cpaneleximscanner
Hi,
I have a client account that was experiencing problems on a server. I took this account and transferred it to a VPS to analyze the behavior of the account. After that I started receiving alerts ... (see below)
----------------------------------
Email subject:
lfd on "my.domainxxxxxserver": Suspicious process running under user cpaneleximscanner
Message email:
==========
Time: Thu Jan 26 13:26:49 2017 -0200
Account: cpaneleximscanner
Resource: Virtual Memory Size
Exceeded: 231 > 200 (MB)
Executable: /usr/local/cpanel/3rdparty/perl/522/bin/perl
Command Line: spamd child
PID: 31303 (Parent PID:14540)
Killed: No
What could be happening?
-
Hello, It's likely that's a false positive from your CSF/LFD application. "cpaneleximscanner" is a normal user on the system as part of SpamAssassin. Thank you. 0 -
Hi Michael, but how can I be sure it's a "false positive"? Because this account was giving trouble on the other server and it's giving in this too. Thank you. 0 -
Hello, You may want to review /var/log/exim_mainlog to see if the account is sending out SPAM and thus increasing the SpamAssassin CPU usage as it scans outgoing email for SPAM. Thank you. 0 -
Hi, Michael. Looks like they're trying to send spam. How to fix this problem? This happened after installing this account. Did it infect the entire server? See the / var / log / exim_mainlog below ... ================ Displaying the last 30 lines of /var/log/exim_mainlog... [Removed - Please ensure real domain names and IP addresses are excluded from the log output] ...Done. 0 -
Hello, The following document should help you get started: How to Prevent Email Abuse - cPanel Knowledge Base - cPanel Documentation Additionally, you can review the threads under the following URL to see examples of how other users address outgoing SPAM: outgoingspam | cPanel Forums Thank you. 0 -
Michael, thanks for the help and the totorial Thanks :D 0 -
Hi, If any account is involved in spamming activity, you can find the details in the exim_mainlog file where you can search relevant entries like public_html to display the activity, if any, from the accounts. This will also point you the directory from where this activity is being performed, so you can look into the directory and check what is actually triggering this. 0
Please sign in to leave a comment.
Comments
7 comments