Receiving excessive Emails for "Suspicious Process Running under user mongod" and "Excessive Resource Usage" – Need Help!
Dear all,
I recently purchased JetBackup through cPanel.com, and I’ve been facing an issue where I receive over 60 emails per day reporting a "Suspicious process running under user mongod" as well as "Excessive resource usage: mongod". Here is a snippet from one of the emails:
Time: Fri Oct 11 16:00:42 2024 +0200
PID: 2072 (Parent PID:2072)
Account: mongod
Uptime: 78065 seconds
Executable:
/usr/local/jetapps/usr/bin/mongod
Command Line (often faked in exploits):
/usr/local/jetapps/usr/bin/mongod --quiet -f /usr/local/jetapps/etc/mongod.conf run
Network connections by the process (if any):
tcp: 127.0.0.1:27217 -> 127.0.0.1:44274
tcp: 127.0.0.1:27217 -> 127.0.0.1:41278
tcp: 127.0.0.1:27217 -> 127.0.0.1:44394
...
Excessive resource usage: mongod
Time: Fri Oct 11 16:00:42 2024 +0200
Account: mongod
Resource: Process Time
Exceeded: 78065 > 1800 (seconds)
Executable: /usr/local/jetapps/usr/bin/mongod
Command Line: /usr/local/jetapps/usr/bin/mongod --quiet -f /usr/local/jetapps/etc/mongod.conf run
PID: 2072 (Parent PID:2072)
Killed: No
It seems like the mongod process from JetBackup is triggering these alerts for excessive process time and suspicious behavior. The emails indicate that the process is not being killed, but the alerts are persistent, and it's consuming significant resources.
I would appreciate guidance on how to resolve this issue. Is this normal behavior for the mongod process used by JetBackup? Should I adjust any configurations or whitelist this process in my security settings? Or is there an underlying issue that needs to be addressed with resource usage?
Any help or insight would be greatly appreciated!
Thanks in advance for your assistance.
Best regards,
Steve
-
Hey there! This is normal behavior from the process, yes, so you'll likely want to whitelist that in CSF:
Details on that can be found here, as this isn't a cPanel product: https://www.knownhost.com/kb/common-csf-lfd-false-positives-and-how-to-stop-the-notifications/
1 -
Thank you so much cPRex.
0 -
Sure thing!
0
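The whitelisting suggested in the answer above, as an added example (not from the thread, cPanel or JetBackup): it reads the Executable path out of an LFD alert and adds it as an `exe:` line to CSF's process-tracking ignore file, assumed to be at the default `/etc/csf/csf.pignore`. It matches on the binary path rather than the command line, which the alert itself flags as often faked; the function names are hypothetical.

```shell
# Added example: turn an LFD alert into csf.pignore "exe:" lines.

# Print the executable path(s) named in an LFD alert read on stdin.
# Handles both layouts in the question: "Executable: /path" on one line,
# and "Executable:" with the path on the following line.
lfd_alert_exes() {
    awk '
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }
        /^Executable:/ {
            sub(/^Executable:[ \t]*/, "")
            if ($0 != "") { print; want = 0 } else { want = 1 }
            next
        }
        want && /^\// { print }
        { want = 0 }
    ' | sort -u
}

# Append "exe:<path>" for each path unless that exact line already exists.
# $1 = alert file; $2 = ignore file (assumed default /etc/csf/csf.pignore).
pignore_add_from_alert() {
    pignore=${2:-/etc/csf/csf.pignore}
    lfd_alert_exes < "$1" | while IFS= read -r exe; do
        entry="exe:$exe"
        # -x whole line, -F literal: the path is never treated as a regex
        if ! grep -qxF -e "$entry" "$pignore" 2>/dev/null; then
            printf '%s\n' "$entry" >> "$pignore"
            echo "added $entry"
        fi
    done
}

# Demo on fragments of the two alerts quoted in the question, using temp files.
demo() {
    d=$(mktemp -d)
    cat > "$d/alert.txt" <<'EOF'
Executable:
/usr/local/jetapps/usr/bin/mongod
Command Line (often faked in exploits):
/usr/local/jetapps/usr/bin/mongod --quiet -f /usr/local/jetapps/etc/mongod.conf run
Executable: /usr/local/jetapps/usr/bin/mongod
EOF
    pignore_add_from_alert "$d/alert.txt" "$d/csf.pignore"
    pignore_add_from_alert "$d/alert.txt" "$d/csf.pignore"   # second run adds nothing
    cat "$d/csf.pignore"
    rm -rf "$d"
}
demo
```

On a real server, run `pignore_add_from_alert` as root against the real ignore file and then restart lfd (for example with `csf -ra`) so the new entry is read.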