The Community Forums
lfd on server Log Scanner Report

Discussion in 'General Discussion' started by scullydion, Nov 7, 2015.

  1. scullydion

    scullydion Member
    cPanel Access Level: Root Administrator
    Hello!

    I'm very new to using a VPS and am on a steep learning curve! Everything was running fine until recently, when I started getting attacks on my websites, and when one went down, they all fell like dominoes. As you can imagine, that's where my stress levels rocketed, especially when I don't really have an understanding of reading error logs/reports.

    I have been given some help by a techie friend and made several changes to my WordPress sites to harden them. If any of you can help or guide me to help fix my areas, please be gentle with me!

    The most recent reports which look like they might be bad news are as follows:
    Code:
    /var/log/exim_paniclog:
    2015-11-07 00:03:45 1Zuqym-0003sR-4L malware acl condition: clamd: unable to connect to UNIX socket (/var/clamd): No such file or directory
    
    /var/log/exim_paniclog:
    2015-11-06 22:57:33 1Zupwk-0000XN-0M malware acl condition: clamd: unable to connect to UNIX socket (/var/clamd): No such file or directory
    
    /usr/local/cpanel/logs/error_log:
    [06-Nov-2015 22:00:08 UTC] PHP Warning: array_keys() expects parameter 1 to be array, null given in /usr/local/cpanel/whostmgr/docroot/cgi/srbl/black.php on line 32
    
    
    Code:
    PID: 1964 (Parent PID:1931)
    Account: xxxxx
    Uptime: 85513 seconds
    
    Executable:
    
    /usr/local/cpanel/3rdparty/perl/514/bin/perl
    
    Command Line (often faked in exploits):
    
    spamd child
    
    Network connections by the process (if any):
    
    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:57601
    udp: xxx.xxx.xxx.xxx:35062 -> 8.8.8.8:53
    tcp: xxx.xxx.xxx.xxx:47031 -> 208.83.137.115:2703
    
    
    So am I doomed? Are these bad or fixable?

    And I also often get a lot of Excessive processes notifications:

    Code:
    PID:15959 PPID:14231 Run Time:34(secs) Memory:239952(kb) exe:/usr/bin/php cmd:/usr/bin/php /home/xxx/public_html/index.php
    
    When that e-mail comes through, that is sometimes when the whole server goes down.

    Thank you in advance!

    Help a damsel in distress!

    Clare
     
    #1 scullydion, Nov 7, 2015
    Last edited by a moderator: Nov 7, 2015
  2. dalem

    dalem Well-Known Member
    PartnerNOC
    cPanel Access Level: DataCenter Provider
    Just guessing, but you have some ACLs in your exim.conf that should not be there or are configured incorrectly.

    spamd child: you need to whitelist it in csf and add it to the pignore file

    exe:/usr/local/cpanel/3rdparty/perl/514/bin/spamd


    Excessive processes may or may not be an issue, but it's giving you a clue that a certain script is taking a long time to run,
    which may be a cause of high load or may just be a symptom of high load.
     
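To see which csf.pignore entry would actually cover the process in the lfd alert quoted in post #1, here is an added Python example (not from this thread and not csf's own code) that parses the alert's fields and applies a simplified model of pignore matching. The model (exe:/user:/cmd: compared exactly, pexe:/puser:/pcmd: treated as regular expressions) is an assumption about csf's behaviour, and the alert text is copied from the post.

```python
import re

# Constructed lfd process-tracking alert, copied from the fields in post #1 above
REPORT = """PID: 1964 (Parent PID:1931)
Account: xxxxx

Executable:

/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):

spamd child
"""

def parse_report(text):
    """Pull the account, executable and command line out of an lfd PT alert."""
    lines = [l.strip() for l in text.splitlines()]
    def section(title):
        # the value is the first non-empty line after the section heading
        i = lines.index(title)
        return next(l for l in lines[i + 1:] if l)
    m = re.search(r"^Account:\s*(\S+)", text, re.M)
    return {"user": m.group(1) if m else "",
            "exe": section("Executable:"),
            "cmd": section("Command Line (often faked in exploits):")}

# Assumed csf.pignore semantics: exe:/user:/cmd: exact match, p* keys are regexes
FIELDS = {"exe": "exe", "pexe": "exe", "user": "user", "puser": "user",
          "cmd": "cmd", "pcmd": "cmd"}

def pignore_matches(rule, proc):
    kind, _, value = rule.partition(":")
    field = FIELDS.get(kind)
    if field is None:           # comments, blank lines, unknown keys never match
        return False
    if kind.startswith("p"):
        return re.search(value, proc[field]) is not None
    return proc[field] == value

def matching_rules(rules, report_text):
    proc = parse_report(report_text)
    return [r for r in rules if pignore_matches(r, proc)]

# the entry suggested in the thread, plus two alternatives for comparison
RULES = [
    "exe:/usr/local/cpanel/3rdparty/perl/514/bin/spamd",
    "exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl",
    "cmd:spamd child",
]
```

In that alert the Executable field is the perl interpreter and only the command line reads spamd child, so an exe: entry for the spamd script path does not match it. An exe: entry for the perl binary ignores every perl process, and the alert's own heading notes that command lines are often faked, so the narrowest entry that still matches is the one to prefer.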
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    cPanel Access Level: Root Administrator
    Hello :)

    You can also search our forums for "Wordpress Attack" to see threads where users have discussed solutions for mitigating attacks on their WordPress installations.

    Thank you.
     
  4. scullydion

    scullydion Member
    cPanel Access Level: Root Administrator
    Thank you both! I'm searching more info on your suggestions as I type! :)