I never used to receive these notifications.
I now receive regular admin emails stating:
==========
Time: Tue Jan 15 14:44:30 2019 +0000
Account: cpanelroundcube
Uptime: 194 seconds
Executable:
/usr/local/cpanel/3rdparty/php/72/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool cpanelroundcube
Network connections by the process (if any):
tcp6: 0:0:0:0:0:0:0:1:33530 -> 0:0:0:0:0:0:0:1:587
Files open by the process (if any):
/usr/local/cpanel/base/3rdparty/roundcube/plugins
....
==========
Roundcube should not even be trying to access this port as it is an insecure SMTP port and should always be dropped in favour of the secured port 465.
Also, being in the UK we do not use IPv6 (which tcp6 refers to).
While I have researched this and found "Round Cube Suspicious process", this tells me how to ignore this process, NOT why it should be ignored.
> Questions:
How do I know cpanelroundcube has not been compromised?
Based on the fact I never used to get these messages until recently.
Some clients who use Roundcube webmail tell me it takes them literal minutes to load Roundcube webmail for their emails. Is there any way to establish why, and/or if it's related?
I cannot generate the same time delay in my own Roundcube webmail testing, even on their own email account logins.
I have already put Roundcube on SQLite. I have already increased the max-children as per "Webmail slow after login - php settings perhaps?"
> Server Stats:
PHP FPM is turned on but is not used on any accounts.
OS / WHM version
- CENTOS 6.10 hyper-v
- v76.0.15
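One way to triage the notification quoted in the post, as an added example that is not part of the original post or of any cPanel code: it extracts the "Network connections" entries from the alert text and reports whether each endpoint is a loopback, private or public address. The function names are hypothetical and the alert layout is assumed from the fields shown above.

```python
import ipaddress
import re

# Fields copied from the alert quoted in the post (shortened).
SAMPLE_ALERT = """\
Account: cpanelroundcube
Executable:
/usr/local/cpanel/3rdparty/php/72/sbin/php-fpm
Network connections by the process (if any):
tcp6: 0:0:0:0:0:0:0:1:33530 -> 0:0:0:0:0:0:0:1:587
"""

# "proto: addr:port -> addr:port"; the port is whatever follows the last colon,
# so an unbracketed IPv6 address is split correctly by the greedy match.
CONN_RE = re.compile(r"^(tcp6?|udp6?):\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def scope(addr):
    """Classify an address string as loopback, private, public or unparsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"
    # An IPv4-mapped IPv6 address is judged by the IPv4 address it carries.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    if ip.is_loopback:
        return "loopback"
    return "private" if (ip.is_private or ip.is_link_local) else "public"

def parse_connections(alert):
    """Return one dict per connection line found in the alert text."""
    conns = []
    for line in alert.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport = m.groups()
            conns.append({"proto": proto, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport),
                          "src_scope": scope(src), "dst_scope": scope(dst)})
    return conns

def local_only(conn):
    """True when both ends of the connection are on this host's loopback."""
    return conn["src_scope"] == "loopback" and conn["dst_scope"] == "loopback"

if __name__ == "__main__":
    for c in parse_connections(SAMPLE_ALERT):
        print(c["proto"], c["dst"], c["dport"], c["dst_scope"], local_only(c))
```

For the quoted alert this reports a loopback-to-loopback connection to port 587, meaning the process was talking to a service on the same server; that result alone does not settle whether the account is compromised.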