Hi folks,
I recently had my data center update WHM/Cpanel to 11.36X and I've been getting flooded with hundreds of CSF emails a day now indicating Suspicious processes and Excessive Resources all related to webalizer for every account on my box, that I never got before.
My data center is suggesting trying increasing some of the process tracking directives for CSF.
I'm not understanding how updating Cpanel should require me to tame CSF so it's not triggered as easily. I like the warnings, I'm very paranoid, but I cant help but to think something is wrong since now that Cpanel has been upgraded I'm getting warnings off every site.
Wondering if someone could shed some light on this for me? I tried posting the same question on the CSF forums and not a sole will respond.
An example of the daily warnings that I get for each account on the server;
Excessive processes
<snippet>
User:finsnet PID:4958 PPID:25884 Run Time:37504041(secs) Memory:105440(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - http logs for finsnet User:finsnet PID:4959 PPID:4958 Run Time:45(secs) Memory:3792(kb) exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 12.0 /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
User:finsnet PID:4960 PPID:4959 Run Time:45(secs) Memory:41204(kb) exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english cmd:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
--------------------------------------------------
Suspicious process
<snippet>
Executable:
/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
Network connections by the process (if any):
udp: xx.xxx.xxx.xxx:xxxxx -> xxx.xx.xxx.x:xx
Files open by the process (if any):
/home/domlogs/finsandfurnet
/var/cpanel/locale/en.cdb
/home/finsnet/tmp/webalizer/dns_cache.db
I recently had my data center update WHM/Cpanel to 11.36X and I've been getting flooded with hundreds of CSF emails a day now indicating Suspicious processes and Excessive Resources all related to webalizer for every account on my box, that I never got before.
My data center is suggesting trying increasing some of the process tracking directives for CSF.
I'm not understanding how updating Cpanel should require me to tame CSF so it's not triggered as easily. I like the warnings, I'm very paranoid, but I cant help but to think something is wrong since now that Cpanel has been upgraded I'm getting warnings off every site.
Wondering if someone could shed some light on this for me? I tried posting the same question on the CSF forums and not a sole will respond.
An example of the daily warnings that I get for each account on the server;
Excessive processes
<snippet>
User:finsnet PID:4958 PPID:25884 Run Time:37504041(secs) Memory:105440(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - http logs for finsnet User:finsnet PID:4959 PPID:4958 Run Time:45(secs) Memory:3792(kb) exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 12.0 /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
User:finsnet PID:4960 PPID:4959 Run Time:45(secs) Memory:41204(kb) exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english cmd:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
--------------------------------------------------
Suspicious process
<snippet>
Executable:
/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
Network connections by the process (if any):
udp: xx.xxx.xxx.xxx:xxxxx -> xxx.xx.xxx.x:xx
Files open by the process (if any):
/home/domlogs/finsandfurnet
/var/cpanel/locale/en.cdb
/home/finsnet/tmp/webalizer/dns_cache.db
