LFD Mail Notification problem

Discussion in 'E-mail Discussions' started by jestin_virtual, Sep 5, 2009.

  1. jestin_virtual

    jestin_virtual Active Member

    Hello,

    I'm receiving the emails below from my root user / LFD firewall (more than 200 times a day).


    The emails are received about different accounts (which are using many emails).

    One particular IP is mentioned in all the emails, and it belongs to the same datacenter (example: 2.2.2.2:53).

    Please let me know what the problem is and how to stop the notifications.
    Thank you



    -----------------------------Mail 1 -----------------------------

    subject : lfd on server.....com: Excessive resource usage: renau (3427)

    Time: Sat Sep 5 19:07:00 2009 +0430
    Account: renau
    Resource: Process Time
    Exceeded: 6429 > 1800 (seconds)

    Executable: /usr/bin/perl
    Command Line: spamd child
    PID: 3427
    Killed: No

    ----------------------Mail 2 ----------------------------

    Subject : lfd on server.........com: Suspicious process running under user renau

    Executable:

    /usr/bin/perl


    Command Line (often faked in exploits):

    spamd child


    Network connections by the process (if any):

    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:54707
    udp: 1.1.1.1:10692 -> 2.2.2.2:53


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /usr/bin/spamd
    /usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
    /home/renault/.spamassassin/bayes_toks
    /home/renault/.spamassassin/bayes_toks
    /home/renault/.spamassassin/bayes_toks
    /tmp/.spamassassin6987U4eJeQtmp


    Memory maps by the process (if any):

     
    #1 jestin_virtual, Sep 5, 2009
    Last edited: Sep 5, 2009
  2. Spiral

    Spiral BANNED

    LFD is a little too sensitive by default and very commonly triggers on normal server processes unless they are excluded from its "watch list" ...

    In your case, LFD is seeing SpamAssassin (a normal process) running on your server, which is up and running almost continuously, since all incoming mail to your server is generally passed through the SpamAssassin (spamd) server process and the content of messages is checked against the spam rules. LFD just gets worried because it sees a process that is staying open, and sends you an alert about it.

    We normally exclude the "spamd" process from being watched by LFD.

    Basically there is nothing to worry about. ;)

    As another side note, 127.0.0.1 is your own server.
     
  3. jestin_virtual

    jestin_virtual Active Member

    Hello,

    1) How do I stop the notifications? I'm not interested in receiving 200 emails per day :)

    2) The IP is not 127.0.0.1; I have changed the IP to 2.2.2.2

    udp: 1.1.1.1:10692 -> 2.2.2.2:53

    1.1.1.1 is my server and 2.2.2.2 is another IP in the same datacenter.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Both mails 1&2 can be taken care of by reading the manual. Or check this thread: Process Tracking and csf.pignore - ConfigServer Scripts Forum



    Bite yur tongue. We like sensitive. :p
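
An added example, not part of the thread and not code from csf/LFD: before adding a `cmd:spamd child` line to the `csf.pignore` file the replies point to, this script checks that an alert like Mail 2 is consistent with a real spamd child rather than a process that only borrowed the name. The function names, the individual checks, and treating 2.2.2.2 as the server's own DNS resolver are assumptions; the sample alert is constructed from Mail 2.

```python
import re

# Constructed sample: "Mail 2" from the thread, without the memory-map dump.
SAMPLE_ALERT = """\
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:54707
udp: 1.1.1.1:10692 -> 2.2.2.2:53
Files open by the process (if any):
/dev/null
/usr/bin/spamd
/home/renault/.spamassassin/bayes_toks
"""
HEADERS = {"Executable": "exe", "Command Line": "cmd",
           "Network connections": "net", "Files open": "files"}

def parse_lfd_alert(text):
    """Split an LFD 'Suspicious process' mail body into its sections."""
    alert = {key: [] for key in HEADERS.values()}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):  # section header; unknown sections are skipped
            current = next((k for h, k in HEADERS.items() if line.startswith(h)), None)
        elif line and current:
            alert[current].append(line)
    return alert

def triage(alert, resolvers):
    """Return (csf.pignore line or None, findings that block the ignore)."""
    findings = []
    if alert["cmd"] != ["spamd child"]:
        findings.append("command line is not 'spamd child'")
    # The command line can be faked, so also require corroborating evidence.
    if "/usr/bin/spamd" not in alert["files"]:
        findings.append("/usr/bin/spamd is not among the open files")
    if not any(c.startswith("tcp: 127.0.0.1:783 ") for c in alert["net"]):
        findings.append("no socket on local port 127.0.0.1:783")
    for conn in alert["net"]:
        m = re.match(r"(?:tcp|udp): \S+ -> (\S+):(\d+)$", conn)
        if not m:
            findings.append(f"unparsed connection: {conn}")
            continue
        host, port = m.groups()
        local = host.startswith("127.") or host == "0.0.0.0"
        dns = port == "53" and host in resolvers  # lookup to a known resolver
        if not (local or dns):
            findings.append(f"unexpected remote peer {host}:{port}")
    return (None if findings else "cmd:spamd child"), findings
```

The returned line goes into `/etc/csf/csf.pignore`, and lfd has to be restarted to pick it up. Ignoring `exe:/usr/bin/perl` instead would silence alerts for every Perl process on the server, which is why the example proposes the narrower `cmd:` entry.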
     