Some logfile error questions...

Discussion in 'General Discussion' started by ryan.overton, Mar 16, 2006.

  1. ryan.overton

    ryan.overton Active Member

    Joined:
    Mar 3, 2006
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    Can you guys help me out with some of these errors I am getting, and what they could mean?

    Code:
    Zone update refused:
    
       216.198.74.254 (xxx.net/IN): 1 Time(s)
    
       216.61.180.249 (xxx.com/IN): 33 Time(s)
    
       66.15.114.210 (rxxx.com/IN): 48 Time(s)
    
       67.10.18.39 (rxxx.com/IN): 26 Time(s)
    
       68.76.41.198 (xxx.org/IN): 476 Time(s)
    

    and another...

    Code:
    2006-03-16 07:49:14 socket bind() to port 2525 for address (any IPv4) failed: Address already in use: waiting 30s before trying again (2 more tries)

    and another


    Code:
    root@thunder: pts/1: 46 files 24Mb -> tail -f /var/log/exim_paniclog
    2006-03-15 16:07:03 1FJdWK-0004Xo-OU failed to expand condition "${perl{checkspam}}" for literal router: Domain xxx.net has exceeded the max emails per hour. Message discarded.


    thanks..
     
  2. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
  3. xidica

    xidica Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    63
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Texas
    Regarding this error :

    2006-03-16 07:49:14 socket bind() to port 2525 for address (any IPv4) failed: Address already in use: waiting 30s before trying again (2 more tries)

    I'd recommend that you check what program/service/script is trying to bind itself to port 2525. I'd also suggest you run tools like rkhunter and chkrootkit (although they can give false positives, and aren't 100% foolproof), to see if your machine might be compromised. 2525 is not defined in the standard /etc/services file and I don't know what that could be unless you've configured something to run on it.

    Regarding the perl checkspam error message in exim: I'm guessing that spamassassin is not properly installed. If you're missing the files /usr/bin/spamc and/or /usr/bin/spamd, this is the case. I'd make sure you're running perl 5.8.7 first (grab the tgz from layer1.cpanel.net if you need to update). Then, install that, /usr/local/cpanel/bin/checkperlmodules and /scripts/upcp. A /scripts/fixspamassassinfailed update should correct the issue with exim. Feel free to PM me or whatever if you have any questions.
     
  4. ryan.overton

    ryan.overton Active Member

    Joined:
    Mar 3, 2006
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    We are not running spamassassin – what should we check to make sure it's completely disabled?
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    1. That's from logwatch - most likely clients running WinXP and configuring their PCs to use their domain name (which they should not) and which then try to update the zone for their domain using dDNS, which won't work. You can ignore them.

    2. Usually happens when you save WHM > Tweak Settings and/or Service Manager, which seems to have a bug where it always tries to start another instance of exim on the alternative port whether you have it selected or running in the first place. You can ignore that if exim is already bound to the port which you can check with:

    netstat -lpn | grep 2525

    3. That is a client falling foul of WHM > Tweak Settings > The maximum each domain can send out per hour.
     
  6. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    Joined:
    Nov 18, 2002
    Messages:
    450
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    All over!
    Any thoughts on this?

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... You have 47 process hidden for readdir command
    You have 47 process hidden for ps command
    Warning: Possible LKM Trojan installed
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    First is a false-positive; the LKM and processes are almost always false-positives and can be checked by running the chkrootkit binary as:

    ./chkrootkit -x lkm
     
  8. ThunderHostingDotCom

    ThunderHostingDotCom Well-Known Member

    Joined:
    Nov 18, 2002
    Messages:
    450
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    All over!
    Thank you! This is what it kicked out.

    root@SERVER [~]# cd /root/security/chkrootkit*
    root@SERVER [~/security/chkrootkit-0.43]# ./chkrootkit -x lkm
    ROOTDIR is `/'
    ###
    ### Output of: ./chkproc -v -v
    ###
    PID 4430: not in readdir output
    PID 4430: not in ps output
    CWD 4430: /
    EXE 4430: /usr/sbin/named
    PID 4432: not in readdir output
    PID 4432: not in ps output
    CWD 4432: /
    EXE 4432: /usr/sbin/named
    PID 4433: not in readdir output
    PID 4433: not in ps output
    CWD 4433: /
    EXE 4433: /usr/sbin/named
    PID 4434: not in readdir output
    PID 4434: not in ps output
    CWD 4434: /
    EXE 4434: /usr/sbin/named
    PID 4435: not in readdir output
    PID 4435: not in ps output
    CWD 4435: /
    EXE 4435: /usr/sbin/named
    PID 4436: not in readdir output
    PID 4436: not in ps output
    CWD 4436: /
    EXE 4436: /usr/sbin/named
    PID 5291: not in readdir output
    PID 5291: not in ps output
    CWD 5291: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5291: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5300: not in readdir output
    PID 5300: not in ps output
    CWD 5300: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5300: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5301: not in readdir output
    PID 5301: not in ps output
    CWD 5301: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5301: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5338: not in readdir output
    PID 5338: not in ps output
    CWD 5338: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5338: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5339: not in readdir output
    PID 5339: not in ps output
    CWD 5339: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5339: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5340: not in readdir output
    PID 5340: not in ps output
    CWD 5340: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5340: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5342: not in readdir output
    PID 5342: not in ps output
    CWD 5342: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5342: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5812: not in readdir output
    PID 5812: not in ps output
    CWD 5812: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5812: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5813: not in readdir output
    PID 5813: not in ps output
    CWD 5813: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5813: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5814: not in readdir output
    PID 5814: not in ps output
    CWD 5814: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5814: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5815: not in readdir output
    PID 5815: not in ps output
    CWD 5815: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5815: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5816: not in readdir output
    PID 5816: not in ps output
    CWD 5816: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5816: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5817: not in readdir output
    PID 5817: not in ps output
    CWD 5817: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5817: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5818: not in readdir output
    PID 5818: not in ps output
    CWD 5818: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5818: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5819: not in readdir output
    PID 5819: not in ps output
    CWD 5819: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5819: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5820: not in readdir output
    PID 5820: not in ps output
    CWD 5820: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5820: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5821: not in readdir output
    PID 5821: not in ps output
    CWD 5821: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5821: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5822: not in readdir output
    PID 5822: not in ps output
    CWD 5822: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5822: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5823: not in readdir output
    PID 5823: not in ps output
    CWD 5823: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5823: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5824: not in readdir output
    PID 5824: not in ps output
    CWD 5824: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5824: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5825: not in readdir output
    PID 5825: not in ps output
    CWD 5825: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5825: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5826: not in readdir output
    PID 5826: not in ps output
    CWD 5826: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5826: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5827: not in readdir output
    PID 5827: not in ps output
    CWD 5827: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5827: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5828: not in readdir output
    PID 5828: not in ps output
    CWD 5828: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5828: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5829: not in readdir output
    PID 5829: not in ps output
    CWD 5829: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5829: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5830: not in readdir output
    PID 5830: not in ps output
    CWD 5830: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5830: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5831: not in readdir output
    PID 5831: not in ps output
    CWD 5831: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5831: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5832: not in readdir output
    PID 5832: not in ps output
    CWD 5832: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5832: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5833: not in readdir output
    PID 5833: not in ps output
    CWD 5833: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5833: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5834: not in readdir output
    PID 5834: not in ps output
    CWD 5834: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5834: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5835: not in readdir output
    PID 5835: not in ps output
    CWD 5835: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5835: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5836: not in readdir output
    PID 5836: not in ps output
    CWD 5836: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5836: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5837: not in readdir output
    PID 5837: not in ps output
    CWD 5837: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5837: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5838: not in readdir output
    PID 5838: not in ps output
    CWD 5838: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5838: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5839: not in readdir output
    PID 5839: not in ps output
    CWD 5839: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5839: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5840: not in readdir output
    PID 5840: not in ps output
    CWD 5840: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5840: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5841: not in readdir output
    PID 5841: not in ps output
    CWD 5841: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5841: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5842: not in readdir output
    PID 5842: not in ps output
    CWD 5842: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5842: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 5843: not in readdir output
    PID 5843: not in ps output
    CWD 5843: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin
    EXE 5843: /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc
    PID 9424: not in readdir output
    PID 9424: not in ps output
    CWD 9424: /
    EXE 9424: /usr/sbin/clamd
    PID 27089: not in readdir output
    PID 27089: not in ps output
    CWD 27089: /
    EXE 27089: /usr/sbin/clamd
    You have 47 process hidden for readdir command
    You have 47 process hidden for ps command
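
Added example, not part of the original thread or of chkrootkit: a shell helper that groups the hidden PIDs in `chkproc -v -v` output by executable, so a report like the one above collapses to the three daemons it actually lists (named, jsvc, clamd) and anything outside a known list stands out. The function names, the allowlist arguments and the last sample record are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: triage `./chkrootkit -x lkm` (chkproc -v -v) output.

# Constructed sample in the format shown in the thread. The first four records
# reuse PIDs/paths from the post; the last record is invented for illustration.
sample_chkproc() {
    for rec in "4430 /usr/sbin/named" "4432 /usr/sbin/named" \
               "5291 /usr/local/jakarta/jakarta-tomcat-5.5.9/bin/jsvc" \
               "9424 /usr/sbin/clamd" "20001 /tmp/upd (deleted)"; do
        pid=${rec%% *}; exe=${rec#* }
        printf 'PID %s: not in readdir output\nPID %s: not in ps output\n' "$pid" "$pid"
        printf 'CWD %s: /\nEXE %s: %s\n' "$pid" "$pid" "$exe"
    done
}

# Read chkproc output on stdin; print "<hidden PID count> <executable>".
summarize_chkproc() {
    awk '
        /^[ \t]*PID [0-9]+: not in (readdir|ps) output/ {
            pid = $2; sub(/:$/, "", pid); hidden[pid] = 1
        }
        /^[ \t]*EXE [0-9]+: / {
            pid = $2; sub(/:$/, "", pid)
            exe = $0; sub(/^[ \t]*EXE [0-9]+: /, "", exe)   # keeps paths with spaces
            if (pid in hidden) { count[exe]++; delete hidden[pid] }
        }
        END {
            for (exe in count) printf "%d %s\n", count[exe], exe
            for (pid in hidden) printf "1 (no EXE line for PID %s)\n", pid
        }
    ' | LC_ALL=C sort -k2
}

# Print summary lines whose executable is not one of the paths given as
# arguments (the allowlist is an assumption you supply); return 1 if any.
unexpected_hidden() {
    allow=$(printf '%s\n' "$@")
    summarize_chkproc | ALLOW="$allow" awk '
        BEGIN { n = split(ENVIRON["ALLOW"], a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { exe = $0; sub(/^[0-9]+ /, "", exe); if (!(exe in ok)) { print; bad = 1 } }
        END { exit (bad ? 1 : 0) }
    '
}

sample_chkproc | summarize_chkproc
```

Pipe the real report into `unexpected_hidden` with the multi-threaded daemons you expect on the host as arguments. A path outside that list, a `(deleted)` binary or a PID with no EXE line is what deserves a closer look.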
     