
Suspicious processes and Excessive Resources

Discussion in 'General Discussion' started by FnF, Feb 14, 2013.

  1. FnF

    FnF Member

    Joined:
    Jul 21, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hi folks,
    I recently had my data center update WHM/cPanel to 11.36X, and I've been getting flooded with hundreds of CSF emails a day now indicating Suspicious processes and Excessive Resources, all related to webalizer for every account on my box, that I never got before.

    My data center is suggesting trying increasing some of the process tracking directives for CSF.
    I'm not understanding how updating cPanel should require me to tame CSF so it's not triggered as easily. I like the warnings, I'm very paranoid, but I can't help but think something is wrong, since now that cPanel has been upgraded I'm getting warnings off every site.

    Wondering if someone could shed some light on this for me? I tried posting the same question on the CSF forums and not a soul will respond.

    An example of the daily warnings that I get for each account on the server:
    Excessive processes
    <snippet>
    User:finsnet PID:4958 PPID:25884 Run Time:37504041(secs) Memory:105440(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - http logs for finsnet
    User:finsnet PID:4959 PPID:4958 Run Time:45(secs) Memory:3792(kb) exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 12.0 /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
    User:finsnet PID:4960 PPID:4959 Run Time:45(secs) Memory:41204(kb) exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english cmd:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet

    --------------------------------------------------

    Suspicious process
    <snippet>
    Executable:

    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english


    Command Line (often faked in exploits):

    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet


    Network connections by the process (if any):

    udp: xx.xxx.xxx.xxx:xxxxx -> xxx.xx.xxx.x:xx


    Files open by the process (if any):

    /home/domlogs/finsandfurnet
    /var/cpanel/locale/en.cdb
    /home/finsnet/tmp/webalizer/dns_cache.db
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    put
    exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

    into your csf.pignore
     
  3. FnF

    FnF Member

    Joined:
    Jul 21, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Thanks much, dalem, but does that mean it was being ignored before I upgraded cPanel?
    At the risk of looking like an idiot, my fear is wondering why it's a problem now.
     
  4. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    You can't ignore something that does not exist, i.e. /usr/local/cpanel/3rdparty/bin/webalizer_lang/english did not exist in earlier versions of cPanel/WHM.
     
  5. FnF

    FnF Member

    Joined:
    Jul 21, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Ahhhh :eek:
    That makes perfect sense. Thanks so much, both of you. I appreciate your patience with me.
     
  6. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Yes, it should have been exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

    11.36.0 changed the webalizer location.

    We got them too.
     
  7. southbay

    southbay Member

    Joined:
    Aug 17, 2011
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I have begun receiving the same alerts from lfd & found this thread. Attempting to follow the suggestion of inserting exe:/usr/local/cpanel/3rdparty/bin/english/webalizer in the csf.pignore file, but that line already exists! Now what?
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    What exactly does your email say?
     
  9. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    Shouldn't it be:
    exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
    instead of:
    exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
     
  10. southbay

    southbay Member

    Joined:
    Aug 17, 2011
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Time: Thu Mar 14 05:18:11 2013 -0700
    PID: 1842 (Parent PID:1836)
    Account: xxxxxxx
    Uptime: 48 seconds


    Executable:

    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english


    Command Line (often faked in exploits):
    
    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/xxxxxx/tmp/webalizer/dns_cache.db -R 250 -p -n xxxxxx.com -o /home/xxxxx/tmp/webalizer /usr/local/apache/domlogs/xxxxxx.com.bkup
    
    
    Network connections by the process (if any):
    
    udp: xx.xxx.xxx.xx:34745 -> xxx.xx.xxx.xx:53
    
    
    Files open by the process (if any):
    
    /usr/local/apache/domlogs/xxxxxx.com.bkup
    /var/cpanel/locale/en.cdb
    /home/xxxxxx/tmp/webalizer/dns_cache.db
    
    
    Memory maps by the process (if any):
     
  11. southbay

    southbay Member

    Joined:
    Aug 17, 2011
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I don't know... what do you think?
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Yes, I think it should be.
     
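The thread turns on two things: whether the executable named in an lfd alert is actually matched by a csf.pignore entry, and whether an old entry now points at a binary that no longer exists (the pre-11.36 webalizer path). The script below, an added example that is not from this thread or from CSF itself, checks both against constructed sample files; the path of the alert excerpt, the csf.pignore contents and the pexe: regex are all made up for the demo.

```shell
# Added example: check an lfd "Suspicious process" alert against csf.pignore.
# Both input files are constructed samples so the script runs offline.
PIGNORE_FILE="${TMPDIR:-/tmp}/csf.pignore.sample.$$"
ALERT_FILE="${TMPDIR:-/tmp}/lfd-alert.sample.$$"
trap 'rm -f "$PIGNORE_FILE" "$ALERT_FILE"' EXIT

# Constructed csf.pignore: the pre-11.36 webalizer path (now stale) and the new one.
cat > "$PIGNORE_FILE" <<'EOF'
# constructed sample, not a real server's csf.pignore
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
pexe:/usr/local/cpanel/3rdparty/perl/[0-9]+/bin/perl
EOF

# Constructed alert excerpt in the layout quoted in this thread.
cat > "$ALERT_FILE" <<'EOF'
Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

Command Line (often faked in exploits):
EOF

# Print the path on the first non-blank line after "Executable:".
alert_executable() {
    awk '/^Executable:/ { grab = 1; next } grab && NF { print $1; exit }' "$1"
}

# Succeed if csf.pignore has an exact exe: entry for $2 or a pexe: regex matching it.
# CSF's pexe: entries are Perl regexes; simple path patterns are valid EREs for grep -E.
pignore_covers() {
    grep -qxF "exe:$2" "$1" && return 0
    _hit=1
    while IFS= read -r _re; do
        if printf '%s\n' "$2" | grep -Eq "^${_re}\$"; then _hit=0; break; fi
    done <<EOF
$(sed -n 's/^pexe://p' "$1")
EOF
    return $_hit
}

# List exe: entries whose binary no longer exists on this host (dead whitelist lines).
stale_exe_entries() {
    sed -n 's/^exe://p' "$1" | while IFS= read -r _p; do
        [ -x "$_p" ] || printf 'exe:%s\n' "$_p"
    done
}

exe=$(alert_executable "$ALERT_FILE")
if pignore_covers "$PIGNORE_FILE" "$exe"; then echo "covered:     $exe"; else echo "NOT covered: $exe"; fi
echo "stale exe: entries:"; stale_exe_entries "$PIGNORE_FILE"
```

On a real server, point PIGNORE_FILE at /etc/csf/csf.pignore and ALERT_FILE at a saved alert email; a "NOT covered" result means the entry is missing or misspelled (as with the bin/english/webalizer vs. bin/webalizer_lang/english mix-up above), and every stale entry listed is one that can be removed after the paths are confirmed.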