rpcbind opened new server ports after cPanel update?
I have 2 DNSonly vpses:
Centos7.3 x86 cPanel 64.0.21 (both vpses)
Yesterday these VPSes ran an update of these packages:
Package libtirpc.x86_64 0:0.2.4-0.8.el7_3 will be an update
Package rpcbind.x86_64 0:0.2.0-38.el7 will be updated
Package rpcbind.x86_64 0:0.2.0-38.el7_3 will be an update
After this update I have strange messages like:
-------------------------------------------------
Executable:
/usr/sbin/rpcbind
Command Line (often faked in exploits):
/sbin/rpcbind -w
Network connections by the process (if any):
tcp6: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:907 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:907 -> 0.0.0.0:0
--------------------------------------
Executable:
/usr/sbin/rpcbind
Command Line (often faked in exploits):
/sbin/rpcbind -w
Network connections by the process (if any):
tcp6: 0.0.0.0:111 -> 0.0.0.0:0
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:834 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:834 -> 0.0.0.0:0
------------------------------------------------
I noticed that now the server has these ports open:
111, 834 in one vps
111, 907 in the second vps!
I see this documentation about
-
Same thing for me.
Time: Tue May 23 13:56:35 2017 -0400
PID: 15166 (Parent PID:15166)
Account: rpc
Uptime: 21725 seconds
Executable:
/usr/sbin/rpcbind
Command Line (often faked in exploits):
/sbin/rpcbind -w
Network connections by the process (if any):
tcp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:111 -> 0.0.0.0:0
udp: 0.0.0.0:925 -> 0.0.0.0:0
udp6: 0.0.0.0:111 -> 0.0.0.0:0
udp6: 0.0.0.0:925 -> 0.0.0.0:0
tcp6: 0.0.0.0:111 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/run/rpcbind.lock
Memory maps by the process (if any):
started last night
I came here looking to see if anyone else is getting these. Yeah, CentOS / RH just updated those two packages and now I'm getting these CSF messages every hour.
Hello,
The rpcbind package is installed through YUM as part of CentOS 7, and I do see on a test system that it was recently updated:
# grep rpcbind /var/log/yum.log
May 23 05:41:05 Updated: rpcbind-0.2.0-38.el7_3.x86_64
There's a recent discussion on this topic at: SOLVED - rpcbind got installed.
Thank you.
Hello @cPanelMichael!
So we can disable it without causing any problem for our DNSonly cPanel servers? We just do this:
systemctl disable rpcbind
Is it better to disable this or remove it? I notice that rpcbind requires quota that cpanel-perl-524-Quota-1.7.2-1.cp1162.x86_64 requires.
rpm -q --whatrequires rpcbind
quota-4.01-14.el7.x86_64
rpm -q --whatrequires quota
quota-devel-4.01-14.el7.x86_64
cpanel-perl-524-Quota-1.7.2-1.cp1162.x86_64
If I disable it, will I have a malfunction? I don't want to break the system, but I don't want to have ports open that I don't need, for security purposes! I have DNSonly VPSes with those ports:
netstat -tulpen
tcp 0 0 0.0.0.0:2095 0.0.0.0:* LISTEN 0 11850859 21337/cpsrvd (SSL)
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 11645463 1/systemd
tcp 0 0 0.0.0.0:2096 0.0.0.0:* LISTEN 0 11850862 21337/cpsrvd (SSL)
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 0 11442227 12466/exim
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 6101461 17991/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 11442223 12466/exim
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25 6101466 17991/named
tcp 0 0 0.0.0.0:2082 0.0.0.0:* LISTEN 0 11850857 21337/cpsrvd (SSL)
tcp 0 0 127.0.0.1:579 0.0.0.0:* LISTEN 0 11850300 21381/cPhulkd - pro
tcp 0 0 0.0.0.0:2083 0.0.0.0:* LISTEN 0 11850860 21337/cpsrvd (SSL)
tcp 0 0 0.0.0.0:2086 0.0.0.0:* LISTEN 0 11850858 21337/cpsrvd (SSL)
tcp 0 0 0.0.0.0:2087 0.0.0.0:* LISTEN 0 11850861 21337/cpsrvd (SSL)
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 0 11442225 12466/exim
tcp6 0 0 :::111 :::* LISTEN 0 11645462 1/systemd
tcp6 0 0 :::465 :::* LISTEN 0 11442226 12466/exim
tcp6 0 0 :::25 :::* LISTEN 0 11442222 12466/exim
tcp6 0 0 :::3306 :::* LISTEN 993 16400 891/mysqld
tcp6 0 0 :::587 :::* LISTEN 0 11442224 12466/exim
udp 0 0 127.0.0.1:323 0.0.0.0:* 996 15373 627/chronyd
udp 0 0 0.0.0.0:907 0.0.0.0:* 0 11646081 30836/rpcbind
udp 0 0 127.0.0.1:53 0.0.0.0:* 25 6101460 17991/named
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 11646080 30836/rpcbind
udp6 0 0 ::1:323 :::* 996 15374 627/chronyd
udp6 0 0 :::907 :::* 0 11646083 30836/rpcbind
udp6 0 0 :::111 :::* 0 11646082 30836/rpcbind
Thank you!
Hello,
You can disable the service with the following commands on CentOS 7:
systemctl disable rpcbind.service
service rpcbind stop
I don't recommend removing the RPM itself, as it has several dependencies with packages such as quota and dovecot.
Thank you.
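
Added example, not part of the thread: a check to run after disabling the service, to confirm the ports are actually closed. In the netstat output quoted above, TCP 111 is held by PID 1 (systemd) rather than by rpcbind, so the check matches on port 111 as well as on the process name. The function names are hypothetical and the sample rows are a constructed subset of that output.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -tulpen` text on stdin and
# prints every non-loopback socket that is owned by rpcbind or bound to port 111.
rpc_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      # TCP rows carry a State column (LISTEN); UDP rows do not, so the
      # PID/Program column is field 9 for TCP and field 8 for UDP.
      idx = ($1 ~ /^tcp/) ? 9 : 8
      prog = $idx
      sub(/^[0-9]+\//, "", prog)          # "30836/rpcbind" -> "rpcbind"
      n = split($4, part, ":")            # port is the text after the last ":"
      port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next   # loopback only: not exposed
      if (prog == "rpcbind" || port == "111")
        printf "%s %s %s %s\n", $1, addr, port, prog
    }'
}

# Constructed sample: a subset of the netstat rows quoted in the thread.
SAMPLE='tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 11645463 1/systemd
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 6101461 17991/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 11442223 12466/exim
tcp6 0 0 :::111 :::* LISTEN 0 11645462 1/systemd
udp 0 0 127.0.0.1:323 0.0.0.0:* 996 15373 627/chronyd
udp 0 0 0.0.0.0:907 0.0.0.0:* 0 11646081 30836/rpcbind
udp 0 0 0.0.0.0:111 0.0.0.0:* 0 11646080 30836/rpcbind
udp6 0 0 :::907 :::* 0 11646083 30836/rpcbind'

# Returns 1 (and lists the sockets) when any such socket remains, so the
# function can gate a hardening check; returns 0 when none are left.
check_rpcbind_closed() {
  found=$(rpc_listeners)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

printf '%s\n' "$SAMPLE" | check_rpcbind_closed || echo "rpcbind still reachable"
```

On a live host, pipe the real output in instead of the sample: `netstat -tulpen | check_rpcbind_closed`.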