Strange error messages: lfd: Suspicious process running under user

Discussion in 'Security' started by david364, Sep 15, 2013.

  1. david364

    I realize that this is probably a very common WHM/CSF question, but I can't find an answer using search or Google search.

    I receive emails from my root account at random times for a particular user who has SpamAssassin enabled (other users do not).

    Typical content is shown below. If you are about to tell me how to suppress these messages, I already know. I want to know if I should suppress these messages. A working program should not produce error messages.

    If you are about to tell me that cPanel or WHM does not support CSF/LFD, I know that. But neither does anyone else, so far as I can tell. If WHM is going to include the management of CSF, shouldn't this be the right forum?

    If you are about to tell me that these messages are produced because the OS or cPanel is automatically updated, I doubt that because I can receive two such messages in one day, and update happens at most once per day.

    There are no tools to use to find out what SpamAssassin was doing at the time of the error message, as far as I can tell. This error might be a bug in SpamAssassin--again, hard to believe.

    I'm sure many administrators like me get these messages, but there doesn't seem to be a good explanation for why the spamd process should become wedged. Again, a good program should not become wedged. Is this a CSF/LFD bug? This would be hard to believe, since I've seen this for years. Someone reading this should be able to point me to a good and complete discussion, yes?

    Thanks in advance for some good information on this.

    Typical email message:

    Code:
    Subject: lfd: Suspicious process running under user ****
    
    ----
    Time:    Sun Sep 15 04:09:14 2013 -0400
    PID:     5268 (Parent PID:20849)
    Account: ****
    Uptime:  72674 seconds
    
    
    Executable:
    
    /usr/local/cpanel/3rdparty/perl/514/bin/perl
    
    
    Command Line (often faked in exploits):
    
    spamd child
    
    
    Network connections by the process (if any):
    
    tcp: 127.0.0.1:783 -> 0.0.0.0:0
    tcp: 127.0.0.1:783 -> 127.0.0.1:44587
    udp: <my server IP>:61573 -> <my server IP>:53
    
    
    Files open by the process (if any):
    
    /dev/null
    /dev/null
    /dev/null
    /usr/local/cpanel/3rdparty/perl/514/bin/spamd
    /home/asc/.spamassassin/bayes_toks
    /home/asc/.spamassassin/bayes_seen
    
    
    Memory maps by the process (if any):
    
    08048000-08049000 r-xp 00000000 00:1c 180080750                          /usr/local/cpanel/3rdparty/perl/514/bin/perl
    08049000-0804a000 rw-p 00000000 00:1c 180080750                          /usr/local/cpanel/3rdparty/perl/514/bin/perl
    09321000-09cf2000 rw-p 00000000 00:00 0 
    09cf2000-0ad98000 rw-p 00000000 00:00 0 
    0ad98000-0b39c000 rw-p 00000000 00:00 0 
    b6ccb000-b6ce8000 r-xp 00000000 00:1c 113197104                          /lib/libselinux.so.1
    b6ce8000-b6ce9000 r--p 0001c000 00:1c 113197104                          /lib/libselinux.so.1
    b6ce9000-b6cea000 rw-p 0001d000 00:1c 113197104                          /lib/libselinux.so.1
    b6cea000-b6cf4000 r-xp 00000000 00:1c 113197116                           (deleted)/lib/libkrb5support.so.0.1
    b6cf4000-b6cf5000 r--p 00009000 00:1c 113197116                           (deleted)/lib/libkrb5support.so.0.1
    b6cf5000-b6cf6000 rw-p 0000a000 00:1c 113197116                           (deleted)/lib/libkrb5support.so.0.1
    b6cf6000-b6d0b000 r-xp 00000000 00:1c 113197094                           (deleted)/lib/libresolv-2.12.so
    b6d0b000-b6d0c000 ---p 00015000 00:1c 113197094                           (deleted)/lib/libresolv-2.12.so
    b6d0c000-b6d0d000 r--p 00015000 00:1c 113197094                           (deleted)/lib/libresolv-2.12.so
    b6d0d000-b6d0e000 rw-p 00016000 00:1c 113197094                           (deleted)/lib/libresolv-2.12.so
    b6d0e000-b6d10000 rw-p 00000000 00:00 0 
    b6d10000-b6d38000 r-xp 00000000 00:1c 113197112                           (deleted)/lib/libk5crypto.so.3.1
    b6d38000-b6d39000 r--p 00028000 00:1c 113197112                           (deleted)/lib/libk5crypto.so.3.1
    b6d39000-b6d3a000 rw-p 00029000 00:1c 113197112                           (deleted)/lib/libk5crypto.so.3.1
    b6d3a000-b6d3b000 rw-p 00000000 00:00 0 
    b6d3b000-b6d3e000 r-xp 00000000 00:1c 113197106                          /lib/libcom_err.so.2.1
    b6d3e000-b6d3f000 r--p 00002000 00:1c 113197106                          /lib/libcom_err.so.2.1
    b6d3f000-b6d40000 rw-p 00003000 00:1c 113197106                          /lib/libcom_err.so.2.1
    b6d40000-b6e16000 r-xp 00000000 00:1c 113197114                           (deleted)/lib/libkrb5.so.3.3
    b6e16000-b6e1c000 r--p 000d5000 00:1c 113197114                           (deleted)/lib/libkrb5.so.3.3
    b6e1c000-b6e1d000 rw-p 000db000 00:1c 113197114                           (deleted)/lib/libkrb5.so.3.3
    b6e1d000-b6e5b000 r-xp 00000000 00:1c 113197108                           (deleted)/lib/libgssapi_krb5.so.2.2
    b6e5b000-b6e5c000 r--p 0003e000 00:1c 113197108                           (deleted)/lib/libgssapi_krb5.so.2.2
    b6e5c000-b6e5d000 rw-p 0003f000 00:1c 113197108                           (deleted)/lib/libgssapi_krb5.so.2.2
    b6e67000-b6ebb000 r-xp 00000000 00:1c 192053589                          /usr/lib/libssl.so.1.0.0
    b6ebb000-b6ebd000 r--p 00054000 00:1c 192053589                          /usr/lib/libssl.so.1.0.0
    b6ebd000-b6ec0000 rw-p 00056000 00:1c 192053589                          /usr/lib/libssl.so.1.0.0
    b6ec0000-b6ed2000 r-xp 00000000 00:1c 113197103                          /lib/libz.so.1.2.3
    b6ed2000-b6ed3000 r--p 00011000 00:1c 113197103                          /lib/libz.so.1.2.3
    b6ed3000-b6ed4000 rw-p 00012000 00:1c 113197103                          /lib/libz.so.1.2.3
    b6ed4000-b6ed6000 r-xp 00000000 00:1c 114213605                          /lib/libkeyutils.so.1.3
    b6ed6000-b6ed7000 r--p 00001000 00:1c 114213605                          /lib/libkeyutils.so.1.3
    b6ed7000-b6ed8000 rw-p 00002000 00:1c 114213605                          /lib/libkeyutils.so.1.3
    b6ed8000-b6edd000 r-xp 00000000 00:1c 182190428                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
    b6edd000-b6ede000 rw-p 00004000 00:1c 182190428                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Crypt/OpenSSL/RSA/RSA.so
    b6ede000-b7053000 r-xp 00000000 00:1c 192053587                          /usr/lib/libcrypto.so.1.0.0
    b7053000-b7054000 ---p 00175000 00:1c 192053587                          /usr/lib/libcrypto.so.1.0.0
    b7054000-b7062000 r--p 00175000 00:1c 192053587                          /usr/lib/libcrypto.so.1.0.0
    b7062000-b7068000 rw-p 00183000 00:1c 192053587                          /usr/lib/libcrypto.so.1.0.0
    b7068000-b706b000 rw-p 00000000 00:00 0 
    b706b000-b7070000 r-xp 00000000 00:1c 182175750                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
    b7070000-b7071000 rw-p 00004000 00:1c 182175750                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Crypt/OpenSSL/Bignum/Bignum.so
    b7071000-b709f000 r-xp 00000000 00:1c 182207337                          /var/lib/spamassassin/compiled/5.014/3.003002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
    b709f000-b70a0000 rw-p 0002d000 00:1c 182207337                          /var/lib/spamassassin/compiled/5.014/3.003002/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
    b70a0000-b70dd000 rw-p 00000000 00:00 0 
    b70dd000-b7250000 r-xp 00000000 00:1c 114213574                           (deleted)/lib/libdb-4.7.so
    b7250000-b7253000 rw-p 00172000 00:1c 114213574                           (deleted)/lib/libdb-4.7.so
    b7253000-b725c000 r-xp 00000000 00:1c 180863399                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/DB_File/DB_File.so
    b725c000-b725d000 rw-p 00008000 00:1c 180863399                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/DB_File/DB_File.so
    b725d000-b7269000 r-xp 00000000 00:1c 113197084                           (deleted)/lib/libnss_files-2.12.so
    b7269000-b726a000 r--p 0000b000 00:1c 113197084                           (deleted)/lib/libnss_files-2.12.so
    b726a000-b726b000 rw-p 0000c000 00:1c 113197084                           (deleted)/lib/libnss_files-2.12.so
    b726c000-b726f000 r-xp 00000000 00:1c 181092405                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/BSD/Resource/Resource.so
    b726f000-b7270000 rw-p 00002000 00:1c 181092405                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/BSD/Resource/Resource.so
    b7270000-b7274000 r-xp 00000000 00:1c 180080775                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/List/Util/Util.so
    b7274000-b7275000 rw-p 00004000 00:1c 180080775                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/List/Util/Util.so
    b7275000-b7277000 r-xp 00000000 00:1c 180863343                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Sys/Syslog/Syslog.so
    b7277000-b7278000 rw-p 00002000 00:1c 180863343                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Sys/Syslog/Syslog.so
    b7278000-b727a000 r-xp 00000000 00:1c 180453974                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Cwd/Cwd.so
    b727a000-b727b000 rw-p 00001000 00:1c 180453974                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Cwd/Cwd.so
    b727b000-b7281000 r-xp 00000000 00:1c 180456427                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Data/Dumper/Dumper.so
    b7281000-b7282000 rw-p 00005000 00:1c 180456427                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Data/Dumper/Dumper.so
    b7282000-b72b3000 r-xp 00000000 00:1c 114213599                          /lib/libidn.so.11.6.1
    b72b3000-b72b4000 rw-p 00030000 00:1c 114213599                          /lib/libidn.so.11.6.1
    b72b4000-b72bd000 r-xp 00000000 00:1c 180863122                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Digest/SHA/SHA.so
    b72bd000-b72be000 rw-p 00008000 00:1c 180863122                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Digest/SHA/SHA.so
    b72be000-b72c2000 r-xp 00000000 00:1c 182174498                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Net/LibIDN/LibIDN.so
    b72c2000-b72c3000 rw-p 00003000 00:1c 182174498                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Net/LibIDN/LibIDN.so
    b72c3000-b72c9000 r-xp 00000000 00:1c 180456489                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Encode/Encode.so
    b72c9000-b72ca000 rw-p 00005000 00:1c 180456489                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Encode/Encode.so
    b72ca000-b72cb000 r-xp 00000000 00:1c 181076441                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Net/DNS/DNS.so
    b72cb000-b72cc000 rw-p 00001000 00:1c 181076441                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Net/DNS/DNS.so
    b72cc000-b72d4000 r-xp 00000000 00:1c 181076260                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/HTML/Parser/Parser.so
    b72d4000-b72d5000 rw-p 00007000 00:1c 181076260                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/HTML/Parser/Parser.so
    b72d5000-b72d9000 r-xp 00000000 00:1c 181092486                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/NetAddr/IP/Util/Util.so
    b72d9000-b72da000 rw-p 00003000 00:1c 181092486                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/NetAddr/IP/Util/Util.so
    b72da000-b72dd000 r-xp 00000000 00:1c 180079348                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/File/Glob/Glob.so
    b72dd000-b72de000 rw-p 00002000 00:1c 180079348                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/File/Glob/Glob.so
    b72de000-b72e0000 r-xp 00000000 00:1c 180456415                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/MIME/Base64/Base64.so
    b72e0000-b72e1000 rw-p 00001000 00:1c 180456415                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/MIME/Base64/Base64.so
    b72e1000-b72f8000 r-xp 00000000 00:1c 113197092                           (deleted)/lib/libpthread-2.12.so
    b72f8000-b72f9000 r--p 00016000 00:1c 113197092                           (deleted)/lib/libpthread-2.12.so
    b72f9000-b72fa000 rw-p 00017000 00:1c 113197092                           (deleted)/lib/libpthread-2.12.so
    b72fa000-b72fc000 rw-p 00000000 00:00 0 
    b72fc000-b7303000 r-xp 00000000 00:1c 113197096                           (deleted)/lib/librt-2.12.so
    b7303000-b7304000 r--p 00006000 00:1c 113197096                           (deleted)/lib/librt-2.12.so
    b7304000-b7305000 rw-p 00007000 00:1c 113197096                           (deleted)/lib/librt-2.12.so
    b7305000-b7309000 r-xp 00000000 00:1c 180456420                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Time/HiRes/HiRes.so
    b7309000-b730a000 rw-p 00003000 00:1c 180456420                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Time/HiRes/HiRes.so
    b730a000-b731b000 r-xp 00000000 00:1c 180079361                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/POSIX/POSIX.so
    b731b000-b731d000 rw-p 00010000 00:1c 180079361                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/POSIX/POSIX.so
    b731d000-b731f000 r-xp 00000000 00:1c 180079347                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/Fcntl/Fcntl.so
    b731f000-b7320000 rw-p 00002000 00:1c 180079347                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/Fcntl/Fcntl.so
    b7320000-b7324000 r-xp 00000000 00:1c 181108971                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Socket6/Socket6.so
    b7324000-b7325000 rw-p 00003000 00:1c 181108971                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/Socket6/Socket6.so
    b7325000-b736a000 r-xp 00000000 00:1c 180079546                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/re/re.so
    b736a000-b736b000 rw-p 00045000 00:1c 180079546                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/re/re.so
    b736b000-b736c000 rw-p 00000000 00:00 0 
    b736c000-b73bb000 r-xp 00000000 00:1c 113197060                          /lib/libfreebl3.so
    b73bb000-b73bc000 r--p 0004e000 00:1c 113197060                          /lib/libfreebl3.so
    b73bc000-b73bd000 rw-p 0004f000 00:1c 113197060                          /lib/libfreebl3.so
    b73bd000-b73c2000 rw-p 00000000 00:00 0 
    b73c2000-b7552000 r-xp 00000000 00:1c 113197068                           (deleted)/lib/libc-2.12.so
    b7552000-b7553000 ---p 00190000 00:1c 113197068                           (deleted)/lib/libc-2.12.so
    b7553000-b7555000 r--p 00190000 00:1c 113197068                           (deleted)/lib/libc-2.12.so
    b7555000-b7556000 rw-p 00192000 00:1c 113197068                           (deleted)/lib/libc-2.12.so
    b7556000-b7559000 rw-p 00000000 00:00 0 
    b7559000-b755b000 r-xp 00000000 00:1c 113197100                           (deleted)/lib/libutil-2.12.so
    b755b000-b755c000 r--p 00001000 00:1c 113197100                           (deleted)/lib/libutil-2.12.so
    b755c000-b755d000 rw-p 00002000 00:1c 113197100                           (deleted)/lib/libutil-2.12.so
    b755d000-b7564000 r-xp 00000000 00:1c 113197072                           (deleted)/lib/libcrypt-2.12.so
    b7564000-b7565000 r--p 00007000 00:1c 113197072                           (deleted)/lib/libcrypt-2.12.so
    b7565000-b7566000 rw-p 00008000 00:1c 113197072                           (deleted)/lib/libcrypt-2.12.so
    b7566000-b758d000 rw-p 00000000 00:00 0 
    b758d000-b75b5000 r-xp 00000000 00:1c 113197076                           (deleted)/lib/libm-2.12.so
    b75b5000-b75b6000 r--p 00027000 00:1c 113197076                           (deleted)/lib/libm-2.12.so
    b75b6000-b75b7000 rw-p 00028000 00:1c 113197076                           (deleted)/lib/libm-2.12.so
    b75b7000-b75ba000 r-xp 00000000 00:1c 113197074                           (deleted)/lib/libdl-2.12.so
    b75ba000-b75bb000 r--p 00002000 00:1c 113197074                           (deleted)/lib/libdl-2.12.so
    b75bb000-b75bc000 rw-p 00003000 00:1c 113197074                           (deleted)/lib/libdl-2.12.so
    b75bc000-b75bd000 rw-p 00000000 00:00 0 
    b75bd000-b75d4000 r-xp 00000000 00:1c 113197078                           (deleted)/lib/libnsl-2.12.so
    b75d4000-b75d5000 r--p 00016000 00:1c 113197078                           (deleted)/lib/libnsl-2.12.so
    b75d5000-b75d6000 rw-p 00017000 00:1c 113197078                           (deleted)/lib/libnsl-2.12.so
    b75d6000-b75d8000 rw-p 00000000 00:00 0 
    b75d8000-b76de000 r-xp 00000000 00:1c 180079184                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/CORE/libperl.so
    b76de000-b76e3000 rw-p 00106000 00:1c 180079184                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/CORE/libperl.so
    b76e3000-b76e9000 r-xp 00000000 00:1c 184713546                          /usr/lib/libgdbm.so.2.0.0
    b76e9000-b76ea000 rw-p 00005000 00:1c 184713546                          /usr/lib/libgdbm.so.2.0.0
    b76ea000-b76ed000 r-xp 00000000 00:1c 180453990                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/IO/IO.so
    b76ed000-b76ee000 rw-p 00002000 00:1c 180453990                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/cpanel_lib/i386-linux-64int/auto/IO/IO.so
    b76ee000-b76f3000 r-xp 00000000 00:1c 180079534                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/Socket/Socket.so
    b76f3000-b76f4000 rw-p 00005000 00:1c 180079534                          /usr/local/cpanel/3rdparty/perl/514/lib/perl5/5.14.3/i386-linux-64int/auto/Socket/Socket.so
    b76f4000-b76f5000 rw-p 00000000 00:00 0 
    b76f5000-b76f6000 r-xp 00000000 00:00 0                                  [vdso]
    b76f6000-b7714000 r-xp 00000000 00:1c 113197061                           (deleted)/lib/ld-2.12.so
    b7714000-b7715000 r--p 0001d000 00:1c 113197061                           (deleted)/lib/ld-2.12.so
    b7715000-b7716000 rw-p 0001e000 00:1c 113197061                           (deleted)/lib/ld-2.12.so
    bfbd8000-bfc19000 rw-p 00000000 00:00 0                                  [stack]
    ----
    
    David Spector
    Springtime Software
     
    #1 david364, Sep 15, 2013
    Last edited: Sep 15, 2013
  2. ThinIce

  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    CSF provides an interface for Web Host Manager with its plugin. This is not developed by cPanel/WHM. The posts in the last response should be useful, but you are welcome to make this thread here as well and gather feedback from other users.

    Thank you.
     
  4. quizknows

    SpamAssassin often stays running long enough for CSF to see it as a long running process. This is not necessarily a bad thing. On my own systems, I whitelist it in /etc/csf/csf.pignore by adding:

    Code:
    cmd:spamd child
    Be sure to restart both CSF and LFD:

    Code:
    /etc/init.d/lfd restart ; csf -r
     
  5. webservers

    I got the same error today. Should I worry?
     
  6. 24x7ss

    There is nothing to worry about. It's a simple lfd notification. Your Perl script took some time to execute; because of that, you received that message.

    /usr/local/cpanel/3rdparty/perl/514/bin/perl

    You can add the above Perl script to the pignore of csf.
     
  7. mimran

    Hi, I'm also getting a lot of emails for all accounts on the server.
    Here it is a bit different, as it tries to connect to some different IP.

    Code:
    Executable:
    
    /usr/bin/perl
    
    
    Command Line (often faked in exploits):
    
    gnome-pty-helper
    
    
    Network connections by the process (if any):
    
    tcp: ***.**.**.**:33078 -> 209.92.176.13:80
    
    
    Files open by the process (if any):
    
    
    Memory maps by the process (if any):
    
    00110000-00118000 r-xp 00000000 08:08 1537102    /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00118000-00119000 rw-p 00008000 08:08 1537102    /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/Socket.so
    00398000-00399000 r-xp 00398000 00:00 0          [vdso]
    00bfd000-00c01000 r-xp 00000000 08:08 1522375    /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    00c01000-00c02000 rw-p 00003000 08:08 1522375    /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/IO.so
    00c9d000-00cae000 r-xp 00000000 08:02 164170     /lib/libresolv-2.5.so
    00cae000-00caf000 r--p 00010000 08:02 164170     /lib/libresolv-2.5.so
    00caf000-00cb0000 rw-p 00011000 08:02 164170     /lib/libresolv-2.5.so
    00cb0000-00cb2000 rw-p 00cb0000 00:00 0
    03313000-03315000 r-xp 00000000 08:02 164173     /lib/libutil-2.5.so
    03315000-03316000 r--p 00001000 08:02 164173     /lib/libutil-2.5.so
    03316000-03317000 rw-p 00002000 08:02 164173     /lib/libutil-2.5.so
    08048000-0804b000 r-xp 00000000 08:08 1668730    /usr/bin/perl
    0804b000-0804c000 rw-p 00002000 08:08 1668730    /usr/bin/perl
    08502000-08711000 rw-p 08502000 00:00 0          [heap]
    b7f82000-b7fa6000 rw-p b7f82000 00:00 0
    b7fb0000-b7fb1000 rw-p b7fb0000 00:00 0
    bfcae000-bfcc3000 rw-p bffe9000 00:00 0          [stack]
     
  8. quizknows

    That looks pretty suspicious mimran, I'd be investigating that process and remote IP address.
     
  9. mimran

    It looks like someone installed the SUCRACK script for a brute-force su password attack on the system. I have by mistake removed python and the whole server crashed; now I have to re-install everything from backup. I hope everything will be restored normally.

    Can anyone tell me how one could install this script when SSH is disabled for all except the root user via su, and only wheel group users can log in?

    Please provide some system hardening tips.
    Thank you.
     
    #9 mimran, Nov 22, 2014
    Last edited: Nov 22, 2014
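
The two alerts quoted in this thread differ in ways a script can check. The following Python code is an added example (not part of the original thread, and not CSF/LFD code) that parses the body of an lfd "Suspicious process" email and lists what deserves a closer look. The sample alerts are constructed from the ones above, with memory maps omitted and the masked server address replaced by the documentation address 192.0.2.10; the function names and the open-file heuristic are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples: abridged from the two alerts in the thread, with the
# masked server address replaced by the documentation address 192.0.2.10.
SPAMD_ALERT = """\
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
spamd child

Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:44587
udp: 192.0.2.10:61573 -> 192.0.2.10:53

Files open by the process (if any):
/dev/null
/usr/local/cpanel/3rdparty/perl/514/bin/spamd
/home/asc/.spamassassin/bayes_toks
"""
PTY_ALERT = """\
Executable:
/usr/bin/perl

Command Line (often faked in exploits):
gnome-pty-helper

Network connections by the process (if any):
tcp: 192.0.2.10:33078 -> 209.92.176.13:80

Files open by the process (if any):
"""

HEADER = re.compile(r"^(Executable|Command Line|Network connections|"
                    r"Files open|Memory maps)\b.*:\s*$")
CONN = re.compile(r"^(tcp|udp): (\S+):(\d+) -> (\S+):(\d+)$")


def parse_alert(text):
    """Split an lfd alert body into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections


def _is_local(addr, server_ips):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # masked or malformed address: report it for manual review
    return ip.is_loopback or ip.is_unspecified or ip in server_ips


def triage(text, server_ips):
    """Return a list of findings worth investigating; empty means none."""
    alert = parse_alert(text)
    exe = (alert.get("Executable") or [""])[0]
    cmd = (alert.get("Command Line") or [""])[0]
    local = {ipaddress.ip_address(ip) for ip in server_ips}
    findings = []
    # Heuristic (assumption of this example): a script can set its own process
    # title, so check whether the claimed name matches a file the interpreter
    # holds open. A legitimate script may close its file, so this is a hint.
    base = exe.rsplit("/", 1)[-1]
    claimed = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
    opened = {f.rsplit("/", 1)[-1] for f in alert.get("Files open", [])}
    if base.startswith(("perl", "python", "php")) and claimed and claimed not in opened:
        findings.append(f"{exe} claims to be {cmd!r} but holds no such file open")
    for line in alert.get("Network connections", []):
        conn = CONN.match(line)
        if conn and not _is_local(conn.group(4), local):
            findings.append(f"{conn.group(1)} connection to remote "
                            f"{conn.group(4)}:{conn.group(5)}")
    return findings
```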