Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : LDF notification

[jestin_virtual]

LFD Problem !


Hello ,

i`m receiving below email for 10 times per day

it`s amazing that the subject of email is one of my users but in the body of mail i can see another user also



i have change the users to User1 / User2 to understand better , and ip address to ...My server ip .....


Time: Wed Sep 2 22:44:51 2009 +0430
PID: 29219
Account: User1
Uptime: 5294 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:39286
udp: ...my server ip..:61458 -> ....someone else ip....:53


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
/home/User2/.spamassassin/bayes_toks


Memory maps by the process (if any):

00162000-00171000 r-xp 00000000 fd:00 38666263 /lib/libresolv-2.5.so
00171000-00172000 r-xp 0000e000 fd:00 38666263 /lib/libresolv-2.5.so
00172000-00173000 rwxp 0000f000 fd:00 38666263 /lib/libresolv-2.5.so
00173000-00175000 rwxp 00173000 00:00 0
001a6000-001a8000 r-xp 00000000 fd:00 38666287 /lib/libutil-2.5.so
001a8000-001a9000 r-xp 00001000 fd:00 38666287 /lib/libutil-2.5.so
001a9000-001aa000 rwxp 00002000 fd:00 38666287 /lib/libutil-2.5.so
001ad000-001c7000 r-xp 00000000 fd:00 38666292 /lib/ld-2.5.so
001c7000-001c8000 r-xp 00019000 fd:00 38666292 /lib/ld-2.5.so
001c8000-001c9000 rwxp 0001a000 fd:00 38666292 /lib/ld-2.5.so

[SPaReK]

You need to add:

Code:

cmd:spamd child

to the /etc/csf/csf.pignore file on your server and then restart lfd:

Code:

service lfd restart

For additional help regarding configserver firewall, see their website and support forums:

http://configservers.net

[jestin_virtual]

Quote:

Originally Posted by SPaReK

You need to add:

Code:

cmd:spamd child

to the /etc/csf/csf.pignore file on your server and then restart lfd:

Code:

service lfd restart

For additional help regarding configserver firewall, see their website and support forums:

http://configservers.net

i have received another email before the notification




Subject : lfd on server.mabdns.com: Excessive resource usage: dezir (29219)


Time: Thu Sep 3 00:04:03 2009 +0430
Account: User1
Resource: Process Time
Exceeded: 10046 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: spamd child
PID: 29219
Killed: No

[rootatmike]

Hey friend, nothing to be worried abt the mail. This is a just notification email from cpanel service about the high resource usage of the user's process spamd.


Thanks
Mike

[fabin]

Sometimes those mails can be annoying.. you can add a user or executable to /etc/csf/csf.pignore file.. and you won't get any notifications for it

f.e

Quote:

user:user1

[jestin_virtual]

Quote:

Originally Posted by SPaReK

You need to add:

Code:

cmd:spamd child

to the /etc/csf/csf.pignore file on your server and then restart lfd:

Code:

service lfd restart

For additional help regarding configserver firewall, see their website and support forums:

http://configservers.net

root@server [~]# spamd child
[22949] warn: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
[22949] warn: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
[22949] error: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
spamd: could not create INET socket on 127.0.0.1:783: Address already in use
root@server [~]#

[jestin_virtual]

Quote:

Originally Posted by fabin

Sometimes those mails can be annoying.. you can add a user or executable to /etc/csf/csf.pignore file.. and you won't get any notifications for it

f.e

Hello ,

1 - is it only a notification or firewall has blocked the process also ,

2 - as you told i can add the user in "csf.pignore" but what to do if i don`t want to receive any notification regarding the issue

please chek the below lines and let me know which line should i remove


exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/cpanel/cpsrvd
exe:/usr/local/cpanel/3rdparty/bin/imapd
exe:/usr/local/apache/bin/httpd
exe:/usr/local/cpanel/bin/cppop
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/local/cpanel/3rdparty/bin/php
exe:/usr/local/cpanel/3rdparty/bin/analog
exe:/usr/local/urchin/bin/urchinwebd
exe:/usr/local/cpanel/cpsrvd-ssl
exe:/usr/bin/spamc
exe:/usr/local/cpanel/bin/cppop-ssl
exe:/usr/local/cpanel/bin/logrunner
exe:/usr/local/cpanel/cpdavd
exe:/usr/local/cpanel/bin/cpwrap
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
user:mailnull
user:mailman
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/nsd
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/var/cpanel/3rdparty/bin/php






Thank You

[fabin]

Quote:

1 - is it only a notification or firewall has blocked the process also ,

Its just a notification.

Quote:

2 - as you told i can add the user in "csf.pignore" but what to do if i don`t want to receive any notification regarding the issue

As others have already told, add the below line to csf.pignore

Code:

cmd:spamd child

And, don't forget to restart ldf

[jestin_virtual]

Quote:

Originally Posted by fabin

Its just a notification.



As others have already told, add the below line to csf.pignore

Code:

cmd:spamd child

And, don't forget to restart ldf

Hello ,
please check my "csf.pignore" file ( check the last line pls )
But , Still same problem

exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/cpanel/cpsrvd
exe:/usr/local/cpanel/3rdparty/bin/imapd
exe:/usr/local/apache/bin/httpd
exe:/usr/local/cpanel/bin/cppop
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/local/cpanel/3rdparty/bin/php
exe:/usr/local/cpanel/3rdparty/bin/analog
exe:/usr/local/urchin/bin/urchinwebd
exe:/usr/local/cpanel/cpsrvd-ssl
exe:/usr/bin/spamc
exe:/usr/local/cpanel/bin/cppop-ssl
exe:/usr/local/cpanel/bin/logrunner
exe:/usr/local/cpanel/cpdavd
exe:/usr/local/cpanel/bin/cpwrap
exe:/usr/libexec/gam_server
exe:/usr/sbin/named
exe:/usr/sbin/exim
exe:/usr/sbin/mysqld
exe:/usr/sbin/mysqld_safe
exe:/usr/libexec/hald-addon-acpi
exe:/usr/sbin/hald
exe:/bin/dbus-daemon
exe:/usr/bin/dbus-daemon-1
user:mailnull
user:mailman
exe:/usr/libexec/hald-addon-keyboard
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/nsd
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/var/cpanel/3rdparty/bin/php
spamd child

[fabin]

Code:

exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/nsd
exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/var/cpanel/3rdparty/bin/php
cmd:spamd child

That way