Suspicious process running under user cpanelroundcube

martin MHC

I never used to receive these notifications.
I now receive regular admin emails stating:

==========
Time: Tue Jan 15 14:44:30 2019 +0000
Account: cpanelroundcube
Uptime: 194 seconds


Executable:

/usr/local/cpanel/3rdparty/php/72/sbin/php-fpm

Command Line (often faked in exploits):

php-fpm: pool cpanelroundcube


Network connections by the process (if any):

tcp6: 0:0:0:0:0:0:0:1:33530 -> 0:0:0:0:0:0:0:1:587

Files open by the process (if any):

/usr/local/cpanel/base/3rdparty/roundcube/plugins

....


==========
Roundcube should not even be trying to access this port, as it is an insecure SMTP port and should always be dropped in favour of the secured port 465.
Also, being in the UK, we do not use IPv6 (which tcp6 refers to).


While I have researched this and found: Round Cube Suspicious process; this tells me how to ignore this process, NOT why it should be ignored.

> Questions:

How do I know cpanelroundcube has not been compromised?
Based on the fact that I never used to get these messages until recently.

Some clients who use roundcube webmail tell me it takes them literal minutes to load roundcube webmail for their emails. Is there any way to establish why, and/or if it's related?
I cannot generate the same time delay on my own roundcube webmail testing, even on their own email account logins.

I have already put Roundcube on SQLite. I have already increased the max-children as per Webmail slow after login - php settings perhaps?

> Server Stats:

PHP FPM is turned on but is not used on any accounts.

OS / WHM version
  • CENTOS 6.10 hyper-v
  • v76.0.15

 

rpvw

Hi @martin MHC

I shall try to put your mind at rest :-D

> PHP FPM is turned on but is not used on any accounts.

I believe that PHP-FPM is also used by cPanel's own internal web server/PHP processes (which is a separate and distinct service from the Apache/PHP processes used by the clients), and as such, you don't have any control over it.

> How do I know cpanelroundcube has not been compromised?
> Based on the fact I never used to get these messages until recently.

The message you are getting actually refers to the php-fpm process that roundcube is calling as a normal part of its PHP script execution. Your cPanel internal default PHP is 7.2 (I think since cPanel v76), and I believe it now uses php-fpm as the internal handler instead of the php-cgi handler that the article you refer to states.

> Some clients who use roundcube webmail tell me it takes them literal minutes to load roundcube webmail for their emails. Is there any way to establish why, and/or if it's related?
> I cannot generate the same time delay on my own roundcube webmail testing, even on their own email account logins.

There are lots of things, of course, that can influence this: connection speed, traffic bottlenecks, speed of the client's hardware/software, etc.

The fact that you can't replicate it does indicate there is not anything terribly wrong. You might like to have a look at Tweak Settings >
Max cPanel process memory (Minimum: 768)
The maximum memory a cPanel process can use before it is killed off. This setting's minimum value depends on the number of cPanel accounts on the system.

If you don't have a memory constraint, you could try allocating a little more to this setting and see if it improves your clients' experience any.

I really don't know why CSF/LFD insists on flagging all the PHP-FPM processes as being a threat - although a malicious script could trigger an excessive use of the FPM resources.

You can safely add the following regex to your /etc/csf/csf.pignore file
Code:
pexe:/usr/local/cpanel/3rdparty/php/.*/sbin/php-fpm
which will stop the false notifications, irrespective of what internal PHP version cPanel installs.

I hope this helps
 

martin MHC

Many thanks for your feedback, rpvw. It is appreciated.

I should have clarified -- while I know there are a host of possible issues that cause a slow load of roundcube, working with the client we established it is not their ISP/net connection, not their browser and not their cache. I will check out the memory setting as suggested.

My query comes more from the _change_ in action -- that these warning notices didn't occur before and now are regular. I don't believe the system is compromised but I do think something has changed and was curious as to find out what, without simply ignoring the issue.

Cheers
 

rpvw

The change may have been the action of upgrading WHM/cPanel to version 76 which installed the cPanel internal PHP version 7.2/PHP-FPM handler (I seem to remember cPanel used to use PHP5.6 and PHP-CGI in previous builds).

The false trigger of the LFD mail will only happen if the internal FPM process uses more time/resources than LFD is configured to look for. If a user suddenly changes from, say, POP to IMAP and/or starts having a significantly higher number of mail files to read, the FPM process would be strained and the LFD trigger may fire.

You might want to review what CSF/LFD settings you have that relate to the length of time a PHP script is permitted to run for before triggering a warning (PT_USERTIME), and/or what memory the process is permitted to use before warning (PT_USERMEM) - in fact, review all of the PT_ section carefully :)

***EDIT***

Have a look in your /etc/csf/csf.pignore file and look for an entry that looks anything like
Code:
exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
If you find an entry that looks anything like that, it may have been ignoring the processes under the old PHP/CGI already, and now you have a new PHP/FPM it is obviously not being blocked.
 

cPanelLauren

Great advice @rpvw


I also want to note that a good clue as to whether or not a process is malicious is to look at what it's got open. If it's got a bunch of unusual processes open, then yes, be suspicious. In this case, though, looking at what's open:

Code:
Files open by the process (if any):

/usr/local/cpanel/base/3rdparty/roundcube/plugins
It appears to be legitimate; this is a normal roundcube process. I'd be alarmed if it had something unrelated to roundcube open, somewhere like tmp.
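As an added example (not code from this thread, nor from CSF/LFD or cPanel), the Python script below puts the two checks discussed in this thread into one place: it parses an LFD "suspicious process" alert like the one quoted in the first post, tests it against csf.pignore-style rules (exe/pexe/cmd/pcmd/user/puser, including the pexe regex rpvw suggests), and then applies the "look at what it has open" triage from the post above, plus a check that the network connection goes to a local MTA port. The first alert text is the one from the thread; the second alert, the expected path prefixes, the local-host list and the allowed SMTP ports are constructed assumptions, and the regex matching is an approximation of CSF's behaviour rather than its actual code.

```python
import re

# Alert text as quoted in the thread's first post (blank lines and the "...." truncation dropped).
THREAD_ALERT = """Time: Tue Jan 15 14:44:30 2019 +0000
Account: cpanelroundcube
Uptime: 194 seconds
Executable:
/usr/local/cpanel/3rdparty/php/72/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool cpanelroundcube
Network connections by the process (if any):
tcp6: 0:0:0:0:0:0:0:1:33530 -> 0:0:0:0:0:0:0:1:587
Files open by the process (if any):
/usr/local/cpanel/base/3rdparty/roundcube/plugins
"""

# Constructed contrast case (not from the thread): the same command line, which LFD itself
# notes is easily faked, but the binary and an open file sit under /tmp and the process
# talks to a remote host instead of the local MTA.
CONSTRUCTED_ALERT = """Time: Tue Jan 15 15:01:02 2019 +0000
Account: cpanelroundcube
Uptime: 9000 seconds
Executable:
/tmp/.x/php-fpm
Command Line (often faked in exploits):
php-fpm: pool cpanelroundcube
Network connections by the process (if any):
tcp: 203.0.113.5:44211 -> 198.51.100.9:6667
Files open by the process (if any):
/tmp/.x/config
"""

# csf.pignore-style rules: the old php-cgi entry and the pexe regex, both from the thread.
PIGNORE_RULES = [
    "exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi",
    "pexe:/usr/local/cpanel/3rdparty/php/.*/sbin/php-fpm",
]

# Assumed: where a genuine cpanelroundcube php-fpm process should be reading from,
# and the local MTA ports Roundcube may legitimately connect to.
EXPECTED_PREFIXES = ("/usr/local/cpanel/base/3rdparty/roundcube/", "/usr/local/cpanel/3rdparty/php/")
LOCAL_HOSTS = {"127.0.0.1", "0:0:0:0:0:0:0:1", "::1"}
SUBMISSION_PORTS = {"25", "465", "587"}

SECTION_HEADERS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "cmdline",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "open_files",
}

def parse_alert(text):
    """Extract account, executable, command line, connections and open files from an LFD alert."""
    alert = {"account": "", "executable": "", "cmdline": "", "connections": [], "open_files": []}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
        elif line.startswith("Account:"):
            alert["account"] = line.split(":", 1)[1].strip()
        elif current in ("connections", "open_files"):
            alert[current].append(line)
        elif current:
            alert[current] = line
    return alert

def pignore_matches(rules, alert):
    """First csf.pignore rule that would silence this alert, or None. Regex kinds
    (pexe/pcmd/puser) are approximated with an anchored fullmatch; CSF's own code may differ."""
    subjects = {"exe": "executable", "pexe": "executable", "cmd": "cmdline",
                "pcmd": "cmdline", "user": "account", "puser": "account"}
    for rule in rules:
        kind, _, pattern = rule.partition(":")
        if kind not in subjects:
            continue
        value = alert[subjects[kind]]
        if (re.fullmatch(pattern, value) if kind.startswith("p") else value == pattern):
            return rule
    return None

def triage(alert, expected_prefixes=EXPECTED_PREFIXES):
    """The 'look at what it has open' check: report anything outside the expected locations."""
    findings = []
    if not alert["executable"].startswith(expected_prefixes):
        findings.append("executable outside expected paths: " + alert["executable"])
    findings += ["open file outside expected paths: " + p
                 for p in alert["open_files"] if not p.startswith(expected_prefixes)]
    for conn in alert["connections"]:
        host, _, port = conn.split("->")[-1].strip().rpartition(":")
        if host not in LOCAL_HOSTS or port not in SUBMISSION_PORTS:
            findings.append("unexpected connection: " + conn)
    return findings

if __name__ == "__main__":
    for name, text in (("thread", THREAD_ALERT), ("constructed", CONSTRUCTED_ALERT)):
        a = parse_alert(text)
        print(name, "| ignored by:", pignore_matches(PIGNORE_RULES, a), "| findings:", triage(a) or "none")
```

Running it shows the thread's alert matched by the pexe rule with no triage findings, while the constructed alert is not matched (the regex is anchored to the cPanel PHP path) and produces three findings. The contrast also shows why an exe/pexe rule is the better choice than a cmd rule: a `cmd:php-fpm: pool cpanelroundcube` entry would silence both alerts, because the command line is exactly the field LFD warns is often faked.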
 

cPanelLauren

Hi @martin MHC


Port 587 is not an insecure port; while it can be used for unencrypted connections, it's used widely for STARTTLS. If anything, I'd prefer 587 over 465 at this juncture, though both are commonly used. Some really interesting information/discussion on port differences as well as relevancy can be found here: What is the difference between ports 465 and 587?

Thanks!