rpcbind opened new server ports after cPanel update?

[email protected]

I have 2 DNSonly vpses:

Centos7.3 x86 cPanel 64.0.21 (both vpses)

Yesterday these vpses ran an update of these packages:

Package libtirpc.x86_64 0:0.2.4-0.8.el7_3 will be an update
Package rpcbind.x86_64 0:0.2.0-38.el7 will be updated
Package rpcbind.x86_64 0:0.2.0-38.el7_3 will be an update

After this update I have strange messages like:
-------------------------------------------------
Executable:

/usr/sbin/rpcbind


Command Line (often faked in exploits):

/sbin/rpcbind -w


Network connections by the process (if any):

tcp6: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:907 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:907 -> 0.0.0.0:0
--------------------------------------


Executable:

/usr/sbin/rpcbind


Command Line (often faked in exploits):

/sbin/rpcbind -w


Network connections by the process (if any):

tcp6: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:834 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:834 -> 0.0.0.0:0

------------------------------------------------


I noticed that now the server has these ports open:

111, 834 in one vps
111, 907 in the second vps!

I see this documentation about cPanel ports but I can't find those specific ports!!

Please, can someone explain to me whether those ports are dangerous or OK to work with?

Before this update I didn't have any notification of this kind!!

Please any advice is highly appreciated!
 

Zuriel

same thing for me.

Time: Tue May 23 13:56:35 2017 -0400
PID: 15166 (Parent PID:15166)
Account: rpc
Uptime: 21725 seconds


Executable:

/usr/sbin/rpcbind


Command Line (often faked in exploits):

/sbin/rpcbind -w


Network connections by the process (if any):

tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:925 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:925 -> 0.0.0.0:0
tcp6: 0.0.0.0:111 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/run/rpcbind.lock


Memory maps by the process (if any):


started last night
 

BillyS

I came here looking to see if anyone else is getting these. Yeah, Centos / RH just updated those two packages and now I'm getting these CSF messages every hour.
 

cPanelMichael

Administrator
Staff member
Hello,

The rpcbind package is installed through YUM as part of CentOS 7, and I do see on a test system that it was recently updated:

Code:
# grep rpcbind /var/log/yum.log
May 23 05:41:05 Updated: rpcbind-0.2.0-38.el7_3.x86_64
There's a recent discussion on this topic at:

SOLVED - rpcbind got installed.

Thank you.
 

[email protected]

Hello @cPanelMichael!

So can we disable it without causing any problem for our dnsonly cPanel servers?

We just do this:

Code:
systemctl disable rpcbind
Is it better to disable this or remove it?

I notice that rpcbind requires quota that cpanel-perl-524-Quota-1.7.2-1.cp1162.x86_64 requires.

Code:
rpm -q --whatrequires rpcbind
quota-4.01-14.el7.x86_64

rpm -q --whatrequires quota
quota-devel-4.01-14.el7.x86_64
cpanel-perl-524-Quota-1.7.2-1.cp1162.x86_64
If I disable it, will I have a malfunction? I don't want to break the system, but I don't want to have ports open that I don't need, for security purposes!

I have dnsonly vpses with those ports:

Code:
netstat -tulpen
    
tcp        0      0 0.0.0.0:2095            0.0.0.0:*               LISTEN      0          11850859   21337/cpsrvd (SSL) 
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          11645463   1/systemd           
tcp        0      0 0.0.0.0:2096            0.0.0.0:*               LISTEN      0          11850862   21337/cpsrvd (SSL) 
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          11442227   12466/exim                 
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      25         6101461    17991/named         
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          11442223   12466/exim         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      25         6101466    17991/named         
tcp        0      0 0.0.0.0:2082            0.0.0.0:*               LISTEN      0          11850857   21337/cpsrvd (SSL) 
tcp        0      0 127.0.0.1:579           0.0.0.0:*               LISTEN      0          11850300   21381/cPhulkd - pro
tcp        0      0 0.0.0.0:2083            0.0.0.0:*               LISTEN      0          11850860   21337/cpsrvd (SSL) 
tcp        0      0 0.0.0.0:2086            0.0.0.0:*               LISTEN      0          11850858   21337/cpsrvd (SSL) 
tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN      0          11850861   21337/cpsrvd (SSL) 
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          11442225   12466/exim                   
tcp6       0      0 :::111                  :::*                    LISTEN      0          11645462   1/systemd           
tcp6       0      0 :::465                  :::*                    LISTEN      0          11442226   12466/exim         
tcp6       0      0 :::25                   :::*                    LISTEN      0          11442222   12466/exim         
tcp6       0      0 :::3306                 :::*                    LISTEN      993        16400      891/mysqld         
tcp6       0      0 :::587                  :::*                    LISTEN      0          11442224   12466/exim         
udp        0      0 127.0.0.1:323           0.0.0.0:*                           996        15373      627/chronyd         
udp        0      0 0.0.0.0:907             0.0.0.0:*                           0          11646081   30836/rpcbind             
udp        0      0 127.0.0.1:53            0.0.0.0:*                           25         6101460    17991/named         
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          11646080   30836/rpcbind       
udp6       0      0 ::1:323                 :::*                                996        15374      627/chronyd         
udp6       0      0 :::907                  :::*                                0          11646083   30836/rpcbind       
udp6       0      0 :::111                  :::*                                0          11646082   30836/rpcbind
Thank you!
 

cPanelMichael

Hello,

You can disable the service with the following commands on CentOS 7:

Code:
systemctl disable rpcbind.service
service rpcbind stop
I don't recommend removing the RPM itself, as it has several dependencies with packages such as quota and dovecot.

Thank you.
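
An added check, not part of the original thread and not cPanel's own tooling: the netstat output posted above shows TCP port 111 held by `1/systemd`, which points to systemd socket activation, so it is worth confirming what still listens after the service is disabled (on CentOS 7 the unit is normally `rpcbind.socket`; treat that name as an assumption and confirm it with `systemctl list-sockets`). The function names `rpc_listeners` and `sample_netstat` are hypothetical, and the sample lines are constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example: report rpcbind-related listeners that are reachable from
# outside the host, reading `netstat -tulpen` output on stdin.
# A socket is reported when it is bound to a non-loopback address and is
# either owned by rpcbind or is port 111 held by systemd (socket activation).
rpc_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Local address is field 4; the port follows the last colon.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only

            # udp rows have no State column, so locate the PID/Program field.
            owner = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ "^[0-9]+/") {
                    owner = $i
                    sub("^[0-9]+/", "", owner)
                    break
                }
            }
            if (owner == "rpcbind" || (owner == "systemd" && port == "111"))
                print $1, port, owner
        }'
}

# Constructed sample input, trimmed from the netstat output in this thread.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN      0          11850861   21337/cpsrvd (SSL)
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          11645463   1/systemd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      25         6101461    17991/named
tcp6       0      0 :::111                  :::*                    LISTEN      0          11645462   1/systemd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           996        15373      627/chronyd
udp        0      0 0.0.0.0:907             0.0.0.0:*                           0          11646081   30836/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          11646080   30836/rpcbind
udp6       0      0 :::907                  :::*                                0          11646083   30836/rpcbind
EOF
}

sample_netstat | rpc_listeners
```

On a live server, pipe `netstat -tulpen` into `rpc_listeners` after disabling the service; an empty result means nothing rpcbind-related is still bound to a non-loopback address.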
 