Suspicious processes and Excessive Resources

[FnF]

Hi folks,
I recently had my data center update WHM/Cpanel to 11.36X and I've been getting flooded with hundreds of CSF emails a day now indicating Suspicious processes and Excessive Resources all related to webalizer for every account on my box, that I never got before.

My data center is suggesting trying increasing some of the process tracking directives for CSF.
I'm not understanding how updating Cpanel should require me to tame CSF so it's not triggered as easily. I like the warnings, I'm very paranoid, but I cant help but to think something is wrong since now that Cpanel has been upgraded I'm getting warnings off every site.

Wondering if someone could shed some light on this for me? I tried posting the same question on the CSF forums and not a sole will respond.

An example of the daily warnings that I get for each account on the server;
Excessive processes
<snippet>
User:finsnet PID:4958 PPID:25884 Run Time:37504041(secs) Memory:105440(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - http logs for finsnet User:finsnet PID:4959 PPID:4958 Run Time:45(secs) Memory:3792(kb) exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 12.0 /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
User:finsnet PID:4960 PPID:4959 Run Time:45(secs) Memory:41204(kb) exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english cmd:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet

--------------------------------------------------

Suspicious process
<snippet>
Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english


Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet


Network connections by the process (if any):

udp: xx.xxx.xxx.xxx:xxxxx -> xxx.xx.xxx.x:xx


Files open by the process (if any):

/home/domlogs/finsandfurnet
/var/cpanel/locale/en.cdb
/home/finsnet/tmp/webalizer/dns_cache.db

 

[dalem]

put
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

into your csf.pignore

 

[FnF]

Thanks much dalem, but does that mean it was being ignored before I upgraded Cpanel?
At the risk of looking like an idiot, my fear is wondering why it's a problem now.

 

[quietFinn]

You can't ignore something that does not exist, i.e. /usr/local/cpanel/3rdparty/bin/webalizer_lang/english did not exist in earlier version of cPanel/WHM.

 

[FnF]

Ahhhh
That makes perfect sense. Thanks so much, both of you. I appreciate your patience with me.

 

[dalem]

yes it should have been exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

the 11.36.0 changed the webalizer loc

we got them to

 

[southbay]

I have begun receiving the same alerts from lfd & found this thread. Attempting to follow the suggestion of inserting exe:/usr/local/cpanel/3rdparty/bin/english/webalizer in the csf.pignore file, but that line already exists! Now what?

 

[Infopro]

What exactly does your email say?

 

[quietFinn]

Shouldn't it be:
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
instead of:
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

 

[southbay]

Time: Thu Mar 14 05:18:11 2013 -0700
PID: 1842 (Parent PID:1836)
Account: xxxxxxx
Uptime: 48 seconds


Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english

Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/xxxxxx/tmp/webalizer/dns_cache.db -R 250 -p -n xxxxxx.com -o /home/xxxxx/tmp/webalizer /usr/local/apache/domlogs/xxxxxx.com.bkup


Network connections by the process (if any):

udp: xx.xxx.xxx.xx:34745 -> xxx.xx.xxx.xx:53


Files open by the process (if any):

/usr/local/apache/domlogs/xxxxxx.com.bkup
/var/cpanel/locale/en.cdb
/home/xxxxxx/tmp/webalizer/dns_cache.db


Memory maps by the process (if any):

00110000-00121000 r-xp 00000000 ca:05 2000957    /lib/libresolv-2.5.so
00121000-00122000 r--p 00010000 ca:05 2000957    /lib/libresolv-2.5.so
00122000-00123000 rw-p 00011000 ca:05 2000957    /lib/libresolv-2.5.so
00123000-00125000 rw-p 00123000 00:00 0 
001d7000-001f2000 r-xp 00000000 ca:05 1998919    /lib/ld-2.5.so
001f2000-001f3000 r--p 0001a000 ca:05 1998919    /lib/ld-2.5.so
001f3000-001f4000 rw-p 0001b000 ca:05 1998919    /lib/ld-2.5.so
001f4000-002e9000 r-xp 00000000 ca:05 2000641    /lib/libdb-4.3.so
002e9000-002ec000 rw-p 000f4000 ca:05 2000641    /lib/libdb-4.3.so
00358000-0035b000 r-xp 00000000 ca:05 1999100    /lib/libdl-2.5.so
0035b000-0035c000 r--p 00002000 ca:05 1999100    /lib/libdl-2.5.so
0035c000-0035d000 rw-p 00003000 ca:05 1999100    /lib/libdl-2.5.so
0035f000-00375000 r-xp 00000000 ca:05 2000960    /lib/i686/nosegneg/libpthread-2.5.so
00375000-00376000 r--p 00015000 ca:05 2000960    /lib/i686/nosegneg/libpthread-2.5.so
00376000-00377000 rw-p 00016000 ca:05 2000960    /lib/i686/nosegneg/libpthread-2.5.so
00377000-00379000 rw-p 00377000 00:00 0 
0037b000-003a2000 r-xp 00000000 ca:05 1999080    /lib/i686/nosegneg/libm-2.5.so
003a2000-003a3000 r--p 00026000 ca:05 1999080    /lib/i686/nosegneg/libm-2.5.so
003a3000-003a4000 rw-p 00027000 ca:05 1999080    /lib/i686/nosegneg/libm-2.5.so
003a6000-003b8000 r-xp 00000000 ca:05 1999091    /lib/libz.so.1.2.3
003b8000-003b9000 rw-p 00011000 ca:05 1999091    /lib/libz.so.1.2.3
003b9000-00513000 r-xp 00000000 ca:05 1999067    /lib/i686/nosegneg/libc-2.5.so
00513000-00515000 r--p 0015a000 ca:05 1999067    /lib/i686/nosegneg/libc-2.5.so
00515000-00516000 rw-p 0015c000 ca:05 1999067    /lib/i686/nosegneg/libc-2.5.so
00516000-00519000 rw-p 00516000 00:00 0 
00535000-00536000 r-xp 00535000 00:00 0          [vdso]
00572000-00591000 r-xp 00000000 ca:05 1999095    /lib/libexpat.so.0.5.0
00591000-00593000 rw-p 0001f000 ca:05 1999095    /lib/libexpat.so.0.5.0
005b8000-005c2000 r-xp 00000000 ca:05 2000599    /lib/libnss_files-2.5.so
005c2000-005c3000 r--p 00009000 ca:05 2000599    /lib/libnss_files-2.5.so
005c3000-005c4000 rw-p 0000a000 ca:05 2000599    /lib/libnss_files-2.5.so
00617000-00638000 r-xp 00000000 ca:05 4163259    /usr/lib/libjpeg.so.62.0.0
00638000-00639000 rw-p 00020000 ca:05 4163259    /usr/lib/libjpeg.so.62.0.0
0066c000-00671000 r-xp 00000000 ca:05 4163303    /usr/lib/libXdmcp.so.6.0.0
00671000-00672000 rw-p 00004000 ca:05 4163303    /usr/lib/libXdmcp.so.6.0.0
00674000-00676000 r-xp 00000000 ca:05 4163209    /usr/lib/libXau.so.6.0.0
00676000-00677000 rw-p 00001000 ca:05 4163209    /usr/lib/libXau.so.6.0.0
00679000-00689000 r-xp 00000000 ca:05 4163246    /usr/lib/libXpm.so.4.11.0
00689000-0068a000 rw-p 00010000 ca:05 4163246    /usr/lib/libXpm.so.4.11.0
006be000-006dd000 r-xp 00000000 ca:05 4164452    /usr/lib/libgd.so.2.0.0
006dd000-006fd000 rw-p 0001e000 ca:05 4164452    /usr/lib/libgd.so.2.0.0
006fd000-00711000 rw-p 006fd000 00:00 0 
007b3000-007da000 r-xp 00000000 ca:05 4163646    /usr/lib/libfontconfig.so.1.1.0
007da000-007e2000 rw-p 00027000 ca:05 4163646    /usr/lib/libfontconfig.so.1.1.0
0088b000-00908000 r-xp 00000000 ca:05 4164173    /usr/lib/libfreetype.so.6.3.10
00908000-0090b000 rw-p 0007d000 ca:05 4164173    /usr/lib/libfreetype.so.6.3.10
00940000-00a3f000 r-xp 00000000 ca:05 4163366    /usr/lib/libX11.so.6.2.0
00a3f000-00a43000 rw-p 000ff000 ca:05 4163366    /usr/lib/libX11.so.6.2.0
00a80000-00aa5000 r-xp 00000000 ca:05 4163186    /usr/lib/libpng12.so.0.10.0
00aa5000-00aa6000 rw-p 00024000 ca:05 4163186    /usr/lib/libpng12.so.0.10.0
00ab2000-00ab6000 r-xp 00000000 ca:05 1999732    /lib/libnss_dns-2.5.so
00ab6000-00ab7000 r--p 00003000 ca:05 1999732    /lib/libnss_dns-2.5.so
00ab7000-00ab8000 rw-p 00004000 ca:05 1999732    /lib/libnss_dns-2.5.so
08048000-0806c000 r-xp 00000000 ca:05 4622335    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english
0806c000-08070000 rw-p 00024000 ca:05 4622335    /usr/local/cpanel/3rdparty/bin/webalizer_lang/english
08070000-0809b000 rw-p 08070000 00:00 0 
0822e000-082b3000 rw-p 0822e000 00:00 0 
b7f77000-b7f7c000 rw-p b7f77000 00:00 0 
b7f82000-b7f85000 rw-p b7f82000 00:00 0 
bf82d000-bf842000 rw-p bffe9000 00:00 0          [stack]

 

[southbay]

Shouldn't it be:
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
instead of:
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

I don't know..what do you think?

 

[Infopro]

Shouldn't it be:
exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
instead of:
exe:/usr/local/cpanel/3rdparty/bin/english/webalizer

Time: Thu Mar 14 05:18:11 2013 -0700
PID: 1842 (Parent PID:1836)
Account: xxxxxxx
Uptime: 48 seconds


Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english


....

Yes, I think it should be.