Suspicious processes and Excessive Resources

FnF · Feb 14, 2013

Hi folks,
I recently had my data center update WHM/Cpanel to 11.36X and I've been getting flooded with hundreds of CSF emails a day now indicating Suspicious processes and Excessive Resources all related to webalizer for every account on my box, that I never got before.

My data center is suggesting trying increasing some of the process tracking directives for CSF.
I'm not understanding how updating Cpanel should require me to tame CSF so it's not triggered as easily. I like the warnings, I'm very paranoid, but I cant help but to think something is wrong since now that Cpanel has been upgraded I'm getting warnings off every site.

Wondering if someone could shed some light on this for me? I tried posting the same question on the CSF forums and not a sole will respond.

An example of the daily warnings that I get for each account on the server;
Excessive processes
<snippet>
User:finsnet PID:4958 PPID:25884 Run Time:37504041(secs) Memory:105440(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - http logs for finsnet User:finsnet PID:4959 PPID:4958 Run Time:45(secs) Memory:3792(kb) exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 12.0 /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
User:finsnet PID:4960 PPID:4959 Run Time:45(secs) Memory:41204(kb) exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english cmd:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet

--------------------------------------------------

Suspicious process
<snippet>
Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet

Network connections by the process (if any):

udp: xx.xxx.xxx.xxx:xxxxx -> xxx.xx.xxx.x:xx

Files open by the process (if any):

/home/domlogs/finsandfurnet
/var/cpanel/locale/en.cdb
/home/finsnet/tmp/webalizer/dns_cache.db

dalem · Feb 14, 2013

put
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

into your csf.pignore

FnF · Feb 14, 2013

Thanks much dalem, but does that mean it was being ignored before I upgraded Cpanel?
At the risk of looking like an idiot, my fear is wondering why it's a problem now.

quietFinn · Feb 14, 2013

You can't ignore something that does not exist, i.e. /usr/local/cpanel/3rdparty/bin/webalizer_lang/english did not exist in earlier version of cPanel/WHM.

FnF · Feb 14, 2013

Ahhhh
That makes perfect sense. Thanks so much, both of you. I appreciate your patience with me.

dalem · Feb 15, 2013

yes it should have been exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

the 11.36.0 changed the webalizer loc

we got them to

southbay · Mar 14, 2013

I have begun receiving the same alerts from lfd & found this thread. Attempting to follow the suggestion of inserting exe:/usr/local/cpanel/3rdparty/bin/english/webalizer in the csf.pignore file, but that line already exists! Now what?

Infopro · Mar 14, 2013

What exactly does your email say?

quietFinn · Mar 14, 2013

Shouldn't it be:
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
instead of:
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

southbay · Mar 14, 2013

Time: Thu Mar 14 05:18:11 2013 -0700
PID: 1842 (Parent PID:1836)
Account: xxxxxxx
Uptime: 48 seconds

Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

Code:

Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/xxxxxx/tmp/webalizer/dns_cache.db -R 250 -p -n xxxxxx.com -o /home/xxxxx/tmp/webalizer /usr/local/apache/domlogs/xxxxxx.com.bkup


Network connections by the process (if any):

udp: xx.xxx.xxx.xx:34745 -> xxx.xx.xxx.xx:53


Files open by the process (if any):

/usr/local/apache/domlogs/xxxxxx.com.bkup
/var/cpanel/locale/en.cdb
/home/xxxxxx/tmp/webalizer/dns_cache.db


Memory maps by the process (if any):

00110000-00121000 r-xp 00000000 ca:05 2000957    /lib/libresolv-2.5.so
00121000-00122000 r--p 00010000 ca:05 2000957    /lib/libresolv-2.5.so
00122000-00123000 rw-p 00011000 ca:05 2000957    /lib/libresolv-2.5.so
00123000-00125000 rw-p 00123000 00:00 0 
001d7000-001f2000 r-xp 00000000 ca:05 1998919    /lib/ld-2.5.so
001f2000-001f3000 r--p 0001a000 ca:05 1998919    /lib/ld-2.5.so
001f3000-001f4000 rw-p 0001b000 ca:05 1998919    /lib/ld-2.5.so
001f4000-002e9000 r-xp 00000000 ca:05 2000641    /lib/libdb-4.3.so
002e9000-002ec000 rw-p 000f4000 ca:05 2000641    /lib/libdb-4.3.so
00358000-0035b000 r-xp 00000000 ca:05 1999100    /lib/libdl-2.5.so
0035b000-0035c000 r--p 00002000 ca:05 1999100    /lib/libdl-2.5.so
0035c000-0035d000 rw-p 00003000 ca:05 1999100    /lib/libdl-2.5.so
0035f000-00375000 r-xp 00000000 ca:05 2000960    /lib/i686/nosegneg/libpthread-2.5.so
00375000-00376000 r--p 00015000 ca:05 2000960    /lib/i686/nosegneg/libpthread-2.5.so
00376000-00377000 rw-p 00016000 ca:05 2000960    /lib/i686/nosegneg/libpthread-2.5.so
00377000-00379000 rw-p 00377000 00:00 0 
0037b000-003a2000 r-xp 00000000 ca:05 1999080    /lib/i686/nosegneg/libm-2.5.so
003a2000-003a3000 r--p 00026000 ca:05 1999080    /lib/i686/nosegneg/libm-2.5.so
003a3000-003a4000 rw-p 00027000 ca:05 1999080    /lib/i686/nosegneg/libm-2.5.so
003a6000-003b8000 r-xp 00000000 ca:05 1999091    /lib/libz.so.1.2.3
003b8000-003b9000 rw-p 00011000 ca:05 1999091    /lib/libz.so.1.2.3
003b9000-00513000 r-xp 00000000 ca:05 1999067    /lib/i686/nosegneg/libc-2.5.so
00513000-00515000 r--p 0015a000 ca:05 1999067    /lib/i686/nosegneg/libc-2.5.so
00515000-00516000 rw-p 0015c000 ca:05 1999067    /lib/i686/nosegneg/libc-2.5.so
00516000-00519000 rw-p 00516000 00:00 0 
00535000-00536000 r-xp 00535000 00:00 0          [vdso]
00572000-00591000 r-xp 00000000 ca:05 1999095    /lib/libexpat.so.0.5.0
00591000-00593000 rw-p 0001f000 ca:05 1999095    /lib/libexpat.so.0.5.0
005b8000-005c2000 r-xp 00000000 ca:05 2000599    /lib/libnss_files-2.5.so
005c2000-005c3000 r--p 00009000 ca:05 2000599    /lib/libnss_files-2.5.so
005c3000-005c4000 rw-p 0000a000 ca:05 2000599    /lib/libnss_files-2.5.so
00617000-00638000 r-xp 00000000 ca:05 4163259    /usr/lib/libjpeg.so.62.0.0
00638000-00639000 rw-p 00020000 ca:05 4163259    /usr/lib/libjpeg.so.62.0.0
0066c000-00671000 r-xp 00000000 ca:05 4163303    /usr/lib/libXdmcp.so.6.0.0
00671000-00672000 rw-p 00004000 ca:05 4163303    /usr/lib/libXdmcp.so.6.0.0
00674000-00676000 r-xp 00000000 ca:05 4163209    /usr/lib/libXau.so.6.0.0
00676000-00677000 rw-p 00001000 ca:05 4163209    /usr/lib/libXau.so.6.0.0
00679000-00689000 r-xp 00000000 ca:05 4163246    /usr/lib/libXpm.so.4.11.0
00689000-0068a000 rw-p 00010000 ca:05 4163246    /usr/lib/libXpm.so.4.11.0
006be000-006dd000 r-xp 00000000 ca:05 4164452    /usr/lib/libgd.so.2.0.0
006dd000-006fd000 rw-p 0001e000 ca:05 4164452    /usr/lib/libgd.so.2.0.0
006fd000-00711000 rw-p 006fd000 00:00 0 
007b3000-007da000 r-xp 00000000 ca:05 4163646    /usr/lib/libfontconfig.so.1.1.0
007da000-007e2000 rw-p 00027000 ca:05 4163646    /usr/lib/libfontconfig.so.1.1.0
0088b000-00908000 r-xp 00000000 ca:05 4164173    /usr/lib/libfreetype.so.6.3.10
00908000-0090b000 rw-p 0007d000 ca:05 4164173    /usr/lib/libfreetype.so.6.3.10
00940000-00a3f000 r-xp 00000000 ca:05 4163366    /usr/lib/libX11.so.6.2.0
00a3f000-00a43000 rw-p 000ff000 ca:05 4163366    /usr/lib/libX11.so.6.2.0
00a80000-00aa5000 r-xp 00000000 ca:05 4163186    /usr/lib/libpng12.so.0.10.0
00aa5000-00aa6000 rw-p 00024000 ca:05 4163186    /usr/lib/libpng12.so.0.10.0
00ab2000-00ab6000 r-xp 00000000 ca:05 1999732    /lib/libnss_dns-2.5.so
00ab6000-00ab7000 r--p 00003000 ca:05 1999732    /lib/libnss_dns-2.5.so
00ab7000-00ab8000 rw-p 00004000 ca:05 1999732    /lib/libnss_dns-2.5.so
08048000-0806c000 r-xp 00000000 ca:05 4622335    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english
0806c000-08070000 rw-p 00024000 ca:05 4622335    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english
08070000-0809b000 rw-p 08070000 00:00 0 
0822e000-082b3000 rw-p 0822e000 00:00 0 
b7f77000-b7f7c000 rw-p b7f77000 00:00 0 
b7f82000-b7f85000 rw-p b7f82000 00:00 0 
bf82d000-bf842000 rw-p bffe9000 00:00 0          [stack]

southbay · Mar 14, 2013

quietFinn said: ↑

Shouldn't it be:
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
instead of:
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
Click to expand...

I don't know..what do you think?

Infopro · Mar 14, 2013

quietFinn said: ↑

Shouldn't it be:
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
instead of:
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
Click to expand...

southbay said: ↑

Time: Thu Mar 14 05:18:11 2013 -0700
PID: 1842 (Parent PID:1836)
Account: xxxxxxx
Uptime: 48 seconds

Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

....
Click to expand...

Yes, I think it should be.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Suspicious processes and Excessive Resources

FnF Member

dalem Well-Known Member
PartnerNOC

FnF Member

quietFinn Well-Known Member

FnF Member

dalem Well-Known Member
PartnerNOC

southbay Member

Infopro cPanel Sr. Product Evangelist
Staff Member

quietFinn Well-Known Member

southbay Member

southbay Member

Infopro cPanel Sr. Product Evangelist
Staff Member

suspicious processes question

Suspicious process running under user

Suspicious bot Cpanel-HTTP-Client hitting our server

Suspicious process running under

How to disable send an email: lfd on server: Suspicious process running under user

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Suspicious processes and Excessive Resources

FnF Member

dalem Well-Known Member PartnerNOC

FnF Member

quietFinn Well-Known Member

FnF Member

dalem Well-Known Member PartnerNOC

southbay Member

Infopro cPanel Sr. Product Evangelist Staff Member

quietFinn Well-Known Member

southbay Member

southbay Member

Infopro cPanel Sr. Product Evangelist Staff Member

suspicious processes question

Suspicious process running under user

Suspicious bot Cpanel-HTTP-Client hitting our server

Suspicious process running under

How to disable send an email: lfd on server: Suspicious process running under user

Share This Page

dalem Well-Known Member
PartnerNOC

dalem Well-Known Member
PartnerNOC

Infopro cPanel Sr. Product Evangelist
Staff Member

Infopro cPanel Sr. Product Evangelist
Staff Member