lfd reporting excessive resource usage / suspicious process "spamd child"

[dcusimano]

It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as suspicious and excessive processs because it's running too long.

I see a pair of notification emails every now and then:

lfd on SERVERNAME: Excessive resource usage: USERNAME (15690 (Parent PID:14162))
lfd on SERVERNAME: Suspicious process running under user USERNAME

Excerpt from the "Excessive resource usage" email:

Time: Wed May 16 07:01:43 2018 -0700
Account: USERNAME
Resource: Process Time
Exceeded: 22283 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
Command Line: spamd child
PID: 15690 (Parent PID:14162)
Killed: No

The process uptime is large in this example (6 hours). I don't know the regular behaviour of spamd, if it usually runs for so long or not.

Is this an issue with spamd or lfd?
How do I fix it?

Thanks.

 

[rpvw]

Try adding the following process regex matches to the/etc/csf/csf.pignore file:





pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd

If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl

 

[cPanelLauren]

@dcusimano the advice provided by @rpvw is exactly what should be done. Please let us know if you have any other questions in regard to this.


Thanks!

 

[Sanjay Narayan]

Hi @cPanelLauren
By adding the line in above file, CSF will ignore spamd process. But RPC also keep running for longer time and sometimes spamd in my case. What could be the reason for excessive resource usage by RPC and spamd?

 

[cPanelLauren]

Hi @Sanjay Narayan


I believe the confusion is with the alert itself, this isn't an excessive resource usage alert it's a process time alert indicating that the process has run longer than the threshold LFD has set, for these processes it is normal for them to be running like this.

 

[Gino Viroli]

Try adding the following process regex matches to the/etc/csf/csf.pignore file:

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd

If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl

FYI: we added only:

exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd

to /etc/csf/csf.pignore file

It seems to work fine.

 

[rpvw]

FYI: we added only:

exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd

to /etc/csf/csf.pignore file

It seems to work fine.

That will work fine until the pearl version changes - which is why I gave you a regex to cover all the perl versions for that process !

For instance, my server uses perl 526 so the path is /usr/local/cpanel/3rdparty/perl/526/bin/spamd which would NOT match your rule.

 

[Gino Viroli]

That will work fine until the pearl version changes - which is why I gave you a regex to cover all the perl versions for that process !

For instance, my server uses perl 526 so the path is /usr/local/cpanel/3rdparty/perl/526/bin/spamd which would NOT match your rule.

Sorry, didn't mean to pick on your answer.

I'm still learning.

Thanks

P.S. for improved secuirity maybe this one could be even better:

pexe:^/usr/local/cpanel/3rdparty/perl/.*/bin/spamd$

 

[mlweber]

I am having the same problem with numerous spamd child Suspicious process and Excessive resource usage LFD notifications. I have tried adding the coding below to the csf.pignore file, but am still getting the notifications.

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd

I also tried it with the actual Perl version (530) instead of .*, which did not stop the notifications either, and the line below already existed in the csf.pignore file, but was not blocking the notifications:

exe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl

I have also tried using both pexe/: and exe:/

I am getting these notifications for various domains on the server several times per hour and would appreciate any help in putting an end to them.

 

[cPanelLauren]

What is the specific notification you're receiving for this @mlweber? The lines included in the mail notification are really helpful.

 

[mlweber]

Thank you for the quick reply!

I'm getting 2 emails every time. I'm pasting in the content from the 2 that I just received:

Excessive resource usage email notification:
Time: Fri Feb 28 12:31:43 2020 -0600
Account: vector
Resource: Process Time
Exceeded: 19731 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line: spamd child
PID: 7916 (Parent PID:6712)
Killed: No


Suspicious process email notification:
Time: Fri Feb 28 12:31:43 2020 -0600
PID: 7916 (Parent PID:6712)
Account: vector
Uptime: 19731 seconds
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 127.0.0.1:49706
Files open by the process (if any):
/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/530/bin/spamd
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

Memory maps by the process (if any):

Then there is a process list shown below that I didn't think was needed or relevant, but will happily provide if you want it.

 

[cPanelLauren]

What you need to exclude if you're going to exclude by EXE is the actual executable which is /usr/local/cpanel/3rdparty/perl/530/bin/perl in both cases.

They give you three options of items to ignore:

# exe:/full/path/to/file
# user:username
# cmd:command line

Then they give you the same three lines in the notifications:

Account: vector ###This is the user
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl  ###The Executable
Command Line (often faked in exploits): spamd child ###The Command Line

You're attempting to block:

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd

Which would just block /usr/local/cpanel/3rdparty/perl/.*/bin/spamd specifically, not /usr/local/cpanel/3rdparty/perl/530/bin/perl

If you're concern is to match spamd you should ignore it this way:

pcmd:spamd child

I wrote a resource not that long ago on how to do this: Tutorial - CSF/LFD - Excessive Resource Usage - Process Time

If you want to ignore perl in general which I would hesitate to do you can use:

For the perl regular experession:

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl

For the basic line:

exe:/usr/local/cpanel/3rdparty/perl/530/bin/perl

 

[mlweber]

I followed the advice given by @rpvw on May 16, 2018 and which you cited as being exactly what should have been done, which did not work for me. I have now also added the pcmd:spamd child to the csf.pignore file and will see if that works and if so will post again to indicate that it did.

I did have pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl in the csf.pignore file and that did not stop the notifications, nor did pexe:/usr/local/cpanel/3rdparty/perl/530/bin/perl


What's a little odd is that I was not receiving these notification before cPanel updated to version 86.0.4 earlier this morning, and now I'm getting numerous notifications every hour.

 

[mlweber]

Okay, so that did not work either. I have tried everything I could find to stop these notifications and nothing has worked. I am attaching a screenshot of what I have in the csf.pignore file as well as my Outlook inbox showing that these notifications are still coming in.

 

[cPanelLauren]

Based on the screenshot you're receiving several different types of notifications. Are they all for the same exe and cmd entries? The p should only be placed in front of the exe or cmd entry in the event you're using the perl regex format. As you're not you can remove that.

The formatting instructions are clearly listed in the pignore file:

# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*

Are you restarting CSF after adding the additions? If you re-add your ignores and restart CSF after you've added them and you're confident the notifications are all for the same processes, I'd advise you to contact CSF for further assistance.

 

[mlweber]

Thank you for the response. I had been restarting CSF after making and/or changing the ignores, but forgot to do so after adding pcmd:spamd child.

I restarted CSF and Apache and have not received any further notifications since. Thank you for your help!