/usr/local/cpanel/3rdparty/sbin/p0f

[MaRiOsGR66]

today I found this running on the server:

378784 cpanelco 20 0 16580 8676 4484 S 2.3 0.0 28:16.37 /usr/local/cpanel/3rdparty/sbin/p0f -i any -u cpanelconnecttrack -d -s /var/cpanel

[email protected][~]# lsof -p 378784
COMMAND  PID  USER  FD  TYPE  DEVICE SIZE/OFF  NODE NAME
p0f  378784 cpanelconnecttrack  cwd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
p0f  378784 cpanelconnecttrack  rtd  DIR  9,2  4096  29764466 /var/cpanel/userhomes/cpanelconnecttrack
p0f  378784 cpanelconnecttrack  txt  REG  9,2  358547  21892593 /usr/local/cpanel/3rdparty/sbin/p0f
p0f  378784 cpanelconnecttrack  mem  REG  9,2  65928  90964499 /lib64/libnss_files-2.12.so
p0f  378784 cpanelconnecttrack  mem  REG  0,6  1779738079 socket:[1779738079] (stat: No such file or directory)
p0f  378784 cpanelconnecttrack  mem  REG  9,2  1921176  90964216 /lib64/libc-2.12.so
p0f  378784 cpanelconnecttrack  mem  REG  9,2  258504  20729763 /usr/lib64/libpcap.so.1.4.0
p0f  378784 cpanelconnecttrack  mem  REG  9,2  154528  90964208 /lib64/ld-2.12.so
p0f  378784 cpanelconnecttrack  0r  CHR  1,3  0t0  4038 /dev/null
p0f  378784 cpanelconnecttrack  1w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
p0f  378784 cpanelconnecttrack  2w  REG  9,2  667013  29622966 /var/run/restartsrv/startup/p0f
p0f  378784 cpanelconnecttrack  3u  pack  1779738079  0t0  ALL type=SOCK_DGRAM
p0f  378784 cpanelconnecttrack  4u  unix 0xffff88095d913c80  0t0 1779738088 /var/cpanel/userhomes/cpanelconnecttrack/p0f.socket

is this something that comes from cPanel or should I be worried ?

 

[24x7ss]

Hello,

That looks suspicious to me. Can you check the stat on that binary and run below command and past output:

rpm -qf /usr/local/cpanel/3rdparty/sbin/p0f

 

[Infopro]

https://forums.cpanel.net/threads/passive-os-fingerprinting.478431/#post-1931851