
rpcbind opened new server ports after cPanel update?

Discussion in 'Bind / DNS / Nameserver Issues' started by net@work, May 23, 2017.

  1. net@work

    net@work Active Member

    I have 2 DNSOnly VPSes:

    CentOS 7.3 x86, cPanel 64.0.21 (both VPSes)

    Yesterday these VPSes ran an update of these packages:

    Package libtirpc.x86_64 0:0.2.4-0.8.el7_3 will be an update
    Package rpcbind.x86_64 0:0.2.0-38.el7 will be updated
    Package rpcbind.x86_64 0:0.2.0-38.el7_3 will be an update

    After this update I am getting strange messages like:
    -------------------------------------------------
    Executable:

    /usr/sbin/rpcbind


    Command Line (often faked in exploits):

    /sbin/rpcbind -w


    Network connections by the process (if any):

    tcp6: 0.0.0.0:111 -> 0.0.0.0:0
    tcp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:907 -> 0.0.0.0:0
    udp6: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:907 -> 0.0.0.0:0
    --------------------------------------


    Executable:

    /usr/sbin/rpcbind


    Command Line (often faked in exploits):

    /sbin/rpcbind -w


    Network connections by the process (if any):

    tcp6: 0.0.0.0:111 -> 0.0.0.0:0
    tcp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:834 -> 0.0.0.0:0
    udp6: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:834 -> 0.0.0.0:0

    ------------------------------------------------


    I noticed that the server now has these ports open:

    111, 834 on one VPS
    111, 907 on the second VPS!

    I see this documentation about cPanel ports, but I can't find those specific ports!!

    Can you please explain to me whether those ports are dangerous or whether it is OK to work with them?

    Before this update I didn't have any notifications of this kind!!

    Any advice is highly appreciated!
     
  2. Zuriel

    Zuriel Registered

    Same thing for me.

    Time: Tue May 23 13:56:35 2017 -0400
    PID: 15166 (Parent PID:15166)
    Account: rpc
    Uptime: 21725 seconds


    Executable:

    /usr/sbin/rpcbind


    Command Line (often faked in exploits):

    /sbin/rpcbind -w


    Network connections by the process (if any):

    tcp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:111 -> 0.0.0.0:0
    udp: 0.0.0.0:925 -> 0.0.0.0:0
    udp6: 0.0.0.0:111 -> 0.0.0.0:0
    udp6: 0.0.0.0:925 -> 0.0.0.0:0
    tcp6: 0.0.0.0:111 -> 0.0.0.0:0


    Files open by the process (if any):

    /dev/null
    /dev/null
    /dev/null
    /run/rpcbind.lock


    Memory maps by the process (if any):


    Started last night.
     
  3. BillyS

    BillyS Active Member

    I came here looking to see if anyone else is getting these. Yeah, CentOS / RH just updated those two packages and now I'm getting these CSF messages every hour.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The rpcbind package is installed through YUM as part of CentOS 7, and I do see on a test system that it was recently updated:

    Code:
    # grep rpcbind /var/log/yum.log
    May 23 05:41:05 Updated: rpcbind-0.2.0-38.el7_3.x86_64
    There's a recent discussion on this topic at:

    SOLVED - rpcbind got installed.

    Thank you.
     
  5. net@work

    net@work Active Member

    Hello @cPanelMichael!

    So can we disable it without causing any problems for our DNSOnly cPanel servers?

    We just do this:

    Code:
    systemctl disable rpcbind
    Is it better to disable it or remove it?

    I notice that rpcbind requires quota, which cpanel-perl-524-Quota-1.7.2-1.cp1162.x86_64 requires.

    Code:
    rpm -q --whatrequires rpcbind
    quota-4.01-14.el7.x86_64
    
    rpm -q --whatrequires quota
    quota-devel-4.01-14.el7.x86_64
    cpanel-perl-524-Quota-1.7.2-1.cp1162.x86_64
    
    If I disable it, will I have a malfunction? I don't want to break the system, but for security reasons I don't want to have open ports that I don't need!

    I have DNSOnly VPSes with these ports:

    Code:
    netstat -tulpen
        
    tcp        0      0 0.0.0.0:2095            0.0.0.0:*               LISTEN      0          11850859   21337/cpsrvd (SSL) 
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          11645463   1/systemd           
    tcp        0      0 0.0.0.0:2096            0.0.0.0:*               LISTEN      0          11850862   21337/cpsrvd (SSL) 
    tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          11442227   12466/exim                 
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      25         6101461    17991/named         
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          11442223   12466/exim         
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      25         6101466    17991/named         
    tcp        0      0 0.0.0.0:2082            0.0.0.0:*               LISTEN      0          11850857   21337/cpsrvd (SSL) 
    tcp        0      0 127.0.0.1:579           0.0.0.0:*               LISTEN      0          11850300   21381/cPhulkd - pro
    tcp        0      0 0.0.0.0:2083            0.0.0.0:*               LISTEN      0          11850860   21337/cpsrvd (SSL) 
    tcp        0      0 0.0.0.0:2086            0.0.0.0:*               LISTEN      0          11850858   21337/cpsrvd (SSL) 
    tcp        0      0 0.0.0.0:2087            0.0.0.0:*               LISTEN      0          11850861   21337/cpsrvd (SSL) 
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          11442225   12466/exim                   
    tcp6       0      0 :::111                  :::*                    LISTEN      0          11645462   1/systemd           
    tcp6       0      0 :::465                  :::*                    LISTEN      0          11442226   12466/exim         
    tcp6       0      0 :::25                   :::*                    LISTEN      0          11442222   12466/exim         
    tcp6       0      0 :::3306                 :::*                    LISTEN      993        16400      891/mysqld         
    tcp6       0      0 :::587                  :::*                    LISTEN      0          11442224   12466/exim         
    udp        0      0 127.0.0.1:323           0.0.0.0:*                           996        15373      627/chronyd         
    udp        0      0 0.0.0.0:907             0.0.0.0:*                           0          11646081   30836/rpcbind             
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           25         6101460    17991/named         
    udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          11646080   30836/rpcbind       
    udp6       0      0 ::1:323                 :::*                                996        15374      627/chronyd         
    udp6       0      0 :::907                  :::*                                0          11646083   30836/rpcbind       
    udp6       0      0 :::111                  :::*                                0          11646082   30836/rpcbind 
    Thank you!
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You can disable the service with the following commands on CentOS 7:

    Code:
    systemctl disable rpcbind.service
    service rpcbind stop
    I don't recommend removing the RPM itself, as it has several dependencies with packages such as quota and dovecot.

    Thank you.
     