lfd on server Log Scanner Report

scullydion

Member
Nov 7, 2015
UK
cPanel Access Level
Root Administrator
Hello!

I'm very new to using a VPS and am on a steep learning curve! Everything was running fine until recently, when I started getting attacks on my websites, and when one went down they all fell like dominoes. As you can imagine, that's where my stress levels rocketed, especially when I don't really have an understanding of reading error logs/reports.

I have been given some help by a techie friend and made several changes to my WordPress sites to harden them. If any of you can help or guide me to help fix my areas, please be gentle with me!

The most recent reports which look like they might be bad news are as follows:
Code:
/var/log/exim_paniclog:
2015-11-07 00:03:45 1Zuqym-0003sR-4L malware acl condition: clamd: unable to connect to UNIX socket (/var/clamd): No such file or directory

/var/log/exim_paniclog:
2015-11-06 22:57:33 1Zupwk-0000XN-0M malware acl condition: clamd: unable to connect to UNIX socket (/var/clamd): No such file or directory

/usr/local/cpanel/logs/error_log:
[06-Nov-2015 22:00:08 UTC] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/cpanel/whostmgr/docroot/cgi/srbl/black.php on line 32
Code:
PID: 1964 (Parent PID:1931)
Account: xxxxx
Uptime: 85513 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):

spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:57601
udp: xxx.xxx.xxx.xxx:35062 -> 8.8.8.8:53
tcp: xxx.xxx.xxx.xxx:47031 -> 208.83.137.115:2703
So am I doomed? Are these bad or fixable?

And I also often get a lot of Excessive processes notifications:

Code:
PID:15959 PPID:14231 Run Time:34(secs) Memory:239952(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/xxx/public_html/index.php
When that e-mail comes through, that is sometimes when the whole server goes down.

Thank you in advance!

Help a damsel in distress!

Clare
 
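The two exim_paniclog lines above say that Exim's malware ACL tried to hand a message to clamd at /var/clamd and found no socket there. As an added example that is not part of this thread and not cPanel's own tooling, the script below reproduces that wiring check offline against constructed exim.conf and clamd.conf fragments (the av_scanner, LocalSocket and malware = * lines are the assumed formats; the real cPanel files are far longer). It reports whether a malware ACL is present at all, whether the socket path it names agrees with clamd.conf, and whether that socket actually exists, which is the case the paniclog shows.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: reproduce the wiring behind
#   "malware acl condition: clamd: unable to connect to UNIX socket (/var/clamd)"
# against constructed config fragments. Formats assumed:
#   exim.conf:  av_scanner = clamd:/path/to/socket   plus an ACL line  malware = *
#   clamd.conf: LocalSocket /path/to/socket

# Socket path Exim's malware condition will connect to (empty if av_scanner is
# not set to a clamd socket).
exim_clamd_socket() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Socket path clamd is configured to create.
clamd_local_socket() {
    sed -n 's/^[[:space:]]*LocalSocket[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# True (0) if any ACL actually invokes the scanner with a "malware =" condition.
exim_uses_malware_acl() {
    grep -Eq '(^|[[:space:]])malware[[:space:]]*=' "$1"
}

# Verdict on the Exim -> clamd wiring. Exit status:
#   0 consistent and socket present
#   1 Exim scans but cannot reach clamd (the paniclog case)
#   2 no malware ACL, so clamd is never consulted
#   3 exim.conf and clamd.conf name different sockets
check_clamd_wiring() {
    exim_conf=$1; clamd_conf=$2
    if ! exim_uses_malware_acl "$exim_conf"; then
        echo "no malware ACL in $exim_conf: clamd is not consulted"; return 2
    fi
    sock=$(exim_clamd_socket "$exim_conf")
    if [ -z "$sock" ]; then
        echo "malware ACL present but av_scanner is not a clamd socket"; return 1
    fi
    local_sock=$(clamd_local_socket "$clamd_conf")
    if [ "$sock" != "$local_sock" ]; then
        echo "av_scanner uses $sock but clamd.conf creates ${local_sock:-no socket}"; return 3
    fi
    if [ ! -S "$sock" ]; then
        echo "Exim expects $sock but no socket exists there: clamd is not running or not installed"; return 1
    fi
    echo "ok: malware ACL -> $sock (socket present)"; return 0
}

# Constructed sample files in a temp dir; prints the dir name.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/exim.conf" <<'EOF'
av_scanner = clamd:/var/clamd
acl_smtp_data = acl_check_data
begin acl
acl_check_data:
  deny
    malware = *
    message = This message contains malware ($malware_name)
  accept
EOF
    cat > "$dir/clamd.conf" <<'EOF'
LogFile /var/log/clamd.log
LocalSocket /var/clamd
EOF
    # Same exim.conf with the scanning ACL removed: the consistent state when
    # no scanner is installed
    grep -v 'malware' "$dir/exim.conf" > "$dir/exim-noscan.conf"
    echo "$dir"
}

# On a cPanel box:  check_clamd_wiring /etc/exim.conf /etc/clamd.conf
samples=$(write_samples)
check_clamd_wiring "$samples/exim.conf" "$samples/clamd.conf" || :
check_clamd_wiring "$samples/exim-noscan.conf" "$samples/clamd.conf" || :
```

Run as-is it prints the paniclog case (status 1) for the full sample and "not consulted" (status 2) for the copy without the ACL; the fix is either to get clamd running on the socket Exim names or to drop the malware ACL, never to leave the two disagreeing.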

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
SLC
cPanel Access Level
DataCenter Provider
Just guessing, but you have some ACLs in your exim.conf that should not be there or are configured incorrectly.

spamd child: you need to whitelist it from csf and add it to the pignore file

exe:/usr/local/cpanel/3rdparty/perl/514/bin/spamd


Excessive processes may or may not be an issue, but it's giving you a clue in that a certain script is taking a long time to run,
which may be a cause of high load or may just be a symptom of high load.
 
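To see which csf.pignore line would actually stop lfd from reporting that spamd child process, here is an added example (not csf's code and not part of the thread) that models csf.pignore's documented line formats (exe:, cmd:, user: for exact matches; pexe:, pcmd:, puser: for regexes, approximated here with grep -E where csf uses Perl regexes) against the fields of the report quoted earlier. The report and the two pignore files are constructed inline. Note what the report itself says: the Executable is /usr/local/cpanel/3rdparty/perl/514/bin/perl (spamd is a Perl script, so the interpreter is what the kernel resolves the executable to), while the command line is "spamd child". An exe: rule therefore has to name the perl path lfd reported, or a cmd: rule the command line.

```shell
#!/bin/sh
# Added example, not csf's code: decide whether a process described by an lfd
# Process Tracking report would be skipped by csf.pignore. Rule formats assumed
# from csf.pignore's documentation: exe:/path, cmd:command line, user:name
# (exact match) and pexe:, pcmd:, puser: (regex; grep -E here, csf uses Perl).

# Pull one field out of an lfd report.  $1 = report file,
# $2 = "Executable", "Command Line" or "Account".
report_field() {
    case $2 in
        Account) sed -n 's/^Account:[[:space:]]*//p' "$1" | head -n 1 ;;
        *) awk -v key="$2" '
               found && NF         { print; exit }   # first non-empty line after the header
               index($0, key) == 1 { found = 1 }
           ' "$1" ;;
    esac
}

# 0 if some rule in $2 matches the process in report $1 (prints the rule),
# 1 otherwise.
pignore_match() {
    report=$1; pignore=$2
    exe=$(report_field "$report" Executable)
    cmd=$(report_field "$report" "Command Line")
    user=$(report_field "$report" Account)
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        kind=${line%%:*}; val=${line#*:}
        case $kind in
            exe)   [ "$exe"  = "$val" ] ;;
            cmd)   [ "$cmd"  = "$val" ] ;;
            user)  [ "$user" = "$val" ] ;;
            pexe)  printf '%s\n' "$exe"  | grep -Eq -- "$val" ;;
            pcmd)  printf '%s\n' "$cmd"  | grep -Eq -- "$val" ;;
            puser) printf '%s\n' "$user" | grep -Eq -- "$val" ;;
            *)     continue ;;
        esac && { echo "ignored by: $line"; return 0; }
    done < "$pignore"
    echo "not ignored: exe=$exe cmd='$cmd' user=$user"
    return 1
}

# Constructed samples in a temp dir; prints the dir name.
write_lfd_samples() {
    dir=$(mktemp -d)
    # The report as posted in the thread (account name left redacted)
    cat > "$dir/lfd-report.txt" <<'EOF'
PID: 1964 (Parent PID:1931)
Account: xxxxx
Uptime: 85513 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):

spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
EOF
    # Names the spamd script: never equal to the reported executable (the perl binary)
    cat > "$dir/pignore-script.txt" <<'EOF'
exe:/usr/local/cpanel/3rdparty/perl/514/bin/spamd
EOF
    # Matches on what the report actually contains
    cat > "$dir/pignore-report.txt" <<'EOF'
# the interpreter lfd resolved, and the title spamd gives its child processes
exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl
cmd:spamd child
EOF
    echo "$dir"
}

# On a cPanel box the report is the lfd e-mail body and the rules live in
# /etc/csf/csf.pignore; restart lfd after editing it (csf -ra restarts csf and lfd).
d=$(write_lfd_samples)
pignore_match "$d/lfd-report.txt" "$d/pignore-script.txt" || :
pignore_match "$d/lfd-report.txt" "$d/pignore-report.txt" || :
```

The first pignore file leaves the process reported, the second silences it. The "Command Line (often faked in exploits)" label in the report is the reason to prefer the exe: rule over cmd: when both are available: a process can set its own title, but not what /proc/PID/exe resolves to.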

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You can also search our forums for "Wordpress Attack" to see threads where users have discussed solutions for mitigating attacks on their WordPress installations.

Thank you.
 