/usr/local/cpanel/3rdparty/sbin/p0f

MaRiOsGR66
Well-Known Member, Feb 18, 2011
cPanel Access Level: Root Administrator
Today I found this running on the server:

378784 cpanelco 20 0 16580 8676 4484 S 2.3 0.0 28:16.37 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel

Code:
[email protected][~]# lsof -p 378784
COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
p0f  378784 cpanelconnecttrack  cwd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
p0f  378784 cpanelconnecttrack  rtd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
p0f  378784 cpanelconnecttrack  txt  REG  9,2  358547  21892593 /usr/local/cpanel/3rdparty/sbin/p0f
p0f  378784 cpanelconnecttrack  mem  REG  9,2  65928  90964499 /lib64/libnss_files-2.12.so
p0f  378784 cpanelconnecttrack  mem  REG  0,6  1779738079 socket:[1779738079] (stat: No such file or directory)
p0f  378784 cpanelconnecttrack  mem  REG  9,2  1921176  90964216 /lib64/libc-2.12.so
p0f  378784 cpanelconnecttrack  mem  REG  9,2  258504  20729763 /usr/lib64/libpcap.so.1.4.0
p0f  378784 cpanelconnecttrack  mem  REG  9,2  154528  90964208 /lib64/ld-2.12.so
p0f  378784 cpanelconnecttrack  0r  CHR  1,3  0t0  4038 /dev/null
p0f  378784 cpanelconnecttrack  1w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
p0f  378784 cpanelconnecttrack  2w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
p0f  378784 cpanelconnecttrack  3u  pack  1779738079  0t0  ALL type=SOCK_DGRAM
p0f  378784 cpanelconnecttrack  4u  unix 0xffff88095d913c80  0t0 1779738088 /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket
Is this something that comes from cPanel, or should I be worried?

24x7ss
Well-Known Member, Sep 30, 2014
cPanel Access Level: Root Administrator
Hello,

That looks suspicious to me. Can you check the stat on that binary, run the command below, and paste the output:

rpm -qf /usr/local/cpanel/3rdparty/sbin/p0f
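The checks suggested in this thread (stat on the binary, rpm -qf) are the start of a provenance triage; the script below bundles them with two more that matter for an unknown process. It is an added example written for this page, not code from cPanel or from either poster, and the PID and path in its usage comment are just the values from the first post used as placeholders. It assumes a Linux host with /proc and either rpm or dpkg; where neither exists it reports "nopm" rather than guessing. Two caveats a practitioner should keep in mind: "unpackaged" is not by itself evidence of compromise, since software installed by a vendor's own installer rather than the package manager shows up that way, and the stronger signals are a packaged file whose size or digest no longer matches the package database (rpm -V / dpkg -V) and a running process whose /proc/PID/exe points at a "(deleted)" inode, which means the on-disk copy was removed or replaced after the process started. In either case, compare the SHA-256 with a known-good copy from the vendor before deciding.

```shell
#!/bin/sh
# Provenance triage for an unfamiliar running binary.
# Added example for this thread, not cPanel's code. PID/path below are
# placeholders taken from the first post.
#
# Usage:  sh triage.sh 378784
#         sh triage.sh /usr/local/cpanel/3rdparty/sbin/p0f

# Print the package that owns FILE, "unpackaged" if no package claims it,
# or "nopm" when neither rpm nor dpkg is installed on this host.
pkg_owner() {
    f=$1
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -qf "$f" 2>/dev/null) && echo "$out" || echo unpackaged
    elif command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path" (several packages on diverted files);
        # keep only the name before the first colon.
        out=$(dpkg -S "$f" 2>/dev/null) && echo "${out%%:*}" || echo unpackaged
    else
        echo nopm
    fi
}

# Compare FILE against the size/mode/digest recorded by its package.
# Prints "ok", "modified: <verify line>", or "skip" when not packaged.
# rpm -V and dpkg -V print one line per changed file with the path last.
pkg_verify() {
    f=$1
    pkg=$(pkg_owner "$f")
    case $pkg in unpackaged|nopm) echo skip; return 0 ;; esac
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -V "$pkg" 2>/dev/null | awk -v f="$f" '$NF == f')
    else
        out=$(dpkg -V "$pkg" 2>/dev/null | awk -v f="$f" '$NF == f')
    fi
    [ -z "$out" ] && echo ok || echo "modified: $out"
}

# The executable actually mapped into PID (survives a rename or unlink of
# the on-disk file). Reading another user's exe link needs root.
proc_exe() {
    pid=$1
    [ -L "/proc/$pid/exe" ] || { echo "no /proc entry"; return 0; }
    exe=$(readlink "/proc/$pid/exe") || { echo "unreadable (need root?)"; return 0; }
    case $exe in
        *" (deleted)") echo "DELETED: $exe" ;;   # binary removed after start
        *) echo "$exe" ;;
    esac
}

# SHA-256 of FILE, for comparison against a known-good vendor copy.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Accepts a PID or a path; for a PID, resolve the mapped executable first.
triage() {
    target=$1
    if [ -d "/proc/$target" ]; then
        pid=$target
        echo "pid $pid exe:     $(proc_exe "$pid")"
        echo "pid $pid cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
        target=$(readlink "/proc/$pid/exe" | sed 's/ (deleted)$//')
    fi
    echo "stat:    $(stat -c '%U:%G %a mtime=%y' "$target")"
    echo "owner:   $(pkg_owner "$target")"
    echo "verify:  $(pkg_verify "$target")"
    echo "sha256:  $(file_sha256 "$target")"
}

if [ $# -gt 0 ]; then triage "$1"; fi
```

Run it as root against the PID from ps so that /proc/PID/exe is readable; the "owner" and "verify" lines answer the rpm -qf question asked above, and the "exe" line catches the case where the path shown by ps no longer matches what is actually executing.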