The Community Forums


lfd: Excessive resource usage message

Discussion in 'General Discussion' started by KirkColvin747, Dec 21, 2006.

  1. KirkColvin747 (Member)
    Getting this message once in a while...

    lfd: Excessive resource usage: buster (19281)

    Time: Tue Dec 19 19:16:06 2006
    Account: buster
    Resource: Process Time
    Exceeded: 1821 > 1800 (seconds)
    Executable: /usr/libexec/openssh/sftp-server
    Command Line: /usr/libexec/openssh/sftp-server
    PID: 19281
    Killed: No

    any ideas?

    many thanks
     
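Added example, not part of the thread and not cPanel's or csf's own code: a small script that reproduces the check behind the alert quoted above, listing sftp-server processes that have been running longer than a threshold together with the account that owns them. It reads the output of `ps -eo pid,user,etimes,comm` (the `etimes` column, elapsed seconds, is a procps-ng feature; that the alert's "Process Time" corresponds to elapsed run time is an assumption consistent with the ~30-minute values in the posts). The 1800-second threshold is taken from the alert text, and the `ps` output embedded below is constructed sample data modelled on the PIDs and accounts in the thread.

```python
"""Flag long-running sftp-server processes from `ps` output.

Added example (not from the forum thread, cPanel or csf). Assumptions:
  - input columns come from:  ps -eo pid,user,etimes,comm
  - "Process Time" in the lfd alert is read as elapsed run time in seconds
  - the 1800 s threshold is the one shown in the alert text
"""
import re
import sys

# One data row of `ps -eo pid,user,etimes,comm`: pid, user, elapsed seconds, command
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample output, not a real capture; PIDs/accounts mirror the thread.
SAMPLE_PS = """\
  PID USER     ELAPSED COMMAND
    1 root      904521 init
19281 buster      1821 sftp-server
19300 buster        42 sftp-server
17188 corona      1817 sftp-server
 2201 nobody      3600 httpd
"""


def parse_ps(text):
    """Yield (pid, user, elapsed_seconds, command) for each data row.

    The header row and anything malformed simply fail the regex and are skipped.
    """
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            pid, user, elapsed, comm = m.groups()
            yield int(pid), user, int(elapsed), comm


def long_running(text, threshold=1800, comm="sftp-server"):
    """Return processes named `comm` whose elapsed time exceeds `threshold`,
    as lfd-style records, longest-running first."""
    hits = [
        {
            "pid": pid,
            "account": user,
            "elapsed": elapsed,
            "exceeded": f"{elapsed} > {threshold} (seconds)",
        }
        for pid, user, elapsed, c in parse_ps(text)
        if c == comm and elapsed > threshold
    ]
    return sorted(hits, key=lambda h: h["elapsed"], reverse=True)


def per_account(hits):
    """Count flagged sessions per account: one account with many idle sessions
    is a different picture from one client that left a single SFTP window open."""
    counts = {}
    for h in hits:
        counts[h["account"]] = counts.get(h["account"], 0) + 1
    return counts


if __name__ == "__main__":
    # Pipe real `ps` output in, or run with no input to see the sample data.
    text = SAMPLE_PS if sys.stdin.isatty() else sys.stdin.read()
    for h in long_running(text):
        print(f"PID {h['pid']} account {h['account']} exceeded {h['exceeded']}")
    print("per account:", per_account(long_running(text)))
```

Run it on a live box with `ps -eo pid,user,etimes,comm | python3 flag_sftp.py`; an idle SFTP client that keeps its connection open will show up here just as it does in the lfd alert, which is why "Killed: No" and a long elapsed time on sftp-server is usually a client that never disconnected rather than a process doing work.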
  2. wzd (Well-Known Member)
    Hiya Kirk,

    I'm getting the same thing on my side:

    At first I believed that this may be caused by the client trying to run something on their shell account. I terminated all processes under their account and disabled their shell. This message keeps on coming up though.

    Time: Sun Sep 9 06:07:30 2007
    Account: corona
    Resource: Process Time
    Exceeded: 1817 > 1800 (seconds)
    Executable: /home/virtfs/corona/usr/libexec/openssh/sftp-server
    Command Line: /usr/libexec/openssh/sftp-server
    PID: 17188
    Killed: No

    As far as I can see there is a secure FTP server running under the client's account. Why would this be using excessive resources?

    Marko
     
  3. nyjimbo (Well-Known Member)
    That's the secure ftp SERVER, which means something is likely uploading or downloading from the person's account. I would look for any logs or try to see if you can find any weird files in the corona account. Not sure how he can tell sftp-server to trigger if he doesn't have ssh, but maybe there is more to this account than you have found so far.
     
  4. wzd (Well-Known Member)
    The user doesn't have SSH at all but I'm still getting these messages as well:

    lfd: SSH login alert for user corona from 196.35.68.144 (isfw.jhb.24-7online.co.za)
    Time: Sun Sep 9 05:37:07 2007
    IP: 196.35.68.144 (isfw.jhb.24-7online.co.za)
    Account: corona
    Method: password authentication
    -- How is this possible if Shell Access is (disabled) ?


    Additionally, how could they be running an SFTP server process under their account?
    Their directory tree seems to be normal as below:


    total 68
    4 drwx--x--x 10 corona corona 4096 Sep 7 23:08 ./
    8 drwx--x--x 114 root root 4096 Sep 8 22:24 ../
    0 lrwxrwxrwx 1 corona corona 32 Sep 5 08:19 access-logs -> /usr/local/apache/domlogs/corona/
    4 -rw------- 1 corona corona 523 Sep 7 23:58 .bash_history
    4 -rw-r--r-- 1 corona corona 24 Sep 5 08:10 .bash_logout
    4 -rw-r--r-- 1 corona corona 191 Sep 5 08:10 .bash_profile
    4 -rw-r--r-- 1 corona corona 124 Sep 5 08:10 .bashrc
    0 -rw-r--r-- 1 corona corona 0 Sep 6 12:40 .contactemail
    4 drwxr-xr-x 4 corona corona 4096 Sep 7 19:02 .cpanel/
    4 -rw-r--r-- 1 corona corona 16 Sep 7 23:07 .dns
    4 -rw-r--r-- 1 corona corona 383 Sep 5 08:10 .emacs
    4 drwxr-x--- 3 corona mail 4096 Sep 5 19:38 etc/
    4 drwxrwx--- 6 corona mail 4096 Sep 5 19:39 mail/
    4 drwxr-xr-x 3 corona corona 4096 Mar 17 01:14 public_ftp/
    4 drwxr-x--- 3 corona nobody 4096 Sep 7 23:03 public_html/
    4 drwxr-xr-x 2 corona corona 4096 Sep 7 23:09 restore/
    4 drwxr-xr-x 7 corona corona 4096 Sep 7 08:42 tmp/
    4 drwx------ 2 corona corona 4096 Sep 5 20:06 .trash/
    0 lrwxrwxrwx 1 corona corona 11 Sep 5 08:10 www -> public_html/

    Any ideas on what this all means?
     
  5. wzd (Well-Known Member)
    Another message

    Here's another extract which brings up other questions:

    Security Violations
    =-=-=-=-=-=-=-=-=-=
    Sep 9 11:11:14 coder sshd[27435]: Accepted password for corona from ::ffff:196.35.68.144 port 1051 ssh2
    Sep 9 11:11:21 coder sshd[27467]: subsystem request for sftp
     
  6. yapluka (Well-Known Member)
    For a few months now, the default cPanel shell has given users SFTP access even when they don't have full shell (or jailshell) access.
     
  7. maysoft (Well-Known Member)
    LFD WILL report a "successful" SSH login to an account even if SSH is not enabled. This is because of the way cPanel "disables" SSH. Just try it yourself ;)
     
  8. wzd (Well-Known Member)
    All in all this is very suspicious, as for some reason this just started happening with another user's account!

    Time: Sun Sep 9 18:33:49 2007
    Account: keybaud
    Resource: Process Time
    Exceeded: 1848 > 1800 (seconds)
    Executable: /usr/libexec/openssh/sftp-server
    Command Line: /usr/libexec/openssh/sftp-server
    PID: 17987
    Killed: No


    Now another account is showing the same message!!!
    I've terminated the old account and now this is coming up. I heavily suspect some foul play.
    Rkhunter and chkrootkit are not picking up anything.

    Anyone know of any SFTP exploits flying around?
     
  9. wzd (Well-Known Member)
    Is there any way to prevent SFTP access to the account? It's highly suspicious that an account which is new would start an SFTP server and then, when this account was terminated, another instance of it would be started.

    Sep 9 15:29:21 coder su(pam_unix)[29215]: session closed for user root
    Sep 9 15:29:24 coder su(pam_unix)[27528]: session closed for user root
    Sep 9 15:56:40 coder sshd(pam_unix)[11052]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wbs-41-208-216-159.wbs.co.za user=keybaud
    Sep 9 15:56:45 coder sshd(pam_unix)[11070]: session opened for user keybaud by (uid=0)
    Sep 9 16:00:18 coder sshd(pam_unix)[11070]: session closed for user keybaud
    Sep 9 15:14:43 coder sshd[8780]: Failed password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
    Sep 9 15:15:01 coder sshd[8780]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
    Sep 9 15:15:03 coder sshd[8808]: subsystem request for sftp
    Sep 9 15:17:30 coder sshd[8997]: Did not receive identification string from ::ffff:202.75.200.251
    Sep 9 15:21:48 coder sshd[9186]: Connection closed by ::ffff:202.75.200.251
    Sep 9 15:47:16 coder sshd[10584]: Invalid user corona from ::ffff:196.35.68.144
    Sep 9 15:47:16 coder sshd[10585]: input_userauth_request: invalid user corona
    Sep 9 15:47:20 coder sshd[10585]: Received disconnect from ::ffff:196.35.68.144: 13: Authentication cancelled by user.
    Sep 9 15:56:42 coder sshd[11052]: Failed password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
    Sep 9 15:56:45 coder sshd[11052]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
    Sep 9 15:56:49 coder sshd[11070]: subsystem request for sftp

    I have personally now called both the users and they have said that they are not running SFTP in any way - This means this process is being started by something else?

    I've also opened up a cpanel ticket as this may be serious.
     
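Added example, not part of the thread and not OpenSSH's, cPanel's or csf's own code: a log correlator that answers the question running through the posts above (and the "Security Violations" extract earlier in the thread), namely whether a given "SSH login" was really an SFTP session. The rule it applies is the one visible in the quoted lines: sshd's pre-auth process logs "Accepted password for USER from IP", the per-session child then logs PAM's "session opened for user USER", and the sftp subsystem request is logged under that same child PID (11070 in the post). The log lines embedded below are constructed sample data in that format, ordered chronologically because the correlation depends on order; on CentOS the real input would be /var/log/secure.

```python
"""Correlate sshd/PAM log lines to tell SFTP sessions from shell logins.

Added example (not from the forum thread, OpenSSH, cPanel or csf).
Correlation rule, as seen in the quoted logs:
  sshd[P1]:            Accepted <method> for <user> from <ip> port <n>
  sshd(pam_unix)[P2]:  session opened for user <user> by (uid=0)
  sshd[P2]:            subsystem request for sftp      <- same PID as PAM line
The sample log below is constructed, not a real capture.
"""
import re
from collections import OrderedDict

ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (?:::ffff:)?(\S+) port (\d+)")
SESSION_OPEN = re.compile(r"sshd\(pam_unix\)\[(\d+)\]: session opened for user (\S+)")
SESSION_CLOSE = re.compile(r"sshd\(pam_unix\)\[(\d+)\]: session closed for user (\S+)")
SUBSYSTEM = re.compile(r"sshd\[(\d+)\]: subsystem request for (\S+)")
INVALID = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from (?:::ffff:)?(\S+)")

SAMPLE_LOG = """\
Sep 9 15:14:43 coder sshd[8780]: Failed password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
Sep 9 15:15:01 coder sshd[8780]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
Sep 9 15:15:01 coder sshd(pam_unix)[8808]: session opened for user keybaud by (uid=0)
Sep 9 15:15:03 coder sshd[8808]: subsystem request for sftp
Sep 9 15:20:00 coder sshd(pam_unix)[8808]: session closed for user keybaud
Sep 9 15:47:16 coder sshd[10584]: Invalid user corona from ::ffff:196.35.68.144
Sep 9 15:56:42 coder sshd[11052]: Failed password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
Sep 9 15:56:45 coder sshd[11052]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
Sep 9 15:56:45 coder sshd(pam_unix)[11070]: session opened for user keybaud by (uid=0)
Sep 9 15:56:49 coder sshd[11070]: subsystem request for sftp
Sep 9 16:00:18 coder sshd(pam_unix)[11070]: session closed for user keybaud
Sep 9 17:02:10 coder sshd[12000]: Accepted publickey for admin from ::ffff:10.0.0.5 port 50022 ssh2
Sep 9 17:02:10 coder sshd(pam_unix)[12010]: session opened for user admin by (uid=0)
Sep 9 17:30:00 coder sshd(pam_unix)[12010]: session closed for user admin
"""


def correlate(text):
    """Build one record per session PID: account, source IP and auth method
    (from the most recent Accepted line for that user), the subsystems it
    requested, and whether PAM has closed it yet. Also collect "Invalid user"
    attempts, which is what a terminated account produces."""
    last_accepted = {}        # user -> (method, ip, port) from the pre-auth process
    sessions = OrderedDict()  # session pid -> record, in order of appearance
    invalid = []              # (pid, user, ip)
    for line in text.splitlines():
        if m := ACCEPTED.search(line):
            _, method, user, ip, port = m.groups()
            last_accepted[user] = (method, ip, int(port))
        elif m := SESSION_OPEN.search(line):
            pid, user = int(m.group(1)), m.group(2)
            method, ip, port = last_accepted.get(user, ("unknown", "unknown", 0))
            sessions[pid] = {"pid": pid, "account": user, "method": method,
                             "ip": ip, "port": port, "subsystems": [], "open": True}
        elif m := SUBSYSTEM.search(line):
            pid, subsystem = int(m.group(1)), m.group(2)
            if pid in sessions:
                sessions[pid]["subsystems"].append(subsystem)
        elif m := SESSION_CLOSE.search(line):
            pid = int(m.group(1))
            if pid in sessions:
                sessions[pid]["open"] = False
        elif m := INVALID.search(line):
            invalid.append((int(m.group(1)), m.group(2), m.group(3)))
    return list(sessions.values()), invalid


def sftp_sessions(text):
    """Sessions that requested the sftp subsystem: these are what an lfd
    'SSH login alert' reports for an account whose cPanel shell is disabled."""
    sessions, _ = correlate(text)
    return [s for s in sessions if "sftp" in s["subsystems"]]


def shell_sessions(text):
    """Sessions that opened without any subsystem request (interactive shell or
    a plain remote command): the ones a disabled shell should never produce."""
    sessions, _ = correlate(text)
    return [s for s in sessions if not s["subsystems"]]


if __name__ == "__main__":
    for s in sftp_sessions(SAMPLE_LOG):
        print(f"SFTP  pid={s['pid']} {s['account']} from {s['ip']} ({s['method']})")
    for s in shell_sessions(SAMPLE_LOG):
        print(f"SHELL pid={s['pid']} {s['account']} from {s['ip']} ({s['method']})")
```

Feed it the real file with `python3 sftp_sessions.py < /var/log/secure` (after replacing the sample with `sys.stdin.read()`); an account that only ever appears in `sftp_sessions()` and never in `shell_sessions()` is behaving exactly as the earlier replies describe, while an entry in `shell_sessions()` for an account whose shell is disabled is the result that would actually warrant the foul-play suspicion.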
  10. wzd (Well-Known Member)
    One more reply:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: SSH Communications Security's Secure Shell Server: SFTP
    privilege escalation
    Date: March 14, 2007
    Bugs: #168584
    ID: 200703-13

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Could it be this that is happening? It's quite old though, and I'm assuming this would be patched as we run /scripts/upcp weekly.

    See link: http://www.gentoo.org/security/en/glsa/glsa-200703-13.xml

    Seems to be gentoo but we are running CentOS ?
     