lfd reporting excessive resource usage / suspicious process "spamd child"

dcusimano

It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as suspicious and excessive process because it's running too long.

I see a pair of notification emails every now and then:

lfd on SERVERNAME: Excessive resource usage: USERNAME (15690 (Parent PID:14162))
lfd on SERVERNAME: Suspicious process running under user USERNAME


Excerpt from the "Excessive resource usage" email:

Time: Wed May 16 07:01:43 2018 -0700
Account: USERNAME
Resource: Process Time
Exceeded: 22283 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
Command Line: spamd child
PID: 15690 (Parent PID:14162)
Killed: No


The process uptime is large in this example (6 hours). I don't know the regular behaviour of spamd, if it usually runs for so long or not.

Is this an issue with spamd or lfd?
How do I fix it?

Thanks.
 

rpvw

Try adding the following process regex matches to the /etc/csf/csf.pignore file:
Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code
Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
 

cPanelLauren

@dcusimano the advice provided by @rpvw is exactly what should be done. Please let us know if you have any other questions in regard to this.


Thanks!
 

cPanelLauren

Hi @Sanjay Narayan


I believe the confusion is with the alert itself: this isn't an excessive resource usage alert, it's a process time alert indicating that the process has run longer than the threshold LFD has set. For these processes it is normal for them to be running like this.
 

Gino Viroli

Try adding the following process regex matches to the /etc/csf/csf.pignore file:
Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code
Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
FYI: we added only:

Code:
exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd
to /etc/csf/csf.pignore file

It seems to work fine.
 

rpvw

FYI: we added only:

Code:
exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd
to /etc/csf/csf.pignore file

It seems to work fine.
That will work fine until the perl version changes - which is why I gave you a regex to cover all the perl versions for that process!

For instance, my server uses perl 526 so the path is /usr/local/cpanel/3rdparty/perl/526/bin/spamd which would NOT match your rule.
 

Gino Viroli

That will work fine until the perl version changes - which is why I gave you a regex to cover all the perl versions for that process!

For instance, my server uses perl 526 so the path is /usr/local/cpanel/3rdparty/perl/526/bin/spamd which would NOT match your rule.
Sorry, didn't mean to pick on your answer. :(

I'm still learning. :-p

Thanks ;)

P.S. for improved security maybe this one could be even better:
Code:
pexe:^/usr/local/cpanel/3rdparty/perl/.*/bin/spamd$
 

mlweber

I am having the same problem with numerous spamd child Suspicious process and Excessive resource usage LFD notifications. I have tried adding the coding below to the csf.pignore file, but am still getting the notifications.

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd

I also tried it with the actual Perl version (530) instead of .*, which did not stop the notifications either, and the line below already existed in the csf.pignore file, but was not blocking the notifications:

exe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl

I have also tried using both pexe:/ and exe:/

I am getting these notifications for various domains on the server several times per hour and would appreciate any help in putting an end to them.
 

mlweber

Thank you for the quick reply!

I'm getting 2 emails every time. I'm pasting in the content from the 2 that I just received:

Excessive resource usage email notification:
Time: Fri Feb 28 12:31:43 2020 -0600
Account: vector
Resource: Process Time
Exceeded: 19731 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line: spamd child
PID: 7916 (Parent PID:6712)
Killed: No


Suspicious process email notification:
Time: Fri Feb 28 12:31:43 2020 -0600
PID: 7916 (Parent PID:6712)
Account: vector
Uptime: 19731 seconds
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 127.0.0.1:49706
Files open by the process (if any):
/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/530/bin/spamd
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

Memory maps by the process (if any):

Then there is a process list shown below that I didn't think was needed or relevant, but will happily provide if you want it.
 

cPanelLauren

What you need to exclude if you're going to exclude by EXE is the actual executable which is /usr/local/cpanel/3rdparty/perl/530/bin/perl in both cases.

They give you three options of items to ignore:
Code:
# exe:/full/path/to/file
# user:username
# cmd:command line
Then they give you the same three lines in the notifications:

Code:
Account: vector ###This is the user
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl  ###The Executable
Command Line (often faked in exploits): spamd child ###The Command Line

You're attempting to block:

Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
Which would just block /usr/local/cpanel/3rdparty/perl/.*/bin/spamd specifically, not /usr/local/cpanel/3rdparty/perl/530/bin/perl

If your concern is to match spamd you should ignore it this way:
Code:
pcmd:spamd child
I wrote a resource not that long ago on how to do this: Tutorial - CSF/LFD - Excessive Resource Usage - Process Time

If you want to ignore perl in general which I would hesitate to do you can use:

For the perl regular expression:
Code:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
For the basic line:

Code:
exe:/usr/local/cpanel/3rdparty/perl/530/bin/perl
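
The field-by-field comparison described in this post, as an added example (not code from any poster and not taken from csf/lfd): it checks the ignore rules tried in the thread against the alert's Account, Executable and Command Line values. Assumptions: regex rules must match the whole field, Python's `re` stands in for Perl regex, and all function names are hypothetical.

```python
import re

# Fields copied from the lfd "Excessive resource usage" alert quoted in the thread.
ALERT = """\
Account: vector
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line: spamd child
"""

# csf.pignore candidates that posters tried or suggested.
RULES = [
    "pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd",
    "exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd",
    "pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl",
    "pcmd:spamd child",
]

# Which alert field each rule type is compared against.
FIELD_FOR_KIND = {"exe": "Executable", "user": "Account", "cmd": "Command Line"}

def parse_alert(text):
    """Turn 'Key: value' alert lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def rule_matches(rule, alert):
    """Model (assumption, not lfd's code): plain rules compare exactly,
    p-prefixed rules are regexes that must match the whole field."""
    kind, sep, pattern = rule.strip().partition(":")
    is_regex = kind[:1] == "p" and kind[1:] in FIELD_FOR_KIND
    kind = kind[1:] if is_regex else kind
    if not sep or kind not in FIELD_FOR_KIND:
        return False  # comments, blank lines, unknown prefixes
    value = alert.get(FIELD_FOR_KIND[kind], "")
    if is_regex:
        return re.fullmatch(pattern, value) is not None
    return pattern == value

def matching_rules(rules, alert_text):
    alert = parse_alert(alert_text)
    return [r for r in rules if rule_matches(r, alert)]

if __name__ == "__main__":
    hits = matching_rules(RULES, ALERT)
    for r in RULES:
        print(("MATCH   " if r in hits else "no match"), r)
```

Both spamd-path rules report no match because the alert's Executable is the perl interpreter, while the perl-path and `pcmd:spamd child` rules match.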
 

mlweber

I followed the advice given by @rpvw on May 16, 2018 and which you cited as being exactly what should have been done, which did not work for me. I have now also added the pcmd:spamd child to the csf.pignore file and will see if that works and if so will post again to indicate that it did.

I did have pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl in the csf.pignore file and that did not stop the notifications, nor did pexe:/usr/local/cpanel/3rdparty/perl/530/bin/perl


What's a little odd is that I was not receiving these notifications before cPanel updated to version 86.0.4 earlier this morning, and now I'm getting numerous notifications every hour.
 

mlweber

Okay, so that did not work either. I have tried everything I could find to stop these notifications and nothing has worked. I am attaching a screenshot of what I have in the csf.pignore file as well as my Outlook inbox showing that these notifications are still coming in.

csf.pignore.png
 

cPanelLauren

Based on the screenshot you're receiving several different types of notifications. Are they all for the same exe and cmd entries? The p should only be placed in front of the exe or cmd entry in the event you're using the perl regex format. As you're not you can remove that.

The formatting instructions are clearly listed in the pignore file:

Code:
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
Are you restarting CSF after adding the additions? If you re-add your ignores and restart CSF after you've added them and you're confident the notifications are all for the same processes, I'd advise you to contact CSF for further assistance.
 

mlweber

Thank you for the response. I had been restarting CSF after making and/or changing the ignores, but forgot to do so after adding pcmd:spamd child.

I restarted CSF and Apache and have not received any further notifications since. Thank you for your help!
 