Excessive resource usage and Suspicious process

adeyjones

• May 07, 2021 17:36

Hi all I get 2 emails on a nightly basis which are the following: Time: Fri May 7 10:13:24 2021 +0000 Account: xxx Resource: Process Time Exceeded: 32362 > 1800 (seconds) Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl Command Line: spamd child PID: 31780 (Parent PID:30465) Killed: No and Time: Fri May 7 20:44:41 2021 +0000 PID: 18318 (Parent PID:30465) Account: xxx Uptime: 11407 seconds Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl Command Line (often faked in exploits): spamd child Network connections by the process (if any): tcp: 127.0.0.1:783 -> 127.0.0.1:47914 Files open by the process (if any): /dev/null /usr/local/cpanel/logs/spamd_error_log /usr/local/cpanel/logs/spamd_error_log /usr/local/cpanel/3rdparty/perl/532/bin/spamd /home/surgeryweb/.razor/razor-agent.log /var/cpanel/locale/en.cdb /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm I have looked at various past threads on here and added the following to my csf.pignore file: pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl pcmd:spamd child
But none of these 3 lines have stopped the emails coming, how can I stop them? Thanks.

• 

  quietFinn

  • May 08, 2021 04:17

  pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl pcmd:spamd child
  

  
  Maybe it should be: cmd:spamd child
  EDIT: Never mind pcmd:spamd child
  and cmd:spamd child
  are the same.

  0
• 

  adeyjones

  • May 08, 2021 09:52

  Maybe it should be: cmd:spamd child
  EDIT: Never mind pcmd:spamd child
  and cmd:spamd child
  are the same.

  
  Thanks for the reply, it may not be the same after all as i've just found this other (fairly recent) thread () that advises to use cmd:spamd child
  so i'll see if I get any more emails in the next 12-24 hours.

  0
• 

  adeyjones

  • May 10, 2021 11:16

  Nope unfortunately I am still getting these: Time: Mon May 10 11:14:26 2021 +0000 Account: xxx Resource: Process Time Exceeded: 36254 > 1800 (seconds) Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl Command Line: spamd child PID: 13403 (Parent PID:12587) Killed: No Time: Mon May 10 11:14:26 2021 +0000 PID: 13403 (Parent PID:12587) Account: xxx Uptime: 36254 seconds Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl Command Line (often faked in exploits): spamd child Network connections by the process (if any): tcp: 127.0.0.1:783 -> 127.0.0.1:39614 Files open by the process (if any): /dev/null /usr/local/cpanel/logs/spamd_error_log /usr/local/cpanel/logs/spamd_error_log /usr/local/cpanel/3rdparty/perl/532/bin/spamd /var/cpanel/locale/en.cdb /usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

  0
• 

  cPRex Jurassic Moderator

  • May 10, 2021 13:38

  Hey there! These emails are generated by CSF and isn't something that is controlled by cPanel. Since you have already tried adding values to the ignore list, it might be worth contacting the CSF team directly (ConfigServer Technical Support) to see if there is an issue there, or if they would recommend a different configuration.

  0

Please sign in to leave a comment.