/usr/local/cpanel/3rdparty/sbin/p0f

Discussion in 'General Discussion' started by MaRiOsGR66, Jun 27, 2015.

  1. MaRiOsGR66

    Today I found this running on the server:

    378784 cpanelco 20 0 16580 8676 4484 S 2.3 0.0 28:16.37 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel

    Code:
    root@[~]# lsof -p 378784
    COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
    p0f  378784 cpanelconnecttrack  cwd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
    p0f  378784 cpanelconnecttrack  rtd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
    p0f  378784 cpanelconnecttrack  txt  REG  9,2  358547  21892593 /usr/local/cpanel/3rdparty/sbin/p0f
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  65928  90964499 /lib64/libnss_files-2.12.so
    p0f  378784 cpanelconnecttrack  mem  REG  0,6  1779738079 socket:[1779738079] (stat: No such file or directory)
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  1921176  90964216 /lib64/libc-2.12.so
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  258504  20729763 /usr/lib64/libpcap.so.1.4.0
    p0f  378784 cpanelconnecttrack  mem  REG  9,2  154528  90964208 /lib64/ld-2.12.so
    p0f  378784 cpanelconnecttrack  0r  CHR  1,3  0t0  4038 /dev/null
    p0f  378784 cpanelconnecttrack  1w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
    p0f  378784 cpanelconnecttrack  2w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
    p0f  378784 cpanelconnecttrack  3u  pack  1779738079  0t0  ALL type=SOCK_DGRAM
    p0f  378784 cpanelconnecttrack  4u  unix 0xffff88095d913c80  0t0 1779738088 /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket
    
    
    Is this something that comes from cPanel or should I be worried?
     
    #1 MaRiOsGR66, Jun 27, 2015
    Last edited by a moderator: Jun 27, 2015
  2. 24x7ss

    Hello,

    That looks suspicious to me. Can you check the stat on that binary, run the command below, and paste the output:

    rpm -qf /usr/local/cpanel/3rdparty/sbin/p0f
     
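The package check suggested in the reply above, taken one step further, as an added example that is not part of the original thread: once `rpm -qf` names the owning package, `rpm -Vf` compares the file on disk with the package database. The function names and the sample `rpm -V` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): is a binary owned by an RPM package,
# and does the file on disk still match what that package installed?

# Constructed sample of `rpm -V` output, used when run without arguments.
SAMPLE_VERIFY='.......T.  c /etc/example.conf
S.5....T.    /usr/local/cpanel/3rdparty/sbin/p0f'

# verdict_from_verify OUTPUT PATH
# Reads `rpm -V` output and echoes one verdict for PATH:
#   clean          PATH not listed (rpm -V prints only files that differ)
#   modified       digest flag "5" set: content differs from the package
#   missing        file is gone from disk
#   metadata-only  only size/mode/owner/mtime style flags differ
verdict_from_verify() {
    output=$1 target=$2 verdict=clean
    while IFS= read -r line; do
        case "$line" in
            *" $target") ;;          # this line is about our file
            *) continue ;;
        esac
        flags=${line%% *}            # first field: "missing" or the flag string
        case "$flags" in
            missing) verdict=missing ;;
            ??5*)    verdict=modified ;;
            *)       verdict=metadata-only ;;
        esac
    done <<EOF
$output
EOF
    echo "$verdict"
}

# triage_binary PATH: echoes "unowned" or "<package> <verdict>"
triage_binary() {
    path=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm-not-available"; return 0; }
    # rpm -qf exits non-zero when no package owns the file
    pkg=$(rpm -qf "$path" 2>/dev/null) || { echo unowned; return 0; }
    # rpm -Vf verifies the owning package; a non-zero exit only means "differences found"
    report=$(rpm -Vf "$path" 2>/dev/null) || true
    echo "$pkg $(verdict_from_verify "$report" "$path")"
}

if [ $# -gt 0 ]; then
    triage_binary "$1"
else
    verdict_from_verify "$SAMPLE_VERIFY" /usr/local/cpanel/3rdparty/sbin/p0f
fi
```

An `unowned` result means only that the package database cannot vouch for the file; a `modified` result on a packaged binary is the one that warrants comparing it against a fresh copy from the vendor.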
  3. Infopro
