Suspicious process running under user
Hello,
I've started getting messages about a suspicious process running under user -
[QUOTE]Time: Fri Sep 19 09:27:09 2014 +0100
PID: 27257 (Parent PID:27248)
Account: colinwat
Uptime: 3701 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
At the same time, another message is generated referencing Excessive resource usage for the same account.
[QUOTE]Time: Fri Sep 19 09:27:09 2014 +0100
PID: 27257 (Parent PID:27248)
Account: colinwat
Uptime: 3701 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:38025
udp: 138.128.161.22:4806 -> 8.8.8.8:53
A quick Google search suggested that this is something to do with SpamAssassin? I've been in touch with my host support, but they advise it is not anything to do with SpamAssassin. They've responded with the following -
[QUOTE]You can ignore these warnings. There is nothing to do with spamassassin. The process you need to kill and the user to be blocked are mentioned in the warning itself.
Not the most helpful of responses I've ever had. I assume the process is something called spamd? I don't know where I would find that, or if the advice to switch it off is appropriate? Also, I have no idea what they mean by the "user to be blocked"? Who are they talking about? Hope someone can advise. :)
Myles
Hey, is your account 'colinwat' receiving more emails? spamd is the daemon which is needed for SpamAssassin to function. I guess spamd is being used more with respect to your account colinwat, which should mean your account is receiving more emails, and if the spam mails are being blocked by SpamAssassin, then you should be good to ignore these warnings.
Hello :) This is a common occurrence. You will find several threads on this topic by searching for "spamd lfd" on our forums or by searching for "LFD spamd site:forums.cpanel.net" on Google. Please keep in mind that LFD is developed by ConfigServer, so their forums are often a better resource. Thank you.
[quote="triantech, post: 1733432"]Hey, is your account 'colinwat' receiving more emails? spamd is the daemon which is needed for SpamAssassin to function. I guess spamd is being used more with respect to your account colinwat, which should mean your account is receiving more emails, and if the spam mails are being blocked by SpamAssassin, then you should be good to ignore these warnings.
There are four mailboxes on that account. I've just had a quick look but there are only about 20 spam messages in total! SpamAssassin is enabled but not sure why it would get excited about that volume. I've had lots of messages come down for most of the other accounts now. But again, not really any more spam than on any other day! It seems to have stopped now. So I'll see what happens next if anything! :)
- - - Updated - - -
[quote="cPanelMichael, post: 1733501"]Hello :) This is a common occurrence. You will find several threads on this topic by searching for "spamd lfd" on our forums or by searching for "LFD spamd site:forums.cpanel.net" on Google. Please keep in mind that LFD is developed by ConfigServer, so their forums are often a better resource. Thank you.
OK thanks Michael, I'll try those search terms. I've also now joined the ConfigServer forum! :)
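A triage sketch for the LFD alert quoted in this thread, added here as an example (it is not part of any poster's message and is not LFD or cPanel code). It parses the alert and checks whether the "often faked" command line is corroborated by the other fields; the three heuristics (executable under /usr/local/cpanel/, a socket on 127.0.0.1:783, only loopback or DNS peers) and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the alert text as quoted in the thread.
ALERT = """\
Time: Fri Sep 19 09:27:09 2014 +0100
PID: 27257 (Parent PID:27248)
Account: colinwat
Uptime: 3701 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:38025
udp: 138.128.161.22:4806 -> 8.8.8.8:53
"""

SPAMD_PORT = 783  # spamd's default port; matches the alert's 127.0.0.1:783
CONN = re.compile(r"^(tcp|udp): (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alert(text):
    """Return the executable, claimed command line and connection tuples."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    out = {"exe": None, "cmdline": None, "conns": []}
    for i, line in enumerate(lines):
        if line == "Executable:" and i + 1 < len(lines):
            out["exe"] = lines[i + 1]
        elif line.startswith("Command Line") and i + 1 < len(lines):
            out["cmdline"] = lines[i + 1]
        m = CONN.match(line)
        if m:
            proto, lip, lport, rip, rport = m.groups()
            out["conns"].append((proto, lip, int(lport), rip, int(rport)))
    return out

def triage(alert):
    """List findings that do not fit a local spamd child (assumed heuristics)."""
    findings = []
    if not (alert["exe"] or "").startswith("/usr/local/cpanel/"):
        findings.append("executable outside cPanel tree: %s" % alert["exe"])
    if not any(c[1] == "127.0.0.1" and c[2] == SPAMD_PORT for c in alert["conns"]):
        findings.append("no socket on 127.0.0.1:%d" % SPAMD_PORT)
    for proto, lip, lport, rip, rport in alert["conns"]:
        local_peer = rip.startswith("127.") or rip == "0.0.0.0"
        if not local_peer and rport != 53:  # DNS lookups treated as expected
            findings.append("remote peer %s:%d over %s" % (rip, rport, proto))
    return findings
```

An empty list from `triage(parse_alert(ALERT))` means the alert's fields are consistent with a spamd child, not that the process is proven benign.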