Skip to main content

Suspicious process running under user cpanelroundcube

Comments

7 comments

  • rpvw
    Hi @martin MHC I shall try to put your mind at rest :-D
    PHP FPM is turned on but is not used on any accounts.

    I believe that PHP-FPM is also used by cPanels own internal web server/PHP processes(which is a separate and distinct service to the Apache/PHP processes used by the clients), and as such, you don't have any control over it.
    How do I know cpanelroundcube has not been compromised? Based on the fact I never used to get these messages until recently.

    The message you are getting actually refers to the php-fpm process that roundcube is calling as a normal part of its PHP script execution. Your cPanel internal default PHP is 7.2 (I think since cPanel v76) and I believe it now uses php-fpm as the internal Handler instead of the php-cgi handler that the article you refer to states.
    Some clients who use roundcube webmail tell me it takes them literal minutes to load roundcube webmail for their emails. Is there any way to establish Why? and/or if it's related? I can not generate the same time delay on my own roundcube webmail testing, even on their own email account login's.

    Lots of things, of course, that can influence this - connection speed, traffic bottlenecks, speed of clients hardware/software etc etc The fact that you can't replicate it does indicate there is not anything terribly wrong. You might like to have a look at Tweak Settings > Max cPanel process memory (Minimum: 768) The maximum memory a cPanel process can use before it is killed off. This settings minimum value depends on the number of cPanel accounts on the system. If you don't have a memory constraint, you could try allocating a little more to this setting, and see if it improves your clients experience any. I really don't know why CSF/LFD insists in flagging all the PHP-FPM process as being a threat - although a malicious script could trigger an excessive use of the FPM resources. You can safely add the following regex to your /etc/csf/csf.pignore filepexe:/usr/local/cpanel/3rdparty/php/.*/sbin/php-fpm
    which will stop the false notifications, irrespective what internal PHP version cPanel installs. I hope this helps
    0
  • martin MHC
    Many thanks for your feedback, rpvw. It is appreciated. I should have clarified -- while I know there are a host of possible issues that cause a slow load of roundcube; working with the client we estabished it is not their ISP/ net connection, not their browser and not their cache. I will check out the memory setting as suggested. My query comes more from the _change_ in action -- that these warning notices didn't occur before and now are regular. I don't believe the system is compromised but I do think something has changed and was curious as to find out what, without simply ignoring the issue. Cheers
    0
  • rpvw
    The change may have been the action of upgrading WHM/cPanel to version 76 which installed the cPanel internal PHP version 7.2/PHP-FPM handler (I seem to remember cPanel used to use PHP5.6 and PHP-CGI in previous builds). The false trigger of the LFD mail will only happen if the internal FPM process uses more time/resources than LFD is configured to look for. If a user suddenly changes from say pop to IMAP and/or starts having a significantly higher number of mails files to read, the FPM process would be strained and the LFD trigger may fire. You might want to review what CSF/LFD settings you have that relate to the length of time a PHP script is permitted to run for before triggering a warning (PT_USERTIME), and/or what memory the process is permitted to use before warning (PT_USERMEM) - in fact; review all of the PT_ section carefully :) ***EDIT*** Have a look in your /etc/csf/csf.pignore file and look for an entry that looks anything like exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
    If you find an entry that looks anything like that, it may have been ignoring the processes under the old PHP/CGI already, and now you have a new PHP/FPM it is obviously not being blocked.
    0
  • martin MHC
    Many thanks for your help here. I did indeed find that the CGI PHP was being exempt but not the newer FPM PHP .
    0
  • cPanelLauren
    Great advice @rpvw I also want to note a good clue as to whether or not a process is malicious or not is to look at what it's got open. If it's got a bunch of unusual processes open then yes, be suspicious. In this case though looking at what's open: Files open by the process (if any): /usr/local/cpanel/base/3rdparty/roundcube/plugins
    It appears to be legitimate, this is a normal roundcube process. I'd be alarmed if it had something unrelated to roundcube, in somewhere like tmp.
    0
  • martin MHC
    @cPanelLauren true, I was aware that in this specific instance this was probably not a malicious process; I was looking more at why this instance should be ignored
    0
  • cPanelLauren
    Hi @martin MHC Port 587 is not an insecure port, while it can be used for unencrypted connections it's used widely for STARTTLS. If anything I'd prefer 587 over 465 at this juncture though both are commonly used. Some really interesting information/discussion on port differences as well as relevancy can be found here:
    0

Please sign in to leave a comment.