Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

lfd reporting excessive resource usage / suspicious process "spamd child"

Discussion in 'Security' started by dcusimano, May 16, 2018.

  1. dcusimano

    dcusimano Member

    Joined:
    Feb 24, 2008
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    53
    Location:
    Toronto, Ontario, Canada
    It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as suspicious and excessive processs because it's running too long.

    I see a pair of notification emails every now and then:

    lfd on SERVERNAME: Excessive resource usage: USERNAME (15690 (Parent PID:14162))
    lfd on SERVERNAME: Suspicious process running under user USERNAME


    Excerpt from the "Excessive resource usage" email:

    Time: Wed May 16 07:01:43 2018 -0700
    Account: USERNAME
    Resource: Process Time
    Exceeded: 22283 > 1800 (seconds)
    Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
    Command Line: spamd child
    PID: 15690 (Parent PID:14162)
    Killed: No


    The process uptime is large in this example (6 hours). I don't know the regular behaviour of spamd, if it usually runs for so long or not.

    Is this an issue with spamd or lfd?
    How do I fix it?

    Thanks.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    632
    Likes Received:
    201
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Try adding the following process regex matches to the/etc/csf/csf.pignore file:
    Code:
    



pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
    If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code
    Code:
    pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
     
    dcusimano likes this.
  3. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    968
    Likes Received:
    68
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @dcusimano the advice provided by @rpvw is exactly what should be done. Please let us know if you have any other questions in regard to this.


    Thanks!
     
    dcusimano likes this.
Loading...

Share This Page