
/usr/local/cpanel/3rdparty/sbin/p0f

Discussion in 'General Discussion' started by MaRiOsGR66, Jun 27, 2015.

  1. MaRiOsGR66

    MaRiOsGR66 Well-Known Member

    Today I found this running on the server:

    378784 cpanelco 20 0 16580 8676 4484 S 2.3 0.0 28:16.37 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel

    Code:
    root@[~]# lsof -p 378784
    COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
    p0f  378784 cpanelconnecttrack  cwd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
    p0f  378784 cpanelconnecttrack  rtd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
    p0f  378784 cpanelconnecttrack  txt  REG  9,2  358547  21892593 /usr/local/cpanel/3rdparty/sbin/p0f
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  65928  90964499 /lib64/libnss_files-2.12.so
    p0f  378784 cpanelconnecttrack  mem  REG  0,6  1779738079 socket:[1779738079] (stat: No such file or directory)
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  1921176  90964216 /lib64/libc-2.12.so
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  258504  20729763 /usr/lib64/libpcap.so.1.4.0
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  154528  90964208 /lib64/ld-2.12.so
    p0f  378784 cpanelconnecttrack  0r  CHR  1,3  0t0  4038 /dev/null
    p0f  378784 cpanelconnecttrack  1w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
    p0f  378784 cpanelconnecttrack  2w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
    p0f  378784 cpanelconnecttrack  3u  pack  1779738079  0t0  ALL type=SOCK_DGRAM
    p0f  378784 cpanelconnecttrack  4u  unix 0xffff88095d913c80  0t0 1779738088 /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket
    
    
    Is this something that comes from cPanel, or should I be worried?
     
    #1 MaRiOsGR66, Jun 27, 2015
    Last edited by a moderator: Jun 27, 2015
  2. 24x7ss

    24x7ss Well-Known Member

    Hello,

    That looks suspicious to me. Can you check the stat on that binary, run the command below, and paste the output:

    rpm -qf /usr/local/cpanel/3rdparty/sbin/p0f
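
The checks asked for above (stat on the binary plus package ownership), collected into one script that starts from the PID seen in the process list. This is an added example, not part of the thread and not cPanel's own tooling; the function names are hypothetical, and it assumes a Linux host with /proc and, for the ownership and verify steps, rpm.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
# Usage: ./triage-proc.sh <pid>

# Path of the executable backing a PID, as the kernel reports it.
exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# "deleted" = binary unlinked after launch; "missing" = path not visible;
# "unreadable" = no such PID or no permission to read it.
exe_state() {
    local p
    p=$(exe_path "$1") || { echo "unreadable"; return 1; }
    case "$p" in
        *" (deleted)") echo "deleted" ;;
        *) if [ -e "$p" ]; then echo "present"; else echo "missing"; fi ;;
    esac
}

# Owning package name, "unowned" if no package claims the file,
# or "no-rpm" on hosts without rpm.
pkg_owner() {
    local out
    command -v rpm >/dev/null 2>&1 || { echo "no-rpm"; return 0; }
    if out=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null); then
        echo "$out"
    else
        echo "unowned"
    fi
}

triage() {
    local pid=$1 path state owner
    state=$(exe_state "$pid") || true
    path=$(exe_path "$pid") || true
    echo "pid=$pid exe=${path:-?} state=$state"
    [ "$state" = "present" ] || return 1
    stat -c 'mode=%A owner=%U:%G mtime=%y' "$path"
    owner=$(pkg_owner "$path")
    echo "package=$owner"
    case "$owner" in
        unowned|no-rpm) return 1 ;;
    esac
    # rpm -V prints a line only for files that differ from the package database.
    rpm -Vf "$path" | grep -F -- " $path" || echo "verify=unchanged"
}

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

rpm -V compares against the local RPM database, so it shows drift from what was installed rather than proving integrity on a host where root access is already in doubt.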
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member
