The Community Forums

lfd: Excessive resource usage message

Discussion in 'General Discussion' started by KirkColvin747, Dec 21, 2006.

  1. KirkColvin747

    KirkColvin747 Member

    Joined:
    Mar 17, 2005
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    151
    Getting this message once in a while...

    lfd: Excessive resource usage: buster (19281)

    Time: Tue Dec 19 19:16:06 2006
    Account: buster
    Resource: Process Time
    Exceeded: 1821 > 1800 (seconds)
    Executable: /usr/libexec/openssh/sftp-server
    Command Line: /usr/libexec/openssh/sftp-server
    PID: 19281
    Killed: No

    any ideas?

    many thanks
     
  2. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    Hiya Kirk,

    I'm getting the same thing on my side:

    At first I believed that this may be caused by the client trying to run something on their shell account. I terminated all processes under their account and disabled their shell. This message keeps on coming up though.

    Time: Sun Sep 9 06:07:30 2007
    Account: corona
    Resource: Process Time
    Exceeded: 1817 > 1800 (seconds)
    Executable: /home/virtfs/corona/usr/libexec/openssh/sftp-server
    Command Line: /usr/libexec/openssh/sftp-server
    PID: 17188
    Killed: No

    As far as I can see there is a secure FTP server running under the client's account. Why would this be using excessive resources?

    Marko
     
  3. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,129
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    New York
    That's the secure FTP SERVER, which means something is likely uploading or downloading from the person's account. I would look for any logs or try to see if you can find any weird files in the corona account. Not sure how he can tell sftp-server to trigger if he doesn't have SSH, but maybe there is more to this account than you have found so far.
     
  4. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    The user doesn't have SSH at all but I'm still getting these messages as well:

    lfd: SSH login alert for user corona from 196.35.68.144 (isfw.jhb.24-7online.co.za)
    Time: Sun Sep 9 05:37:07 2007
    IP: 196.35.68.144 (isfw.jhb.24-7online.co.za)
    Account: corona
    Method: password authentication
    -- How is this possible if Shell Access is (disabled)?


    Additionally how could they be running a sftp server process under their account?
    Their directory tree seems to be normal as below:


    total 68
    4 drwx--x--x 10 corona corona 4096 Sep 7 23:08 ./
    8 drwx--x--x 114 root root 4096 Sep 8 22:24 ../
    0 lrwxrwxrwx 1 corona corona 32 Sep 5 08:19 access-logs -> /usr/local/apache/domlogs/corona/
    4 -rw------- 1 corona corona 523 Sep 7 23:58 .bash_history
    4 -rw-r--r-- 1 corona corona 24 Sep 5 08:10 .bash_logout
    4 -rw-r--r-- 1 corona corona 191 Sep 5 08:10 .bash_profile
    4 -rw-r--r-- 1 corona corona 124 Sep 5 08:10 .bashrc
    0 -rw-r--r-- 1 corona corona 0 Sep 6 12:40 .contactemail
    4 drwxr-xr-x 4 corona corona 4096 Sep 7 19:02 .cpanel/
    4 -rw-r--r-- 1 corona corona 16 Sep 7 23:07 .dns
    4 -rw-r--r-- 1 corona corona 383 Sep 5 08:10 .emacs
    4 drwxr-x--- 3 corona mail 4096 Sep 5 19:38 etc/
    4 drwxrwx--- 6 corona mail 4096 Sep 5 19:39 mail/
    4 drwxr-xr-x 3 corona corona 4096 Mar 17 01:14 public_ftp/
    4 drwxr-x--- 3 corona nobody 4096 Sep 7 23:03 public_html/
    4 drwxr-xr-x 2 corona corona 4096 Sep 7 23:09 restore/
    4 drwxr-xr-x 7 corona corona 4096 Sep 7 08:42 tmp/
    4 drwx------ 2 corona corona 4096 Sep 5 20:06 .trash/
    0 lrwxrwxrwx 1 corona corona 11 Sep 5 08:10 www -> public_html/

    Any ideas on what this all means?
     
  5. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    Another message

    Here's another extract which brings up other questions:

    Security Violations
    =-=-=-=-=-=-=-=-=-=
    Sep 9 11:11:14 coder sshd[27435]: Accepted password for corona from ::ffff:196.35.68.144 port 1051 ssh2
    Sep 9 11:11:21 coder sshd[27467]: subsystem request for sftp
     
  6. yapluka

    yapluka Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    France
    cPanel Access Level:
    Root Administrator
    For a few months now, the default cPanel shell has given users SFTP access even when they don't have full shell (or jailshell) access.
     
  7. maysoft

    maysoft Well-Known Member

    Joined:
    Nov 10, 2005
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    156
    LFD WILL report a "successful" SSH login into an account even if SSH is not enabled. This is because of the way cPanel "disables" SSH. Just try it yourself ;)
     
  8. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    All in all this is very suspicious, as for some reason this just started happening with another user's account!

    Time: Sun Sep 9 18:33:49 2007
    Account: keybaud
    Resource: Process Time
    Exceeded: 1848 > 1800 (seconds)
    Executable: /usr/libexec/openssh/sftp-server
    Command Line: /usr/libexec/openssh/sftp-server
    PID: 17987
    Killed: No


    Now another account is saying the same message!!!
    I've terminated the old account and now this is coming up. I heavily suspect some foul play.
    Rkhunter and chkrootkit are not picking up anything.

    Anyone know of any SFTP exploits flying around?
     
  9. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    Is there any way to prevent SFTP access to the account? It's highly suspicious that an account which is new would start an SFTP server and then, when this account was terminated, another instance of it would be started.

    Sep 9 15:29:21 coder su(pam_unix)[29215]: session closed for user root
    Sep 9 15:29:24 coder su(pam_unix)[27528]: session closed for user root
    Sep 9 15:56:40 coder sshd(pam_unix)[11052]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=wbs-41-208-216-159.wbs.co.za user=keybaud
    Sep 9 15:56:45 coder sshd(pam_unix)[11070]: session opened for user keybaud by (uid=0)
    Sep 9 16:00:18 coder sshd(pam_unix)[11070]: session closed for user keybaud
    Sep 9 15:14:43 coder sshd[8780]: Failed password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
    Sep 9 15:15:01 coder sshd[8780]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1133 ssh2
    Sep 9 15:15:03 coder sshd[8808]: subsystem request for sftp
    Sep 9 15:17:30 coder sshd[8997]: Did not receive identification string from ::ffff:202.75.200.251
    Sep 9 15:21:48 coder sshd[9186]: Connection closed by ::ffff:202.75.200.251
    Sep 9 15:47:16 coder sshd[10584]: Invalid user corona from ::ffff:196.35.68.144
    Sep 9 15:47:16 coder sshd[10585]: input_userauth_request: invalid user corona
    Sep 9 15:47:20 coder sshd[10585]: Received disconnect from ::ffff:196.35.68.144: 13: Authentication cancelled by user.
    Sep 9 15:56:42 coder sshd[11052]: Failed password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
    Sep 9 15:56:45 coder sshd[11052]: Accepted password for keybaud from ::ffff:41.208.216.159 port 1247 ssh2
    Sep 9 15:56:49 coder sshd[11070]: subsystem request for sftp

    I have personally now called both the users and they have said that they are not running SFTP in any way - This means this process is being started by something else?

    I've also opened up a cpanel ticket as this may be serious.
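As an added example (not code from this thread or from cPanel/lfd), the Python below ties together the two artefacts quoted in these posts: it parses an lfd "Excessive resource usage" alert into typed fields, and it correlates sshd's PAM "session opened" line with the "subsystem request for sftp" line through the sshd PID they share (the PID that differs from the one on the "Accepted password" line), so the alerted account can be matched to the SFTP sessions behind a long-running sftp-server. The alert text and log lines are constructed, modelled on the ones posted above.

```python
import re
# Constructed sample input, modelled on the lfd alert and sshd log lines quoted in this thread.
LFD_ALERT = """\
Time: Sun Sep 9 18:33:49 2007
Account: keybaud
Exceeded: 1848 > 1800 (seconds)
Executable: /usr/libexec/openssh/sftp-server
PID: 17987
Killed: No
"""
SSHD_LOG = """\
Sep 9 15:56:45 coder sshd(pam_unix)[11070]: session opened for user keybaud by (uid=0)
Sep 9 15:56:49 coder sshd[11070]: subsystem request for sftp
Sep 9 16:00:18 coder sshd(pam_unix)[11070]: session closed for user keybaud
"""
# Syslog prefix, optional "(pam_unix)" tag, and the sshd PID that ties a PAM session to its subsystem request.
SSHD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd(?:\(pam_unix\))?\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_lfd_alert(text):
    """Turn the 'Key: value' lines of an lfd resource alert into a dict with typed fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower().replace(" ", "_")] = value.strip()
    used, limit = re.match(r"(\d+)\s*>\s*(\d+)", fields["exceeded"]).groups()
    fields["exceeded"], fields["limit"] = int(used), int(limit)
    fields["pid"] = int(fields["pid"])
    fields["killed"] = fields["killed"].lower() == "yes"
    return fields

def sftp_sessions(log):
    """Correlate PAM 'session opened/closed' with 'subsystem request for sftp' via the shared sshd PID."""
    sessions = {}
    for line in log.splitlines():
        if not (m := SSHD_RE.match(line)):
            continue
        pid, ts, msg = int(m["pid"]), m["ts"], m["msg"]
        if opened := re.match(r"session opened for user (\S+)", msg):
            sessions[pid] = {"user": opened.group(1), "pid": pid, "opened": ts, "sftp": None, "closed": None}
        elif pid in sessions and msg == "subsystem request for sftp":
            sessions[pid]["sftp"] = ts
        elif pid in sessions and msg.startswith("session closed"):
            sessions[pid]["closed"] = ts
    return [s for s in sessions.values() if s["sftp"]]

def sessions_for_alert(alert, log):
    """SFTP sessions of the account named in an lfd alert about an sftp-server process."""
    return [s for s in sftp_sessions(log)
            if alert["executable"].endswith("/sftp-server") and s["user"] == alert["account"]]
```

Running `sessions_for_alert(parse_lfd_alert(LFD_ALERT), SSHD_LOG)` on a real /var/log/secure would list the SFTP logins of the alerted account with their open and close times, which is what the posts above were trying to work out by hand.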
     
  10. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    120
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    One more reply:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: SSH Communications Security's Secure Shell Server: SFTP privilege escalation
    Date: March 14, 2007
    Bugs: #168584
    ID: 200703-13

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Could it be this that is happening? It's quite old though, and I'm assuming this would be patched as we run /scripts/upcp weekly.

    See link: http://www.gentoo.org/security/en/glsa/glsa-200703-13.xml

    Seems to be Gentoo, but we are running CentOS?
     