cPanel process trying to contact digital ocean server every hour?
I'm logging failures in messages.log:
Apr 19 03:40:01 * kernel: [8037514.324554] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64659 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:02 * kernel: [8037515.324066] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64660 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:06 * kernel: [8037519.351180] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35930 DF PROTO=TCP SPT=40152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 03:40:07 * kernel: [8037520.351071] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35931 DF PROTO=TCP SPT=40152 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:02 * kernel: [8080715.174015] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16265 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:03 * kernel: [8080716.176061] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16266 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:07 * kernel: [8080720.395095] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64397 DF PROTO=TCP SPT=47660 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:08 * kernel: [8080721.395103] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64398 DF PROTO=TCP SPT=47660 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
UID 502 = cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell
Looks like a cron job calling that IP, but it's not listed in .HttpRequest:
NetRange: 67.207.64.0 - 67.207.95.255
CIDR: 67.207.64.0/19
NetName: DIGITALOCEAN-67-207-64-0
I have that netrange blocked because of repeated intrusion attempts from many, many different IPs on that range of Digital Ocean.
Anyone have any idea what this might be? Legitimate or not?
Hello, I'm unsure why your server would be attempting to reach that IP address. It's not something associated with cPanel, but it is clearly attempting to connect over port 443 ("DPT=443"). What's the GID 513 associated with? cPanel's UID and GID are usually the same. You should be able to get any groups the cpanel user belongs to with: id cpanel
Lauren: Thanks for letting me know it wasn't cPanel. Love the fact that UIDs aren't unique. Turns out that another user has the same UID - 502 (but a different GID, of course). It took hours of digging to find it was an RSS aggregator from a web site being updated hourly - or not being updated in this case. The crazy part was that while watching htop at the appointed time, that /var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell process showed up. I guess the php process handling the RSS feed wouldn't show up as anything other than an httpd or mysqld process, where the user that calls the process is hidden in that htop display. I can't see the entire command anyway; if it was there it was off the screen.
Thanks for letting me know it wasn't cPanel. Love the fact that UIDs aren't unique. Turns out that another user has the same UID - 502 (but a different GID, of course).
No, you're simply reading it wrong; there are no users in the system that have the same UID. Look at your output again: "UID 502 = cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell"
The cpanel user has UID 32001 and GID 502. Let's break down your line:
cpanel # username
x # indicates password is stored in /etc/shadow
32001 # UID
502 # GID
EMPTY # user ID info
/var/cpanel/userhomes/cpanel # home dir
/usr/local/cpanel/bin/noshell # command/shell
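An added example, not code from the thread, of the lookup that avoids the UID/GID mix-up discussed here: it pulls the UID and GID fields out of the kernel firewall lines and resolves each against its own file (passwd for UID, group for GID) before counting blocked egress per owner and destination. The cpanel passwd line is the one quoted above; the "examplesite" account, the group entries and the two log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample: two of the kernel lines from the thread (source IP masked as in the post).
LOG_LINES = """\
Apr 19 03:40:01 * kernel: [8037514.324554] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64659 DF PROTO=TCP SPT=40114 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
Apr 19 15:40:02 * kernel: [8080715.174015] Firewall: *TCP_OUT Blocked* IN= OUT=eth5 SRC=**.**.**.** DST=67.207.68.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=16265 DF PROTO=TCP SPT=47624 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=502 GID=513
"""
# Constructed /etc/passwd excerpt: the real cpanel line from the thread plus a
# hypothetical site account that actually owns UID 502.
PASSWD = """\
cpanel:x:32001:502::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell
examplesite:x:502:513::/home/examplesite:/bin/bash
"""
# Constructed /etc/group excerpt (GID 502 is cpanel's group, 513 the site's).
GROUP = """\
cpanel:x:502:
examplesite:x:513:
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE tokens; bare flags like DF/SYN are skipped

def parse_firewall_line(line):
    """Return the KEY=VALUE fields after 'Blocked*' as a dict, or None for other lines."""
    if "Firewall:" not in line or "Blocked*" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("Blocked*", 1)[1]))

def load_id_map(text, id_field):
    """Map numeric id -> name for passwd (id_field=2 is UID) or group (id_field=2 is GID) text."""
    names = {}
    for row in text.splitlines():
        f = row.split(":")
        if len(f) > id_field and f[id_field].isdigit():
            names[int(f[id_field])] = f[0]
    return names

def attribute_blocked_egress(log_text, passwd_text, group_text):
    """Count blocked outbound SYNs per (user, group, DST, DPT), resolving UID and GID separately."""
    users, groups = load_id_map(passwd_text, 2), load_id_map(group_text, 2)
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_firewall_line(line)
        if not f or not f.get("OUT"):      # skip non-firewall and inbound (OUT=) lines
            continue
        user = users.get(int(f["UID"]), "uid " + f["UID"])
        group = groups.get(int(f["GID"]), "gid " + f["GID"])
        hits[(user, group, f["DST"], f["DPT"])] += 1
    return hits

if __name__ == "__main__":
    for key, n in attribute_blocked_egress(LOG_LINES, PASSWD, GROUP).items():
        print(n, "blocked: user=%s group=%s -> %s:%s" % key)
```

Resolving the two ids against the right files is what shows that UID 502 in the log is the site account, while 502 in the cpanel passwd line is only its GID.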
If you know the exact time this occurs, what about the cron log? If you haven't checked that yet you might find it at /var/log/cron.log
Thanks. As I've already mentioned above, I did figure out what was going on. Yes, originally I did confuse cPanel's GID (502) with another user's UID (502). Part of that issue was not being able to see the complete command happening in htop. However, I also discovered that there's no guarantee that multiple users can't have the same UID - in fact they can and in certain situations do. Lots of discussion of that on serverfault. I did check cron, but the connection attempt wasn't made directly by a cron job but rather by a php function in a CMS. In any case, the issue is solved. Thanks again for your help.
Ahh, that makes sense. I am sorry I missed the part where you'd indicated you'd found the solution. I'm glad to hear it and I'm glad the issue is resolved for you.