Suspicious File alert.
Hello,
I get a lot of firewall alerts; can anyone advise me on what I should do? Should I be worried?
Email Subject 1: lfd on cloud.domain.com: Suspicious process running under user hc
PID: 940496 (Parent PID: 770935)
Account: hc
Uptime: 79 seconds
Executable:
/usr/local/cpanel/3rdparty/php/83/sbin/php-fpm
Command line (often spoofed in exploits):
php-fpm: pool user_hc
Network connections by the process (if any):
tcp6: 0:0:0:0:0:0:0:1:33648 -> 0:0:0:0:0:0:0:1:587
Files opened by the process (if any):
/dev/null
/usr/local/cpanel/base/3rdparty/roundcube/index.php
/usr/local/cpanel/base/3rdparty/roundcube/plugins
/home/hc/etc/domain.com/invoicing.rcube.db
/home/hc/etc/domain.com//invoicing.rcube.db-wal
/home/hc/etc/domain.com//billing.rcube.db-shm
_________________________________________________
Email subject 2: lfd at cloud.domain.com: Resource overuse: hc (886969 (Parent PID: 794397))
Time: Tue Jan 14 12:36:10 2025 -0500
Account: hc
Resource: Processing time
Exceeded: 20218 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/536/bin/perl
Command line: spamd child
PID: 886969 (Parent PID:794397)
Killed: No
________________________________________________
Mail subject 3: lfd on cloud.domain.com: Suspicious process running under user hc
Time: Tue Jan 14 12:36:10 2025 -0500
PID: 886969 (Parent PID:794397)
Account: hc
Uptime: 20218 seconds
Executable:
/usr/local/cpanel/3rdparty/perl/536/bin/perl
Command line (often spoofed in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 127.0.0.1:48346
udp: 187.*.*.22:64357 -> 187.*.*.3:53
Files opened by the process (if any):
/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/536/bin/spamd
/usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/DNS/Resolver/Base.pm
/tmp/.spamassassin886969njGyU1tmp
______________________________________________________
What can I do about this? Do the three emails have anything in common?
-
Add these to /etc/csf/csf.pignore:
pexe:/usr/local/cpanel/3rdparty/php/.*/sbin/php-fpm
cmd:spamd child
and restart csf/lfd:
csf -ra
0 -
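Before silencing an alert, it is worth confirming that a csf.pignore entry covers exactly the process it is meant to cover and nothing broader. The helper below is an added example, not code from this thread or from CSF: it parses an lfd alert body and a pignore fragment and reports the first rule that would match, assuming lfd compares exe/cmd/user exactly and pexe/pcmd/puser as anchored regexes; the alert and pignore text are constructed samples.

```python
import re

# Constructed lfd alert body modelled on those quoted in the thread (not a real capture).
SAMPLE_ALERT = """\
Account: hc
Executable:
/usr/local/cpanel/3rdparty/perl/536/bin/perl
Command line (often spoofed in exploits):
spamd child
"""
# Constructed csf.pignore fragment holding the two entries from the reply.
SAMPLE_PIGNORE = """\
# comments and blank lines are skipped
pexe:/usr/local/cpanel/3rdparty/php/.*/sbin/php-fpm
cmd:spamd child
"""
FIELD_FOR = {"exe": "exe", "pexe": "exe", "cmd": "cmd", "pcmd": "cmd",
             "user": "user", "puser": "user"}  # alert field per directive

def parse_alert(text):
    """Extract user, executable and command line from an lfd alert body;
    the value may follow the label or sit on the next line."""
    lines, info = text.splitlines(), {}
    for i, line in enumerate(lines):
        label, _, rest = line.partition(":")
        if label == "Account":
            info["user"] = rest.strip()
        elif label == "Executable":
            info["exe"] = rest.strip() or lines[i + 1].strip()
        elif label.startswith("Command line"):
            info["cmd"] = rest.strip() or lines[i + 1].strip()
    return info

def parse_pignore(text):
    """Return (directive, value) pairs, skipping comments and blank lines."""
    rules = [ln.strip().partition(":") for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return [(kind.strip(), value.strip()) for kind, _, value in rules]

def matching_rule(alert, rules):
    """First pignore rule that would suppress the alert, or None. Approximates
    lfd: exact match for exe/cmd/user, anchored regex for pexe/pcmd/puser."""
    for kind, value in rules:
        target = alert.get(FIELD_FOR.get(kind, ""))
        exact = kind in ("exe", "cmd", "user") and target == value
        regex = (kind in ("pexe", "pcmd", "puser") and target is not None
                 and re.fullmatch(value, target))
        if exact or regex:
            return (kind, value)
    return None
```

A process with the same command line but a binary outside the cPanel path (for example one dropped under /tmp) does not match the pexe entry, which is the behaviour you want from an ignore rule.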
Thanks for the reply.
Does this bypass the warnings or solve the problem? Is this something I should be concerned about, since it alerted me to a possible exploit?
0 -
Those lines bypass the warnings, and those are safe to add because they are all normal processes.
0 -
Is this how it should look? See image below.
0 -
Looks right.
0 -
I receive many like this; is this normal? How do I resolve this?
Suspicious File Alert
Time: Wed Jan 15 17:37:26 2025 -0500
File: /tmp/.spamassassin21983W7JTs7tmp/.spamassassin
Reason: Suspicious directory
Owner: nobody:nobody (65534:65534)
Action: No action taken
0 -
Icaro Nadson - the "nobody" ownership just indicates that file is owned by Apache, which seems normal to me.
It's important to note that CSF/LFD is not a tool created or distributed by cPanel.
0 -
Thank you very much for everyone's support, you are helping me a lot.
0 -
You're very welcome!
0