Suspicious symlink /var/cpanel/userhomes/cpanelhorde/cache/

sonicsam

Member
Apr 5, 2012
cPanel Access Level
Root Administrator
On one server I am getting these alerts from lfd

Time: Mon Mar 17 08:51:41 2014 +0000
File: /tmp/magick-9835P9R4q1nt07zi
Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU)
Owner: cpanelhorde:cpanelhorde (32002:32002)
Action: Symlink removed

and the following which looks related

Time: Mon Mar 17 08:50:06 2014 +0000
Account: cpanelhorde
Resource: Virtual Memory Size
Exceeded: 163 > 150 (MB)
Executable: /usr/bin/gs
Command Line: gs -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pbmraw -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -sOutputFile=/tmp/magick-9835g9FUUa1bKsP9%d -f/tmp/magick-9835ZnLCRVzhvJce -f/tmp/magick-9835P9R4q1nt07zi
PID: 9838 (Parent PID:9835)
Killed: No

I am running 11.42.0.21 and I am assuming this is to do with the security issue

[security] Fixed case 84385: Arbitrary code execution as cpanel-horde user via cache file poisoning.

Can I assume then that my install is not vulnerable and ignore these alerts?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Time: Mon Mar 17 08:51:41 2014 +0000
File: /tmp/magick-9835P9R4q1nt07zi
Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU)
Owner: cpanelhorde:cpanelhorde (32002:32002)
Action: Symlink removed
A "/tmp/magick" file would typically indicate the use of ImageMagick. Is it installed on your system? Also, I may be misunderstanding the LFD output, but the alert seems to indicate the ImageMagick tmp file was symbolically linked to the Horde cache file. Have you checked with support for LFD to verify that?

Thank you.
 

tuibm

Member
Dec 17, 2012
cPanel Access Level
Root Administrator
On one server I am getting these alerts from lfd

Time: Mon Mar 17 08:51:41 2014 +0000
File: /tmp/magick-9835P9R4q1nt07zi
Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU)
Owner: cpanelhorde:cpanelhorde (32002:32002)
Action: Symlink removed

and the following which looks related

Time: Mon Mar 17 08:50:06 2014 +0000
Account: cpanelhorde
Resource: Virtual Memory Size
Exceeded: 163 > 150 (MB)
Executable: /usr/bin/gs
Command Line: gs -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pbmraw -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -sOutputFile=/tmp/magick-9835g9FUUa1bKsP9%d -f/tmp/magick-9835ZnLCRVzhvJce -f/tmp/magick-9835P9R4q1nt07zi
PID: 9838 (Parent PID:9835)
Killed: No
Hello,

I'm having the same issue, did you find the cause of this?

Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
The user did not update the thread, but I did send a response (it's the post above yours) that would apply if you notice the same issue. Let me know if that post helps.

Thank you.
 

markhubert

Member
Jan 7, 2007
We're getting this warning as well.

cPanelMichael: I've not been able to find an LFD support... ConfigServ dude has nothing. That said, not really sure what the Login Failure Daemon (LFD) would have to do with suspicious file identification....

Any other suggestions? I'd really like to get this to stop as it's generating three emails every hour.

Thanks
 

pkiff

Member
Jul 31, 2007
Reviving this old thread because I ran into these warning alerts from CSF today, and I think I can add a bit more of an explanation. Like markhubert, I did a search on the CSF/LFD forum and found nothing, so there's no help coming from there, unless you have a paid support version of CSF.

I believe this alert is simply the result of ImageMagick using a lot of memory during a regular image processing job. In my case, the warning appeared when the server was being asked to process an 8MB file, and produce a JPEG, and the virtual memory pushed over 150MB to do it. The error was not associated with the horde user in my case but with a regular user account. Similar jobs on files that were 1-2MB did not exceed that memory limit.

Now, when this memory burst happens, I think probably ImageMagick starts to swap data from memory to disk and THAT probably creates temporary symlinks to temporary files when it does so. My theory is that this is what triggers the CSF/LFD warning. Or maybe it is because the symlinks get created when the files are moved from your temp folder into your file structure, and it is merely the size of the temp file being symlinked that arouses suspicion. I'm not sure.

To stop these warnings, you can probably configure your CSF/LFD to ignore these files in the tmp directory, though I'm not sure that's a good idea. A better approach might be to change the policies on your ImageMagick installation to place additional memory limits on the magick convert processes. I haven't yet tried either of these solutions, so this is just speculation.

For more information about changing ImageMagick policies on memory limits, see:

Convert uses too much memory - ImageMagick

Policy.xml details on the Customize ImageMagick With Resources page:
ImageMagick: Resources
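As an added example that is not from any poster in this thread: a small Python script that parses the two lfd alert formats quoted at the top of the thread, pairs each "Suspicious symlink" alert with the resource alert whose parent PID created the flagged temp file, and checks whether the link target stays inside the owning account's own cPanel userhome (the question cPanelMichael raises about what was linked to what). The magick-<pid> temp-file naming and the /var/cpanel/userhomes/<account>/ layout are assumptions; the sample alert text is constructed from the posts above.

```python
import re
from datetime import datetime
# Constructed sample: the two lfd alert bodies quoted at the top of this thread
# (gs command line shortened; everything else as posted).
SAMPLE_ALERTS = """\
Time: Mon Mar 17 08:51:41 2014 +0000
File: /tmp/magick-9835P9R4q1nt07zi
Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU)
Owner: cpanelhorde:cpanelhorde (32002:32002)
Action: Symlink removed

Time: Mon Mar 17 08:50:06 2014 +0000
Account: cpanelhorde
Resource: Virtual Memory Size
Exceeded: 163 > 150 (MB)
Executable: /usr/bin/gs
Command Line: gs -q -dQUIET -dSAFER -sDEVICE=pbmraw -f/tmp/magick-9835P9R4q1nt07zi
PID: 9838 (Parent PID:9835)
"""

def parse_alerts(text):
    # Each alert is a blank-line separated block of "Key: value" lines.
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.partition(": ")[::2] for line in block.splitlines())
        rec["when"] = datetime.strptime(rec["Time"], "%a %b %d %H:%M:%S %Y %z")
        alerts.append(rec)
    return alerts

def correlate(alerts, window_s=300):
    # Pair each "Suspicious symlink" alert with a resource alert whose parent PID created
    # the flagged temp file within window_s seconds. Assumption: the digits after
    # "magick-" in an ImageMagick temp name are the creating process id (9835 here).
    pairs = []
    for s in (a for a in alerts if a.get("Reason", "").startswith("Suspicious symlink")):
        fm = re.match(r"/tmp/magick-(\d+)", s.get("File", ""))
        for r in (a for a in alerts if "Resource" in a):
            pm = re.search(r"Parent PID:\s*(\d+)", r.get("PID", ""))
            same_pid = fm and pm and fm.group(1) == pm.group(1)
            close = abs((s["when"] - r["when"]).total_seconds()) <= window_s
            if same_pid and close:
                pairs.append((s, r))
    return pairs

def target_inside_owner_tree(symlink_alert):
    # True when the link target stays inside the owning account's own cPanel userhome,
    # i.e. a process linking to its own cache rather than reaching into another account.
    owner = symlink_alert["Owner"].split(":")[0]
    tm = re.search(r"\(->(.*)\)", symlink_alert["Reason"])
    return bool(tm) and tm.group(1).startswith(f"/var/cpanel/userhomes/{owner}/")
```

For the posted alerts this pairs the symlink removal with the gs memory alert 95 seconds earlier under the same parent PID, and reports the link target as inside cpanelhorde's own userhome; a pair whose target falls outside the owner's tree is the case worth escalating rather than silencing.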
 