.10
00365000-00366000 rwxp 00002000 08:03 458809 /lib/libcap.so.1.10
0036f000-00378000 r-xp 00000000 08:03 458848 /lib/libnss_files-2.5.so
00378000-00379000 r-xp 00008000 08:03 458848 /lib/libnss_files-2.5.so
00379000-0037a000 rwxp 00009000 08:03 458848 /lib/libnss_files-2.5.so
008c2000-008ff000 r-xp 00000000 08:03 458810 /lib/libdbus-1.so.3.4.0
008ff000-00901000 rwxp 0003c000 08:03 458810 /lib/libdbus-1.so.3.4.0
0095b000-0097a000 r-xp 00000000 08:03 458806 /lib/libexpat.so.0.5.0
0097a000-0097c000 rwxp 0001e000 08:03 458806 /lib/libexpat.so.0.5.0
00b14000-00b15000 r-xp 00b14000 00:00 0 [vdso]
00be7000-00bf2000 r-xp 00000000 08:03 9437256 /usr/lib/libavahi-common.so.3.4.3
00bf2000-00bf3000 rwxp 0000a000 08:03 9437256 /usr/lib/libavahi-common.so.3.4.3
08048000-08061000 r-xp 00000000 08:03 9044229 /usr/sbin/avahi-daemon
08061000-08064000 rw-p 00018000 08:03 9044229 /usr/sbin/avahi-daemon
09f6b000-09f8c000 rw-p 09f6b000 00:00 0 [heap]
b7fe1000-b7fe4000 rw-p b7fe1000 00:00 0
bfb34000-bfb49000 rw-p bffea000 00:00 0 [stack]
Please help,

Thanks in Advance!
 
Last edited:

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
I keep recieving these emails on my cPanel VPS:

email 1: lfd on fire.ihubhost.com: Excessive resource usage: avahi (3570)‏

email 2: lfd on fire.ihubhost.com: Excessive resource usage: avahi (3571)‏

email 3: lfd on fire.ihubhost.com: Suspicious process running under user dbus‏

email 4: lfd on fire.ihubhost.com: Suspicious process running under user avahi‏

Please help,

Thanks in Advance!
All of the e-mails mentioned do not originate from cPanel; the messages originate from an installation of the third-party software CSF/LFD.

For in-depth assistance with CSF (& LFD), I recommend referring to the vendor's official web site and their available support channels:
ConfigServer Security & Firewall
ConfigServer Scripts Forum - Powered by vBulletin
ConfigServer by Way to the Web
Way to the Web Technical Support