Bug? Perl mails about spamd in Centos 8

Black Tiger · Post by **Black Tiger** » 17 Nov 2020, 18:34

I don't know if this is a CSF bug or something else so I post it here.

In Centos 7, it was enough to put these lines in the csf.pignore file:

Code: Select all

exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

no problems with perl mails about spamd and spamd child anymore.

Since Centos 8 this is change, no clue as to why.
On is about a suspicious process, the other one about excessive resource usage.

This is the one about suspicious process:

Code: Select all

Time:    Tue Nov 17 17:43:13 2020 +0100
PID:     1220390 (Parent PID:1220388)
Account: accountname
Uptime:  52384 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

spamd child                                                                                                                                                                                                                       

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:47734
udp: 127.0.0.1:63011 -> 127.0.0.1:53

This is about the excessive resource usage:

Code: Select all

Time:         Tue Nov 17 17:43:13 2020 +0100
Account:      accountname
Resource:     Process Time
Exceeded:     52384 > 1800 (seconds)
Executable:   /usr/bin/perl
Command Line: spamd child                                                                                                                                                                                                                       
PID:          1220390 (Parent PID:1220388)
Killed:       No

So both are about spamd child.

We can stop this by adding the perl executable to csf.pignore but it's better to keep monitoring perl.
This issue is only occuring on Centos 8 servers, not on Centos 7 servers.
Configuration of csf.conf and csf.pignore is exactly the same on all servers.
I'm not the only one experiencing this.

System.
OS Centos 8.2.2004
Directadmin

svendsen · Post by **svendsen** » 12 Feb 2021, 16:31

Hi!
Did you find a solution to this?
we also found this issue on a Centos7 server. The only server with this issue and we share same CSF configuration

Black Tiger · Post by **Black Tiger** » 12 Feb 2021, 16:56

Hello.
No. I finally got fed up with this and added perl to the exclusions in the csf.pignore file.

adeyjones · Post by **adeyjones** » 10 May 2021, 15:29

Black Tiger wrote: ↑12 Feb 2021, 16:56 Hello.
No. I finally got fed up with this and added perl to the exclusions in the csf.pignore file.

Hi, just wondering what you added to make this happen?

I get several of these emails a day and have so far added the following in to csf.pignore but nothing is stopping them from coming:

Code: Select all

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child

Black Tiger · Post by **Black Tiger** » 10 May 2021, 16:54

As said I got fed up with it and excluded perl by adding this line:

Code: Select all

exe:/usr/local/cpanel/3rdparty/perl/524/bin/perl

However in the mean time we don't have version 524 anymore so I disabled that again.

At this moment I'm only using this in csf.pignore:

Code: Select all

exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

adeyjones · Post by **adeyjones** » 10 May 2021, 21:15

Black Tiger wrote: ↑10 May 2021, 16:54 As said I got fed up with it and excluded perl by adding this line:
Code: Select all
exe:/usr/local/cpanel/3rdparty/perl/524/bin/perl
However in the mean time we don't have version 524 anymore so I disabled that again.

At this moment I'm only using this in csf.pignore:
Code: Select all
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

Thanks for getting back to me, i'll try that out and see if I get any more in the next 24 hours.

Black Tiger · Post by **Black Tiger** » 10 May 2021, 21:57

Oke. I hope this will fix it for you. If not, I don't know.

adeyjones · Post by **adeyjones** » 12 May 2021, 14:51

Black Tiger wrote: ↑10 May 2021, 21:57 Oke. I hope this will fix it for you. If not, I don't know.

Unfortunately not, look what's just arrived:

Time: Wed May 12 13:49:27 2021 +0000
Account: 'hidden'
Resource: Process Time
Exceeded: 45559 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl
Command Line: spamd child
PID: 31262 (Parent PID:30456)
Killed: No

Time: Wed May 12 13:49:27 2021 +0000
PID: 31262 (Parent PID:30456)
Account: 'hidden'
Uptime: 45559 seconds

Executable:

/usr/local/cpanel/3rdparty/perl/532/bin/perl

Command Line (often faked in exploits):

spamd child

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:55388

Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/532/bin/spamd
/home/surgeryweb/.spamassassin/bayes_toks
/home/surgeryweb/.spamassassin/bayes_seen
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

Black Tiger · Post by **Black Tiger** » 12 May 2021, 15:46

I presume you restarted both csf and lfd afterwards.

If yes, then seems to me the only way is to ignore perl. I don't have the impression this bug will be fixed since it's there soo long already.

n2rga · Post by **n2rga** » 18 Sep 2021, 21:46

I have the same problem waiting on a fix I have Cloudlinux 8. Any luck?

ConfigServer Community Forum

Bug? Perl mails about spamd in Centos 8

Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8

Re: Bug? Perl mails about spamd in Centos 8