Coredump attack
I'm getting a ton of coredumps on cphttpd.
These are clearly from IPs that are doing requests to the server just for this, as I can't find them anywhere else in the logs.
Looked in:
- exim_mainlog
- maillog
- /etc/apache/logs
- /etc/apache/domlogs
- messages
- doesn't have nginx so, didn't go to /var/log/nginx
Doing coredumpctl info I got them, fortunately.
I'm on cPanel/WHM 134 and I just did updates on both cPanel and the OS (including kernel) and I'm still getting these coredump attacks.
Example:
PID: 82221 (cphttpd - servi)
UID: 0 (root)
GID: 0 (root)
Signal: 11 (SEGV)
Timestamp: Tue 2026-04-14 22:01:20 WEST (23s ago)
Command Line: cphttpd - serving 17.22.253.158
Executable: /usr/local/cpanel/cpsrvd
Control Group: /system.slice/cpanel.service
Unit: cpanel.service
Slice: system.slice
Boot ID: f95051070bf34f3db0ccb403953d416c
Machine ID: f53dc7eb0d6b4db899b9f902dde179d6
Hostname: leo.xxxxxxxxxxx.net
Storage: none
Message: Process 82221 (cphttpd - servi) of user 0 dumped core.
The one-liner has helped me a lot, so if you're also in trouble, use this (with CSF, sorry):
coredumpctl -r --no-pager info | grep serving | awk '{ print $6 }' | awk -F. '{ print $1"."$2"."$3".0/24" }' | sort -u | xargs -I{} csf -d {}
I'm blocking /24 as I've seen a pattern of IPs from the same network.
-
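A more cautious take on the one-liner above, as an added example that is not part of the original post: it counts cphttpd crashes per source /24 and lists only the networks that reach a threshold, so the list can be reviewed before it goes to csf -d. The function names, the threshold and the sample records are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): count cphttpd crashes per source
# /24 from `coredumpctl info` text, so only repeat offenders reach the firewall.

# crash_networks MIN: read coredumpctl info output on stdin and print
# "<crashes> <distinct IPs> <network>" for each /24 with at least MIN crashes.
crash_networks() {
    awk -v min="${1:-3}" '
        /Command Line:.*cphttpd - serving / {
            ip = $NF
            # Ignore anything that is not a dotted quad with octets 0-255,
            # so a malformed process title never becomes a firewall argument.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split(ip, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
            net = o[1] "." o[2] "." o[3] ".0/24"
            crashes[net]++
            if (!((net, ip) in seen)) { seen[net, ip] = 1; hosts[net]++ }
        }
        END {
            for (net in crashes)
                if (crashes[net] >= min) print crashes[net], hosts[net], net
        }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample records (documentation address ranges, not real sources).
sample_records() {
    cat <<'EOF'
Signal: 11 (SEGV)
Command Line: cphttpd - serving 192.0.2.10
Command Line: cphttpd - serving 192.0.2.10
Command Line: cphttpd - serving 192.0.2.77
Command Line: cphttpd - serving 198.51.100.5
Command Line: cphttpd - serving 198.51.100.6
Command Line: cphttpd - serving 203.0.113.9
Command Line: cphttpd - serving 999.1.1.1
EOF
}

# Demo on the sample; on a live host pipe `coredumpctl -r --no-pager info`
# into crash_networks instead and review the list before passing it to csf -d.
sample_records | crash_networks 2
```

Counting distinct IPs next to total crashes shows whether a /24 really contains several sources or a single host that would be better blocked on its own.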
Thanks for sharing this!
-
To this day I'm still getting these coredump attacks.
No one else is reporting this?
-
No, I don't have any similar reports of this behavior. You can always create a ticket to have us or your host examine the system if you'd like.