The Community Forums

Issue with qpidd

Discussion in 'General Discussion' started by isaacl, Jun 26, 2012.

  1. isaacl

    isaacl Member

    Joined:
    Jun 26, 2012
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I've been getting an email from lfd (the CSF firewall, and I know that's not written by cPanel) about excessive resource usage and suspicious process running under user qpidd.
    I am trying to find out what this user is, and if it's something to be concerned about, since I haven't been able to get any info about it.
    Here's the full email:

    Code:
    Time:    Tue Jun 26 13:21:02 2012 -0400
    PID:     2492
    Account: qpidd
    Uptime:  583826 seconds
    
    
    Executable:
    
    /usr/sbin/qpidd
    
    
    Command Line (often faked in exploits):
    
    /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
    
    
    Network connections by the process (if any):
    
    tcp: 0.0.0.0:5672 -> 0.0.0.0:0
    tcp6: 0.0.0.0:5672 -> 0.0.0.0:0
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    anon_inode:[eventpoll]
    /var/lib/qpidd/lock
    
    
    Memory maps by the process (if any):
    
    I haven't found anything about the qpidd user, and I only set this server up about a week ago, so I doubt there's anything running on the server that isn't supposed to run...

    Does anyone have any ideas?
    Any help is very much appreciated...
    Thanks a lot!

    Isaac
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
  3. isaacl

    isaacl Member

    Thanks for the reply.
    I spoke to the person who set the server up, and he knew nothing about it.
    The only additional things I installed are WHMSonic, CSF, and ClamAV.
    I'm running CentOS 6.2 x64...
    Is there any reason why not to get rid of it at this point?
    Thanks!
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You might want to ask those other providers (WHMSonic and CSF) if they use it. My machine is running CentOS 6.2 on 64-bit, so I cannot see why it is needed for CentOS itself as it isn't running on mine.
     
  5. isaacl

    isaacl Member

    It doesn't seem to be doing anything, as far as I can tell...
    I removed it for now (I think), and I'll see if anything comes up as needing it, but I think it's probably extra.
    Thanks!
     
    #5 isaacl, Jun 26, 2012
    Last edited: Jun 26, 2012
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Check if the rpms exist on the machine:

    Code:
    rpm -qa | grep -i qpid
    If they do, remove them:

    Code:
    rpm -e --nodeps rpmname
    Please replace rpmname with the name of the rpm.

    After that, check if it is listed in chkconfig:

    Code:
    chkconfig --list qpidd
    If you get a return, shut it off:

    Code:
    chkconfig qpidd off
    Then if /usr/sbin/qpidd still exists, move it:

    Code:
    mv /usr/sbin/qpidd /usr/sbin/qpidd.bak
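
As an added example (not part of the thread, and not cPanel or CSF code), the Python below parses a report in the layout of the lfd email from the first post, flags what deserves a closer look, and lists rpm checks that show where the binary came from and what depends on it before the removal steps above are run. The sample report is constructed, and the function names, the directory allow-list and the `<package>` placeholder are assumptions.

```python
import re
import shlex

# Constructed sample in the layout of the lfd report from the first post;
# blank lines and the open-files and memory-map sections are left out.
SAMPLE_REPORT = """\
PID:     2492
Account: qpidd
Executable:
/usr/sbin/qpidd
Command Line (often faked in exploits):
/usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
Network connections by the process (if any):
tcp: 0.0.0.0:5672 -> 0.0.0.0:0
tcp6: 0.0.0.0:5672 -> 0.0.0.0:0
"""

SECTION = re.compile(r"(Executable|Command Line|Network connections|Files open|Memory maps)\b.*:$")
CONN = re.compile(r"(\w+): (\S+):(\d+) -> (\S+):(\d+)$")
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/")  # assumed allow-list
WILDCARD = {"0.0.0.0", "::"}

def parse_lfd_report(text):
    """Split the report into 'Key: value' header fields and named sections."""
    fields, sections, current = {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {"fields": fields, "sections": sections}

def triage(report):
    """Return findings worth a closer look; an empty list means nothing stood out."""
    sections = report["sections"]
    exe = (sections.get("Executable") or [""])[0]
    argv = (sections.get("Command Line") or [""])[0].split()
    findings = []
    if not argv or argv[0] != exe:  # the report itself warns the command line can be faked
        findings.append("argv[0] differs from the executable path")
    if not exe.startswith(SYSTEM_DIRS):
        findings.append("executable is outside the system binary directories")
    for conn in sections.get("Network connections", []):
        m = CONN.match(conn)
        if m and m.group(2) in WILDCARD and m.group(5) == "0":  # remote port 0 taken as "listening" (assumption)
            findings.append(f"{m.group(1)} listener on all interfaces, port {m.group(3)}")
    return findings

def provenance_commands(exe, package="<package>"):
    """rpm checks to run by hand; <package> stands for whatever `rpm -qf` reports."""
    q = shlex.quote(exe)
    return [f"rpm -qf {q}", f"rpm -Vf {q}",
            f"rpm -q --whatrequires {package}", f"rpm -e --test {package}"]
```

`rpm -qf` names the owning package, `rpm -Vf` verifies that package's files against the RPM database, and `rpm -e --test` reports dependency problems without removing anything.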
     
  7. isaacl

    isaacl Member

    I think I got it all - thanks!
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Sure, glad that helped out. Hopefully, no program actually needed it, although I don't know which one possibly could.
     