memcached suspicious process running under user

Discussion in 'General Discussion' started by Mopar1973Man, Mar 18, 2018.

  1. Mopar1973Man

    Mopar1973Man Member

    Joined:
    Mar 9, 2018
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    New Meadows, Idaho
    cPanel Access Level:
    Website Owner
    I've manually added memcached to my cPanel and now I get a ton of email about...

    lfd on server: Suspicious process running under user xxxxxx

    I would like to stop these constant every minute emails. Between PHP and memcached sending email it can fill a 250 MB email account in a mere few days.
     
  2. IndicHosts.net

    IndicHosts.net Active Member

    Joined:
    Mar 11, 2006
    Messages:
    39
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Online
    cPanel Access Level:
    Root Administrator
    I'm guessing this is connected with CSF. Running the following command should do the trick:

    echo "user:memcached" >> /etc/csf/csf.pignore && csf -r
     
  3. httpdocs

    httpdocs Member

    Joined:
    Mar 9, 2018
    Messages:
    7
    Likes Received:
    1
    Trophy Points:
    78
    Location:
    Iran
    cPanel Access Level:
    Root Administrator
    Yes, that's right.
    This message is sent by "csf".
    If you do not want to see this message, specify an unnecessary email address.
    Otherwise, the messages can guide you to better manage the server.
     
  4. Mopar1973Man

    Snippet: This is the most common... PHP-FPM (Mopar1973Man) and the Memcached (Nobody)

    Code:
    Executable:
    
    /opt/cpanel/ea-php72/root/usr/sbin/php-fpm
    
    
    Command Line (often faked in exploits):
    
    php-fpm: pool mopar1973man_com                       
    
    
    Network connections by the process (if any):
    
    tcp: 127.0.0.1:47854 -> 127.0.0.1:11211
    
    
    Files open by the process (if any):
    
    /dev/urandom
    Here is the other email I get but not as common.

    Code:
    Executable:
    
    /usr/bin/memcached
    
    
    Command Line (often faked in exploits):
    
    memcached -d -p 11211 -u nobody -m 256 -c 1024 -P /var/run/memcached/memcached.pid
    
    
    Network connections by the process (if any):
    
    tcp: 0.0.0.0:11211 -> 0.0.0.0:0
    tcp6: 0.0.0.0:11211 -> 0.0.0.0:0
    udp: 0.0.0.0:11211 -> 0.0.0.0:0
    udp6: 0.0.0.0:11211 -> 0.0.0.0:0
    tcp: 127.0.0.1:11211 -> 127.0.0.1:38752
    tcp: 127.0.0.1:11211 -> 127.0.0.1:38714
    tcp: 127.0.0.1:11211 -> 127.0.0.1:38824
    tcp: 127.0.0.1:11211 -> 127.0.0.1:38882
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    [eventpoll]
    [eventpoll]
    [eventpoll]
    [eventpoll]
    [eventpoll]
    
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,367
    Likes Received:
    1,857
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  6. Mopar1973Man

    Again... Someone just chucks out a link like it has the solution, but it's like going down the rabbit hole without a guide.

    So do I follow this link...
    PHP-FPM Pool using lot of CPU

    Or this link...
    Memory usage apparently higher than expected

    Or this link...
    Email Alerts from CSF

    As for the last link, I've attempted this but I'm not sure how to do the syntax correctly, because it's still spitting the mails out at me, 500 a day.

    So it would really help if someone shows me the answer to this problem instead of posting old links to older posts that go in more directions, making this confusing.

    Code:
    exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    729
    Likes Received:
    248
    Trophy Points:
    93
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Sorry if this is not going to be the magic bullet answer you want, but installing modules and daemons on a server has consequences.

    If you have a server with the CSF/lfd installed, and then install memcached or PHP-FPM (or vice versa) you shouldn't be surprised if the consequence is that CSF/lfd starts sending you emails about a process it knows nothing about. It is up to you to either tell CSF/lfd that the process is OK and to ignore it, or for you to decide that the process is not authorised and to expunge it.

    Similarly, if you decide to use CSF/lfd and as a consequence you start getting excessive resource usage warnings, it is up to you to decide if the warnings are justified, and either configure CSF/lfd to report based on your particular hardware configuration, or to investigate the warnings and configure the systems that are provoking them to use less resources.

    In every event, it is better to research and understand what the consequences of any configuration, action, addition or removal of software on a server might be before crashing in and doing it. Every server administrator on this forum was a beginner once upon a time, and the honest ones will admit to learning something new every day. You can easily avoid making mistakes by reading about the experiences and mistakes that other people made, and not repeating them yourself. :)

    Attributed as a variant of the original by George Santayana
     
    #7 rpvw, Mar 22, 2018
    Last edited: Mar 22, 2018
  8. Mopar1973Man

    That is fine, but since I'm a greenhorn to the whole cPanel thing I need more than a link to another post that splits into many directions. So I would like to know how to properly tell CSF that memcache and PHP-FPM are authorized programs so the emails stop flowing, since now my website software requires them.

    It's not so much a resource problem, just that I've added software (memcached) CSF doesn't recognize. As for PHP-FPM, it was part of the package, so the only reason I see for PHP-FPM giving the warning is that it's using memcached as well.

    So now, getting back to an answer: how does a person get the CSF (csf.pignore) syntax right so these two programs run without constant warnings?
     
  9. rpvw

    First thing to do is to read the instructions at the top of the /etc/csf/csf.pignore file (you can access this from the cPanel CSF interface by selecting it from the Blocking drop-down and clicking on edit).

    So, given that your email has already given you the path,
    you would follow the pignore file's instructions
    and add
    Code:
    exe:/usr/bin/memcached
    (don't forget to click on the change button after you finish editing and then restart CSF)

    For the PHP-FPM you may need to adjust the configuration parameters in the CSF configuration Process Tracking section, or just add it to the pignore file (which won't then alert you to any run-away PHP process).

    More information is contained in the csf+lfd readme.txt file (Click on the Firewall Information button in the cPanel CSF interface and settle down for a good read.)

    Since this isn't really a cPanel issue (third party provided plugin) you may get additional help from ConfigServer Community Forum - ConfigServer Security & Firewall

    Hope this helps.
     
    #9 rpvw, Mar 22, 2018
    Last edited: Mar 22, 2018
    cPanelMichael likes this.
  10. Mopar1973Man

    Explain what I've got to configure and where. I've never done this before so I've got no idea what I'm supposed to change. There is a bunch of settings and most have warnings of don't use unless you know what you are doing. So what do I need to adjust for the PHP-FPM???
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,309
    Likes Received:
    393
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You know how to get to csf.pignore, correct?
     
  12. rpvw

    The settings will depend on your hardware, resource allocation, server load, etc., so no one can guess at what they might need to be.

    It rather looks like you need to contract the services of an experienced cPanel/Linux server administrator, and you can find a list of them at System Administration Services | cPanel Forums
     
  13. Mopar1973Man

    Yeah, rpvw showed me an easy way to get there I didn't even know.

    Sorry, my pockets are not that deep! I can't afford to pay for Administration Services. That's why I'm here to figure this stuff out on my own and also learn how to do it myself.
     
  14. rpvw

    OK - since I seem to be spending more time with this support than I am with my own customers! - the easiest way is to just have CSF/lfd ignore the PHP-FPM processes, although you must acknowledge that any process excluded from being tracked has an implication as far as security is concerned.

    You will have seen from your email example that the executable was reported as
    Code:
    /opt/cpanel/ea-php72/root/usr/sbin/php-fpm

    Now you can add this into the pignore file in the familiar format
    Code:
    exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
    ...... but that line would only ignore FPM processes from PHP 7.2 (ea-php72)

    Obviously, you could use several lines to add all the php versions eg
    Code:
    exe:/opt/cpanel/ea-php56/root/usr/sbin/php-fpm
    exe:/opt/cpanel/ea-php70/root/usr/sbin/php-fpm
    exe:/opt/cpanel/ea-php71/root/usr/sbin/php-fpm
    exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
    etc
    ...... but some of us grey-beards consider this to be inelegant and wasteful code.

    Fortunately, CSF/lfd has included the opportunity to use perl regular expression matching (regex), so ONE line to exclude ALL the PHP-FPM processes (irrespective of which PHP versions are used) could be
    Code:
    pexe:/opt/cpanel/ea-php\d+/root/usr/sbin/php-fpm
    All of this is clearly documented in the top of the pignore file itself.

    Note: I have NOT tested that particular regex (since I don't use FPM myself) so use with caution.

    I hope this helps.
     
    #14 rpvw, Mar 24, 2018
    Last edited: Mar 24, 2018
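
An added example (not from any poster in this thread, and not CSF's own code): a small checker that tests csf.pignore-style lines against the process details quoted in the lfd alerts earlier in the thread. `pexe:` values are Perl regular expressions rather than shell globs, so `php*` means "ph" followed by any number of "p" and the version digits need something like `\d+`. Assumptions: Python's `re` stands in for Perl regex (the two agree on these patterns), the regex must match the whole field, and the account name and the `/tmp` path are constructed.

```python
import re

LITERAL = {"exe": "exe", "user": "user", "cmd": "cmd"}
REGEX = {"pexe": "exe", "puser": "user", "pcmd": "cmd"}

def parse_pignore(text):
    """Return (kind, value) rules, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        if kind in LITERAL or kind in REGEX:
            rules.append((kind, value))
    return rules

def matching_rule(rules, proc):
    """Return the first rule that would silence an alert for proc, else None."""
    for kind, value in rules:
        if kind in LITERAL and proc[LITERAL[kind]] == value:
            return f"{kind}:{value}"
        # Assumption: the regex must match the whole field (re.fullmatch).
        if kind in REGEX and re.fullmatch(value, proc[REGEX[kind]]):
            return f"{kind}:{value}"
    return None

# Process details from the two alerts in this thread; the user name is constructed.
PHP_FPM = {"exe": "/opt/cpanel/ea-php72/root/usr/sbin/php-fpm",
           "user": "exampleuser", "cmd": "php-fpm: pool example_com"}
MEMCACHED = {"exe": "/usr/bin/memcached", "user": "nobody",
             "cmd": "memcached -d -p 11211 -u nobody -m 256 -c 1024 "
                    "-P /var/run/memcached/memcached.pid"}
# Constructed: a binary with the same name outside the EasyApache tree.
ROGUE = {"exe": "/tmp/php-fpm", "user": "exampleuser", "cmd": "php-fpm: pool x"}

GLOB_STYLE = parse_pignore("pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm")
TIGHT = parse_pignore(r"""
# memcached daemon and every EasyApache PHP-FPM build
exe:/usr/bin/memcached
pexe:/opt/cpanel/ea-php\d+/root/usr/sbin/php-fpm
""")
BROAD = parse_pignore("pexe:.*php-fpm")

if __name__ == "__main__":
    for name, rules in (("glob-style", GLOB_STYLE), ("tight", TIGHT), ("broad", BROAD)):
        for label, proc in (("php-fpm", PHP_FPM), ("memcached", MEMCACHED), ("rogue", ROGUE)):
            print(f"{name:10} {label:10} -> {matching_rule(rules, proc)}")
```

The broad pattern also silences the constructed `/tmp/php-fpm`, which is the security cost of ignoring a process; a rule tied to the full EasyApache path does not.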
  15. Mopar1973Man

    Here we go down the rabbit hole again.

    Q: Why abandon the adjustments of the PHP? I thought this was the better way of setting up the server?

    I realize that pignoring the PHP could be a bad idea because if there is a hack, etc., you'll never know.

    Q: May I ask what is your reason and what are you using instead? I'm asking because maybe my setup isn't optimal; I'm willing to listen and learn to try and do something better.
     
  16. rpvw

    I have never ever talked about adjusting the PHP configuration here, I am only addressing the levels at which the CSF/lfd plugin alerts you as to perceived excess use, and unless you have a full understanding of how the Apache/PHP/MySQL process impacts on your hardware and resource configuration, you will be experimenting in the CSF configuration until you learn and understand the interrelationships.

    I use Cloudlinux/CageFS/Alt-PHP with lsapi as the handler. (Cloudlinux is commercial, it is not free)
     