I realize that this is probably a very common WHM/CSF question, but I can't find an answer using search or Google search.
I receive emails from my root account at random times for a particular user who has SpamAssassin enabled (other users do not).
Typical content is shown below. If you are about to tell me how to suppress these messages, I already know. I want to know if I should suppress these messages. A working program should not produce error messages.
If you are about to tell me that cPanel or WHM does not support CSF/LFD, I know that. But neither does anyone else, so far as I can tell. If WHM is going to include the management of CSF, shouldn't this be the right forum?
If you are about to tell me that these messages are produced because the OS or cPanel is automatically updated, I doubt that because I can receive two such messages in one day, and an update happens at most once per day.
There are no tools to use to find out what SpamAssassin was doing at the time of the error message, as far as I can tell. This error might be a bug in SpamAssassin--again, hard to believe.
I'm sure many administrators like me get these messages, but there doesn't seem to be a good explanation for why the spamd process should become wedged. Again, a good program should not become wedged. Is this a CSF/LFD bug? This would be hard to believe, since I've seen this for years. Someone reading this should be able to point me to a good and complete discussion, yes?
Thanks in advance for some good information on this.
Typical email message:
David Spector
Springtime Software
Code:
Subject: lfd: Suspicious process running under user ****
----
Time: Sun Sep 15 04:09:14 2013 -0400
PID: 5268 (Parent PID:20849)
Account: ****
Uptime: 72674 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:44587
udp: <my server IP>:61573 -> <my server IP>:53
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/usr/local/cpanel/3rdparty/perl/514/bin/spamd
/home/asc/.spamassassin/bayes_toks
/home/asc/.spamassassin/bayes_seen
Memory maps by the process (if any):
----
Springtime Software