
Suspicious process running under user ****

Discussion in 'Security' started by Megadola, Apr 15, 2015.

  1. Megadola

    Megadola Registered

    Could you please help? I'm getting a lot of emails like this:
    --
    Time: Wed Apr 15 08:31:45 2015 +0200
    PID: 21586 (Parent PID:28155)
    Account: *****
    Uptime: 24683 seconds


    Executable:

    /usr/local/cpanel/3rdparty/perl/514/bin/perl


    Command Line (often faked in exploits):

    spamd child

    - Snipped -
     
    #1 Megadola, Apr 15, 2015
    Last edited by a moderator: Apr 15, 2015
  2. keat63

    keat63 Well-Known Member

    I'm guessing that SpamAssassin has done an update, and hasn't refreshed correctly due to running files.
    Restarting spamd has fixed this issue for me in the past.

    From a console try the following

    /scripts/restartsrv_spamd

    Then restart exim

    /etc/rc.d/init.d/exim restart
     
  3. Megadola

    Megadola Registered

    I got this:
    /usr/local/cpanel/scripts/update_sa_rules: running in background
     
  4. keat63

    keat63 Well-Known Member

    That's what I get also.
    Keep an eye on your logs and see if the spamd errors have now subsided.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is a common occurrence. You will find several threads on this topic by searching for "spamd lfd" on our forums or by searching for "LFD spamd site:forums.cpanel.net" on Google. Please keep in mind that LFD is developed by ConfigServer, so their forums are often a better resource.

    Thank you.
     
  6. Ravidev

    Ravidev Registered

    I am getting mails like this:

    Time: Thu May 14 02:47:05 2015 +0530
    PID: 14548 (Parent PID:14547)
    Account: exlmart
    Uptime: 62 seconds


    Executable:

    /usr/bin/php


    Command Line (often faked in exploits):

    /usr/bin/php /home/exlmart/public_html/index.php


    Network connections by the process (if any):

    tcp: 72.55.164.248:44832 -> 103.21.59.28:80
     
  7. postcd

    postcd Well-Known Member

    Ravidev: I think your email subject is also "Suspicious process found".
    And I think that this: "Uptime: 62 seconds"
    tells where to look. It probably means you set in the ConfigServer firewall configuration that CSF should report processes running more than 60 seconds. Look into the CSF configuration, and I think the option you are looking to set to zero to disable this process watching is "PT_LIMIT". Not sure if it's a good idea to disable this process watching; maybe better to somehow discover why scripts on that account take so long to complete. You may look up that cPanel account's scripts, if not in WHM » Server Status » Daily Process Log.
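
A small parser for the alert layout quoted in this thread, added here as an example (it is not part of any post and not LFD's own code). It checks the three things the posts turn on: whether the reported command line names the Executable path, the uptime against PT_LIMIT (60 is the value guessed in the last post, an assumption), and the remote endpoints. The sample alert, account name and addresses are constructed.

```python
import re

# Constructed sample in the thread's alert layout (made-up account, RFC 5737 addresses).
SAMPLE_ALERT = """\
Time: Thu May 14 02:47:05 2015 +0530
PID: 14548 (Parent PID:14547)
Account: exampleuser
Uptime: 62 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):

spamd child

Network connections by the process (if any):

tcp: 192.0.2.10:44832 -> 198.51.100.7:80
"""

FIELD = re.compile(r"^[ \t]*(Time|PID|Account|Uptime):[ \t]*(\S.*?)[ \t]*$", re.M)
CONN = re.compile(r"^[ \t]*(?:tcp|udp):[ \t]*\S+:\d+ -> (\S+):(\d+)", re.M)

def section(text, header):  # first non-blank line after a section header, or ""
    m = re.search(re.escape(header) + r"[^\n]*\n\s*(\S[^\n]*)", text)
    return m.group(1).strip() if m else ""

def parse_alert(text):
    """Turn one alert body into a dict of typed fields."""
    alert = {k.lower(): v for k, v in FIELD.findall(text)}
    for key in ("pid", "uptime"):  # "14548 (Parent PID:...)" and "62 seconds"
        alert[key] = int(alert.get(key, "0").split()[0])
    alert["exe"], alert["cmdline"] = section(text, "Executable:"), section(text, "Command Line")
    alert["remote"] = [f"{host}:{port}" for host, port in CONN.findall(text)]
    return alert

def triage(alert, pt_limit=60):  # 60 is the threshold guessed in the thread
    """Points to verify by hand. A process sets its own title, so go by exe."""
    notes = []
    argv0 = (alert["cmdline"].split() or [""])[0]
    if argv0 not in (alert["exe"], alert["exe"].rsplit("/", 1)[-1]):
        notes.append(f"command line '{alert['cmdline']}' does not name {alert['exe']}")
    if alert["uptime"] > pt_limit:
        notes.append(f"uptime {alert['uptime']}s is over PT_LIMIT={pt_limit}")
    return notes + [f"connection to {ep}" for ep in alert["remote"]]

if __name__ == "__main__":
    print(triage(parse_alert(SAMPLE_ALERT)))
```

A mismatch note is a prompt to check the Executable path, not a verdict: the first alert in this thread (perl running as "spamd child") produces one.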
     