Suspicious process running under user ****
Could you please help: I'm getting a lot of emails like this:
--
Time: Wed Apr 15 08:31:45 2015 +0200
PID: 21586 (Parent PID:28155)
Account: *****
Uptime: 24683 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line (often faked in exploits):
spamd child
- Snipped -
-
I'm guessing that SpamAssassin has done an update, and hasn't refreshed correctly due to running files. Restarting spamd has fixed this issue for me in the past. From a console try the following:
/scripts/restartsrv_spamd
Then restart exim:
/etc/rc.d/init.d/exim restart
-
I got this:
/usr/local/cpanel/scripts/update_sa_rules: running in background 28031
-
That's what I get also. Keep an eye on your logs and see if the spamd errors have now subsided.
-
Hello,
This is a common occurrence. You will find several threads on this topic by searching for "spamd lfd" on our forums or by searching for "LFD spamd site:forums.cpanel.net" on Google. Please keep in mind that LFD is developed by ConfigServer, so their forums are often a better resource.
Thank you.
-
I am getting mails like this:
Time: Thu May 14 02:47:05 2015 +0530
PID: 14548 (Parent PID:14547)
Account: exlmart
Uptime: 62 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/exlmart/public_html/index.php
Network connections by the process (if any):
tcp: 72.55.164.248:44832 -> 103.21.59.28:80
-
Ravidev: I think your email subject is also Suspicious process found. And I think that this: "Uptime: 62 seconds" tells where to look. It probably means you set in the ConfigServer firewall configuration that CSF should report processes running more than 60 seconds. Look into the CSF configuration, and I think the option you are looking to set to zero to disable this process watching is "PT_LIMIT". Not sure if it's a good idea to disable this process watching; maybe better to somehow discover why scripts on that account take so long to complete. You may look up that cPanel account's scripts if not in WHM "Server Status" Daily Process Log
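
An added example (not part of the thread and not ConfigServer's code): a small Python parser for the alert layout quoted above, which extracts the fields and applies two sanity checks before anyone changes the firewall configuration. The sample alert is constructed, and the `limit` parameter is a hypothetical stand-in for the 60-second reporting threshold guessed at in the last reply.

```python
import re

# Constructed sample in the layout of the alerts quoted in this thread (placeholder account and addresses).
SAMPLE_ALERT = """\
Time: Thu May 14 02:47:05 2015 +0530
PID: 14548 (Parent PID:14547)
Account: exampleuser
Uptime: 62 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/exampleuser/public_html/index.php
Network connections by the process (if any):
tcp: 192.0.2.10:44832 -> 198.51.100.28:80
"""

CONN = re.compile(r"^(tcp|udp)6?:\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

def parse_alert(text):
    """Return the alert fields as a dict; some values sit on the line after their label."""
    out, pending = {"connections": []}, None
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("-")]
    for line in lines:
        m = CONN.match(line)
        if m:
            out["connections"].append({"src": f"{m[2]}:{m[3]}", "dst": f"{m[4]}:{m[5]}"})
        elif pending:
            out[pending], pending = line, None
        else:
            label, _, value = line.partition(":")
            key = re.sub(r"\s*\(.*\)", "", label).strip().lower()
            if value.strip():
                out[key] = value.strip()
            elif not key.startswith("network"):
                pending = key  # value is on the next line
    pid = re.match(r"(\d+)\s*\(Parent PID:\s*(\d+)\)", out.get("pid", ""))
    if pid:
        out["pid"], out["ppid"] = int(pid[1]), int(pid[2])
    out["uptime"] = int(out.get("uptime", "0").split()[0])
    return out

def triage(alert, limit=60):
    """limit is a hypothetical stand-in for the reporting threshold guessed at in the thread."""
    notes = []
    if 0 <= alert["uptime"] - limit <= 10:
        notes.append("uptime just over limit: find out why the script ran this long")
    if not alert.get("command line", "").startswith(alert.get("executable", "\0")):
        notes.append("command line does not name the executable: rely on the Executable path")
    notes += [f"outbound connection to {c['dst']}" for c in alert["connections"]]
    return notes
```

Running `triage(parse_alert(...))` on the spamd alert from the first post yields only the command-line note, since "spamd child" is a process title rather than the perl path in the Executable field.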