Suspicious symlink /var/cpanel/userhomes/cpanelhorde/cache/

sonicsam

• March 17, 2014 04:20

On one server I am getting there alerts from lfd Time: Mon Mar 17 08:51:41 2014 +0000 File: /tmp/magick-9835P9R4q1nt07zi Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU) Owner: cpanelhorde:cpanelhorde (32002:32002) Action: Symlink removed and the following which looks related Time: Mon Mar 17 08:50:06 2014 +0000 Account: cpanelhorde Resource: Virtual Memory Size Exceeded: 163 > 150 (MB) Executable: /usr/bin/gs Command Line: gs -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pbmraw -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -sOutputFile=/tmp/magick-9835g9FUUa1bKsP9%d -f/tmp/magick-9835ZnLCRVzhvJce -f/tmp/magick-9835P9R4q1nt07zi PID: 9838 (Parent PID:9835) Killed: No I am running 11.42.0.21 and I am assuming this is to do with the security issue [security] Fixed case 84385: Arbitrary code execution as cpanel-horde user via cache file poisioning. Can I assume then that my install in not vulnerable and ignore these alerts?

• 

  cPanelMichael

  • March 18, 2014 12:34

  [quote="sonicsam, post: 1597482">Time: Mon Mar 17 08:51:41 2014 +0000 File: /tmp/magick-9835P9R4q1nt07zi Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU) Owner: cpanelhorde:cpanelhorde (32002:32002) Action: Symlink removed
  A "/tmp/magick" file would typically indicate the use of Imagemagick. Is it installed on your system? Also, I may be misunderstanding the LFD output, but the alert seems to indicate the imagemagick tmp file was symbolically linked to the Horde cache file. Have you checked with support for LFD to verify that? Thank you.

  0
• 

  tuibm

  • April 08, 2014 05:46

  [quote="sonicsam, post: 1597482">On one server I am getting there alerts from lfd Time: Mon Mar 17 08:51:41 2014 +0000 File: /tmp/magick-9835P9R4q1nt07zi Reason: Suspicious symlink (->/var/cpanel/userhomes/cpanelhorde/cache/imgLU2CvU) Owner: cpanelhorde:cpanelhorde (32002:32002) Action: Symlink removed and the following which looks related Time: Mon Mar 17 08:50:06 2014 +0000 Account: cpanelhorde Resource: Virtual Memory Size Exceeded: 163 > 150 (MB) Executable: /usr/bin/gs Command Line: gs -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 -sDEVICE=pbmraw -dTextAlphaBits=4 -dGraphicsAlphaBits=4 -r72x72 -sOutputFile=/tmp/magick-9835g9FUUa1bKsP9%d -f/tmp/magick-9835ZnLCRVzhvJce -f/tmp/magick-9835P9R4q1nt07zi PID: 9838 (Parent PID:9835) Killed: No
  Hello, Im having the same issue, did you find the cause of this? THanks

  0
• 

  cPanelMichael

  • April 08, 2014 16:17

  The user did not update the thread, but I did send a response (it's the post above yours) that would apply if you notice the same issue. Let me know if that post helps. Thank you.

  0
• 

  markhubert

  • April 18, 2014 16:26

  We're getting this warning as well. cPanelMichael: I've not been able to find an LFD support... ConfigServ dude has nothing. That said, not really sure what the Login Failure Daemon (LFD) would have to do with suspicious file identification.... Any other suggestions? I'd really like to get this to stop as it's generating three emails every hour. Thanks

  0
• 

  cPanelMichael

  • April 18, 2014 16:41

  [quote="markhubert, post: 1624761">That said, not really sure what the Login Failure Daemon (LFD) would have to do with suspicious file identification....
  The alert in question stems from LFD, not cPanel. The CSF forums are located here: CSF/LFD - Support Forums Thank you.

  0
• 

  markhubert

  • April 18, 2014 16:52

  yeah. A search of this the CSF/LFD forum returns nothing. thanks

  0
• 

  pkiff

  • November 21, 2014 18:17

  Reviving this old thread because I ran into these warning alerts from CSF today, and I think I can add a bit more of an explanation. Like markhubert, I did a search on the CSF/LFD forum and found nothing, so there's no help coming from there, unless you have a paid support version of CSF. I believe this alert is simply the result of imagemagick using a lot of memory during a regular image processing job. In my case, the warning appeared when the server was being asked to process an 8MB file, and produce a JPEG, and the virtual memory pushed over 150MB to do it. The error was not associated with the horde user in my case but with a regular user account. Similar jobs on files that were 1-2MB did not exceed that memory limit. Now, when this memory burst happens, I think probably imagemagick starts to swap data from memory to disk and THAT probably creates temporary symlinks to temporary files when it does so. My theory is that this is what triggers the CSF/LFD warning. Or maybe it is because the symlinks get created when the files are moved from your temp folder into your file structure, and it is merely the size of the temp file being symlinked that arouses suspicion. I'm not sure. To stop these warnings, you can probably configure your CSF/LFD to ignore these files in the tmp directory, though I'm not sure that's a good idea. A better approach might be to change the policies on your imagemagick installation to place additional memory limits on the magick convert processes. I haven't yet tried either of these solutions, so this is just speculation. For more information about changing imagemagick policies on memory limits, see: Convert uses too much memory [url=http://studio.imagemagick.org/discourse-server/viewtopic.php?f=1&t=23772]Convert uses too much memory - ImageMagick Policy.xml details on the Customize ImageMagick With Resources page: [url=http://www.imagemagick.org/script/resources.php]ImageMagick: Resources

  0

Please sign in to leave a comment.