lfd reporting excessive resource usage / suspicious process "spamd child"
It appears that after my server was updated from v68 to v70.0.41, lfd (ConfigServer Security & Firewall - csf v12.03) is repeatedly reporting spamd as a suspicious and excessive process because it's running too long.
I see a pair of notification emails every now and then:
lfd on SERVERNAME: Excessive resource usage: USERNAME (15690 (Parent PID:14162))
lfd on SERVERNAME: Suspicious process running under user USERNAME
Excerpt from the "Excessive resource usage" email:
Time: Wed May 16 07:01:43 2018 -0700
Account: USERNAME
Resource: Process Time
Exceeded: 22283 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/526/bin/perl
Command Line: spamd child
PID: 15690 (Parent PID:14162)
Killed: No
The process uptime is large in this example (6 hours). I don't know the regular behaviour of spamd, if it usually runs for so long or not.
Is this an issue with spamd or lfd?
How do I fix it?
Thanks.
Try adding the following process regex matches to the /etc/csf/csf.pignore file:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
If that doesn't stop the Excessive usage reports for spamd and/or spamd child, you may need to exclude all of perl with the code
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
@dcusimano the advice provided by @rpvw is exactly what should be done. Please let us know if you have any other questions in regard to this. Thanks!
Hi @cPanelLauren By adding the line in the above file, CSF will ignore the spamd process. But RPC also keeps running for a long time and sometimes spamd in my case. What could be the reason for excessive resource usage by RPC and spamd?
Hi @Sanjay Narayan I believe the confusion is with the alert itself: this isn't an excessive resource usage alert, it's a process time alert indicating that the process has run longer than the threshold LFD has set. For these processes it is normal for them to be running like this.
FYI: we added only:
exe:/usr/local/cpanel/3rdparty/perl/524/bin/spamd
to the /etc/csf/csf.pignore file. It seems to work fine.
That will work fine until the perl version changes, which is why I gave you a regex to cover all the perl versions for that process! For instance, my server uses perl 526 so the path is /usr/local/cpanel/3rdparty/perl/526/bin/spamd, which would NOT match your rule.
Sorry, didn't mean to pick on your answer. :( I'm still learning. :-p Thanks ;) P.S. for improved security maybe this one could be even better:
pexe:^/usr/local/cpanel/3rdparty/perl/.*/bin/spamd$
I am having the same problem with numerous spamd child Suspicious process and Excessive resource usage LFD notifications. I have tried adding the coding below to the csf.pignore file, but am still getting the notifications.
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
I also tried it with the actual Perl version (530) instead of .*, which did not stop the notifications either, and the line below already existed in the csf.pignore file, but was not blocking the notifications:
exe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
I have also tried using both pexe:/ and exe:/. I am getting these notifications for various domains on the server several times per hour and would appreciate any help in putting an end to them.
What is the specific notification you're receiving for this @mlweber? The lines included in the mail notification are really helpful.
Thank you for the quick reply! I'm getting 2 emails every time. I'm pasting in the content from the 2 that I just received:
Excessive resource usage email notification:
Time: Fri Feb 28 12:31:43 2020 -0600
Account: vector
Resource: Process Time
Exceeded: 19731 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line: spamd child
PID: 7916 (Parent PID:6712)
Killed: No
Suspicious process email notification:
Time: Fri Feb 28 12:31:43 2020 -0600
PID: 7916 (Parent PID:6712)
Account: vector
Uptime: 19731 seconds
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl
Command Line (often faked in exploits): spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 127.0.0.1:49706
Files open by the process (if any):
/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/530/bin/spamd
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/530/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm
Memory maps by the process (if any):
Then there is a process list shown below that I didn't think was needed or relevant, but will happily provide if you want it.
What you need to exclude if you're going to exclude by EXE is the actual executable, which is /usr/local/cpanel/3rdparty/perl/530/bin/perl in both cases. They give you three options of items to ignore:
# exe:/full/path/to/file
# user:username
# cmd:command line
Then they give you the same three lines in the notifications:
Account: vector ###This is the user
Executable: /usr/local/cpanel/3rdparty/perl/530/bin/perl ###The Executable
Command Line (often faked in exploits): spamd child ###The Command Line
You're attempting to block:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
Which would just block /usr/local/cpanel/3rdparty/perl/.*/bin/spamd specifically, not /usr/local/cpanel/3rdparty/perl/530/bin/perl
If your concern is to match spamd you should ignore it this way:
pcmd:spamd child
I wrote a resource not that long ago on how to do this:
If you want to ignore perl in general, which I would hesitate to do, you can use:
For the perl regular expression:
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
For the basic line:
exe:/usr/local/cpanel/3rdparty/perl/530/bin/perl
I followed the advice given by @rpvw on May 16, 2018, which you cited as being exactly what should have been done, and it did not work for me. I have now also added pcmd:spamd child to the csf.pignore file and will see if that works; if so I will post again to indicate that it did. I did have pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl in the csf.pignore file and that did not stop the notifications, nor did pexe:/usr/local/cpanel/3rdparty/perl/530/bin/perl. What's a little odd is that I was not receiving these notifications before cPanel updated to version 86.0.4 earlier this morning, and now I'm getting numerous notifications every hour.
Okay, so that did not work either. I have tried everything I could find to stop these notifications and nothing has worked. I am attaching a screenshot of what I have in the csf.pignore file as well as my Outlook inbox showing that these notifications are still coming in.
Based on the screenshot you're receiving several different types of notifications. Are they all for the same exe and cmd entries? The p should only be placed in front of the exe or cmd entry in the event you're using the perl regex format. As you're not, you can remove that. The formatting instructions are clearly listed in the pignore file:
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex
# puser:username as a perl regex
# pcmd:command line as a perl regex
#
# You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
Are you restarting CSF after adding the additions? If you re-add your ignores and restart CSF after you've added them and you're confident the notifications are all for the same processes, I'd advise you to contact CSF for further assistance.
Thank you for the response. I had been restarting CSF after making and/or changing the ignores, but forgot to do so after adding pcmd:spamd child. I restarted CSF and Apache and have not received any further notifications since. Thank you for your help!