
Suspicious symlink /var/cpanel/userhomes/cpanelhorde/cache/

Discussion in 'Security' started by sonicsam, Mar 17, 2014.

  1. sonicsam

    sonicsam Member

    On one server I am getting these alerts from lfd

    Time: Mon Mar 17 08:51:41 2014 +0000
    File: /tmp/magick-9835P9R4q1nt07zi
    Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU)
    Owner: cpanelhorde:cpanelhorde (32002:32002)
    Action: Symlink removed

    and the following which looks related

    Time: Mon Mar 17 08:50:06 2014 +0000
    Account: cpanelhorde
    Resource: Virtual Memory Size
    Exceeded: 163 > 150 (MB)
    Executable: /usr/bin/gs
    Command Line: gs -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pbmraw -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -sOutputFile=/tmp/magick-9835g9FUUa1bKsP9%d -f/tmp/magick-9835ZnLCRVzhvJce -f/tmp/magick-9835P9R4q1nt07zi
    PID: 9838 (Parent PID:9835)
    Killed: No

    I am running 11.42.0.21 and I am assuming this is to do with the security issue

    [security] Fixed case 84385: Arbitrary code execution as cpanel-horde user via cache file poisoning.

    Can I assume then that my install is not vulnerable and ignore these alerts?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    A "/tmp/magick" file would typically indicate the use of Imagemagick. Is it installed on your system? Also, I may be misunderstanding the LFD output, but the alert seems to indicate the imagemagick tmp file was symbolically linked to the Horde cache file. Have you checked with support for LFD to verify that?

    Thank you.
     
  3. tuibm

    tuibm Member

    Hello,

    I'm having the same issue. Did you find the cause of this?

    Thanks
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The user did not update the thread, but I did send a response (it's the post above yours) that would apply if you notice the same issue. Let me know if that post helps.

    Thank you.
     
  5. markhubert

    markhubert Member

    We're getting this warning as well.

    cPanelMichael: I've not been able to find an LFD support... ConfigServ dude has nothing. That said, not really sure what the Login Failure Daemon (LFD) would have to do with suspicious file identification....

    Any other suggestions? I'd really like to get this to stop as it's generating three emails every hour.

    Thanks
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The alert in question stems from LFD, not cPanel. The CSF forums are located here:

    CSF/LFD - Support Forums

    Thank you.
     
  7. markhubert

    markhubert Member

    Yeah. A search of the CSF/LFD forum returns nothing.

    Thanks
     
  8. pkiff

    pkiff Member

    Reviving this old thread because I ran into these warning alerts from CSF today, and I think I can add a bit more of an explanation. Like markhubert, I did a search on the CSF/LFD forum and found nothing, so there's no help coming from there, unless you have a paid support version of CSF.

    I believe this alert is simply the result of imagemagick using a lot of memory during a regular image processing job. In my case, the warning appeared when the server was being asked to process an 8MB file, and produce a JPEG, and the virtual memory pushed over 150MB to do it. The error was not associated with the horde user in my case but with a regular user account. Similar jobs on files that were 1-2MB did not exceed that memory limit.

    Now, when this memory burst happens, I think probably imagemagick starts to swap data from memory to disk and THAT probably creates temporary symlinks to temporary files when it does so. My theory is that this is what triggers the CSF/LFD warning. Or maybe it is because the symlinks get created when the files are moved from your temp folder into your file structure, and it is merely the size of the temp file being symlinked that arouses suspicion. I'm not sure.

    To stop these warnings, you can probably configure your CSF/LFD to ignore these files in the tmp directory, though I'm not sure that's a good idea. A better approach might be to change the policies on your imagemagick installation to place additional memory limits on the magick convert processes. I haven't yet tried either of these solutions, so this is just speculation.

    For more information about changing imagemagick policies on memory limits, see:

    Convert uses too much memory - ImageMagick

    Policy.xml details on the Customize ImageMagick With Resources page:
    ImageMagick: Resources
     
    #8 pkiff, Nov 21, 2014
    Last edited: Nov 21, 2014
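
Added example, not part of any post in this thread and not cPanel or ConfigServer code: a small triage script that checks whether a "Suspicious symlink" alert and a process alert from lfd describe the same image-processing job, using the two alerts quoted in the first post. The function names and the assumed alert layout (blank-line separated blocks of `Key: value` lines) are hypothetical and based only on that post.

```python
import re
from datetime import datetime

# The two lfd alerts quoted in the first post of this thread, copied verbatim.
ALERTS = """\
Time: Mon Mar 17 08:51:41 2014 +0000
File: /tmp/magick-9835P9R4q1nt07zi
Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU)
Owner: cpanelhorde:cpanelhorde (32002:32002)
Action: Symlink removed

Time: Mon Mar 17 08:50:06 2014 +0000
Account: cpanelhorde
Resource: Virtual Memory Size
Exceeded: 163 > 150 (MB)
Executable: /usr/bin/gs
Command Line: gs -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pbmraw -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -sOutputFile=/tmp/magick-9835g9FUUa1bKsP9%d -f/tmp/magick-9835ZnLCRVzhvJce -f/tmp/magick-9835P9R4q1nt07zi
PID: 9838 (Parent PID:9835)
Killed: No
"""

def parse_alerts(text):
    """Split on blank lines and turn each 'Key: value' block into a dict."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.strip().split(": ", 1) for l in block.splitlines() if ": " in l)
        fields["when"] = datetime.strptime(fields["Time"], "%a %b %d %H:%M:%S %Y %z")
        alerts.append(fields)
    return alerts

def correlate(alerts):
    """Pair each symlink alert with each process alert and record what links them."""
    links = [a for a in alerts if a.get("Reason", "").startswith("Suspicious symlink")]
    procs = [a for a in alerts if "Command Line" in a]
    findings = []
    for link in links:
        path = link["File"]
        for proc in procs:
            ppid = re.search(r"Parent PID:(\d+)", proc["PID"]).group(1)
            findings.append({
                "file": path,
                "target": re.search(r"\(->(.+)\)", link["Reason"]).group(1),
                "executable": proc["Executable"],
                # Was the flagged file handed to the process as a -f input?
                "passed_as_input": any(t == "-f" + path for t in proc["Command Line"].split()),
                # Heuristic: file name starts with "magick-" plus the parent PID.
                "name_matches_parent_pid": path.rsplit("/", 1)[-1].startswith("magick-" + ppid),
                "same_account": link["Owner"].split(":")[0] == proc["Account"],
                "seconds_apart": int((link["when"] - proc["when"]).total_seconds()),
            })
    return findings
```

A match shows only that the flagged file was an input to the `gs` process started by the parent whose PID appears in the file name; it does not establish how the file behind the symlink target got into the Horde cache.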