
lfd not reading csf.pignore file

Posted: 27 Mar 2017, 18:33
by guygreg2
The server admin address gets the following alerts about once a minute:
Time: Mon Mar 27 13:19:19 2017 -0400
PID: 3696 (Parent PID:1399)
Account: grais40
Uptime: 88 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/524/bin/perl


Command Line (often faked in exploits):

cpdavd (CalDAV/CardDAV) - authenticated as user@example.com


Network connections by the process (if any):

tcp: 0.0.0.0:2077 -> 0.0.0.0:0
tcp: 0.0.0.0:2078 -> 0.0.0.0:0
tcp: 0.0.0.0:2079 -> 0.0.0.0:0
tcp: 0.0.0.0:2080 -> 0.0.0.0:0
tcp: 23.254.XXX.XXX:2080 -> 67.62.XXX.XXX:49568

Code:

[root@mail /]# find -name cpdavd
./usr/local/cpanel/libexec/cpdavd
./usr/local/cpanel/src/chkservd/chkserv.d/cpdavd
./usr/local/cpanel/etc/init/scripts/centos/cpdavd
./usr/local/cpanel/cpdavd
./run/chkservd/cpdavd
./run/chkservd/restart_track/cpdavd
./var/cpanel/serviceauth/cpdavd
./var/cpanel/cphulkd/keys/cpdavd
./var/cpanel/dormant_services/cpdavd
./etc/chkserv.d/cpdavd
Relevant lines in /etc/csf/csf.pignore:

Code:

exe:/usr/local/cpanel/cpdavd
exe:/usr/local/cpanel/libexec/cpdavd
user:grais40 
Server restarted, but alerts continue. lfd doesn't seem to be reading this config file.

Code:

[root@mail csf]# uname -a
Linux mail.gra-inc.com 3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3 00:04:05 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Code:

[root@mail csf]# perl -V
Summary of my perl5 (revision 5 version 16 subversion 3) configuration:

  Platform:
    osname=linux, osvers=2.6.32-573.18.1.el6.x86_64, archname=x86_64-linux-thread-multi
    uname='linux worker1.bsys.centos.org 2.6.32-573.18.1.el6.x86_64 #1 smp tue feb 9 22:46:17 utc 2016 x86_64 x86_64 x86_64 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wl,-z,relro  -DDEBUGGING=-g -Dversion=5.16.3 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5 -Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl -Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl -Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Duseshrplib -Dusethreads -Duseithreads -Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin -Dusesitecustomize'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.8.5 20150623 (Red Hat 4.8.5-11)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -fstack-protector'
    libpth=/usr/local/lib64 /lib64 /usr/lib64
    libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.17'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro '


Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
                        PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT
                        PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL
                        USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
                        USE_REENTRANT_API USE_SITECUSTOMIZE
  Locally applied patches:
        Fedora Patch1: Removes date check, Fedora/RHEL specific
        Fedora Patch3: support for libdir64
        Fedora Patch4: use libresolv instead of libbind
        Fedora Patch5: USE_MM_LD_RUN_PATH
        Fedora Patch6: Skip hostname tests, due to builders not being network capable
        Fedora Patch7: Dont run one io test due to random builder failures
        Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054)
        Fedora Patch10: Fix broken atof (RT#109318)
        Fedora Patch13: Clear $@ before "do" I/O error (RT#113730)
        Fedora Patch14: Do not truncate syscall() return value to 32 bits (RT#113980)
        Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530)
        Fedora Patch16: Do not leak with attribute on my variable (RT#114764)
        Fedora Patch17: Allow operator after numeric keyword argument (RT#105924)
        Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984)
        Fedora Patch19: Do not crash when vivifying $|
        Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)
        Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)
        Fedora Patch22: Fix leaking tied hashes (RT#107000) [1]
        Fedora Patch23: Fix leaking tied hashes (RT#107000) [2]
        Fedora Patch24: Fix leaking tied hashes (RT#107000) [3]
        Fedora Patch25: Fix dead lock in PerlIO after fork from thread (RT#106212)
        Fedora Patch26: Make regexp safe in a signal handler (RT#114878)
        Fedora Patch27: Update h2ph(1) documentation (RT#117647)
        Fedora Patch28: Update pod2html(1) documentation (RT#117623)
        Fedora Patch29: Document Math::BigInt::CalcEmu requires Math::BigInt (CPAN RT#85015)
        RHEL Patch30: Use stronger algorithm needed for FIPS in t/op/crypt.t (RT#121591)
        RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912)
        RHEL Patch32: Use stronger algorithm needed for FIPS in t/op/taint.t (RT#123338)
        RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test
        RHEL Patch34: Make File::Glob work with threads again
        RHEL Patch35: Fix CRLF conversion in ASCII FTP upload (CPAN RT#41642)
        RHEL Patch36: Do not leak the temp utf8 copy of namepv (CPAN RT#123786)
        RHEL Patch37: Fix duplicating PerlIO::encoding when spawning threads (RT#31923)
        RHEL Patch38: Backported libraries historically supplied with Perl 4
  Built under linux
  Compiled at Nov  6 2016 01:30:49
  @INC:
    /usr/local/lib64/perl5
    /usr/local/share/perl5
    /usr/lib64/perl5/vendor_perl
    /usr/share/perl5/vendor_perl
    /usr/lib64/perl5
    /usr/share/perl5
    .

Re: lfd not reading csf.pignore file

Posted: 27 Mar 2017, 19:53
by guygreg2
Edited /etc/csf/csf.conf, set PT_USERTIME = 0.
csf -r
service lfd restart

Still getting alerts.
Did a search to see if there was another csf directory on the system, like this one wasn't actually the one that was running, but didn't find anything.

Re: lfd not reading csf.pignore file

Posted: 05 Jul 2017, 08:44
by chessmango
Seeing the same thing here - also not going away after having added cmd:cpdavd to csf.pignore.

Code:

[root@hostname ~]# uname -a
Linux hostname.example.com 2.6.32-042stab123.1 #1 SMP Wed Mar 22 15:21:30 MSK 2017 x86_64 x86_64 x86_64 GNU/Linux

Code:

[root@hostname ~]# perl -V
Summary of my perl5 (revision 5 version 16 subversion 3) configuration:

  Platform:
    osname=linux, osvers=2.6.32-573.18.1.el6.x86_64, archname=x86_64-linux-thread-multi
    uname='linux worker1.bsys.centos.org 2.6.32-573.18.1.el6.x86_64 #1 smp tue feb 9 22:46:17 utc 2016 x86_64 x86_64 x86_64 gnulinux '
    config_args='-des -Doptimize=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Dccdlflags=-Wl,--enable-new-dtags -Dlddlflags=-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wl,-z,relro  -DDEBUGGING=-g -Dversion=5.16.3 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5 -Dsitearch=/usr/local/lib64/perl5 -Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl -Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl -Darchname=x86_64-linux-thread-multi -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Duseshrplib -Dusethreads -Duseithreads -Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin -Dusesitecustomize'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.8.5 20150623 (Red Hat 4.8.5-11)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -fstack-protector'
    libpth=/usr/local/lib64 /lib64 /usr/lib64
    libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.17'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,--enable-new-dtags -Wl,-rpath,/usr/lib64/perl5/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro '


Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES MULTIPLICITY PERLIO_LAYERS
                        PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT
                        PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL
                        USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
                        USE_REENTRANT_API USE_SITECUSTOMIZE
  Locally applied patches:
        Fedora Patch1: Removes date check, Fedora/RHEL specific
        Fedora Patch3: support for libdir64
        Fedora Patch4: use libresolv instead of libbind
        Fedora Patch5: USE_MM_LD_RUN_PATH
        Fedora Patch6: Skip hostname tests, due to builders not being network capable
        Fedora Patch7: Dont run one io test due to random builder failures
        Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054)
        Fedora Patch10: Fix broken atof (RT#109318)
        Fedora Patch13: Clear $@ before "do" I/O error (RT#113730)
        Fedora Patch14: Do not truncate syscall() return value to 32 bits (RT#113980)
        Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530)
        Fedora Patch16: Do not leak with attribute on my variable (RT#114764)
        Fedora Patch17: Allow operator after numeric keyword argument (RT#105924)
        Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984)
        Fedora Patch19: Do not crash when vivifying $|
        Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)
        Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)
        Fedora Patch22: Fix leaking tied hashes (RT#107000) [1]
        Fedora Patch23: Fix leaking tied hashes (RT#107000) [2]
        Fedora Patch24: Fix leaking tied hashes (RT#107000) [3]
        Fedora Patch25: Fix dead lock in PerlIO after fork from thread (RT#106212)
        Fedora Patch26: Make regexp safe in a signal handler (RT#114878)
        Fedora Patch27: Update h2ph(1) documentation (RT#117647)
        Fedora Patch28: Update pod2html(1) documentation (RT#117623)
        Fedora Patch29: Document Math::BigInt::CalcEmu requires Math::BigInt (CPAN RT#85015)
        RHEL Patch30: Use stronger algorithm needed for FIPS in t/op/crypt.t (RT#121591)
        RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912)
        RHEL Patch32: Use stronger algorithm needed for FIPS in t/op/taint.t (RT#123338)
        RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test
        RHEL Patch34: Make File::Glob work with threads again
        RHEL Patch35: Fix CRLF conversion in ASCII FTP upload (CPAN RT#41642)
        RHEL Patch36: Do not leak the temp utf8 copy of namepv (CPAN RT#123786)
        RHEL Patch37: Fix duplicating PerlIO::encoding when spawning threads (RT#31923)
        RHEL Patch38: Backported libraries historically supplied with Perl 4
  Built under linux
  Compiled at Nov  6 2016 01:30:49
  @INC:
    /usr/local/lib64/perl5
    /usr/local/share/perl5
    /usr/lib64/perl5/vendor_perl
    /usr/share/perl5/vendor_perl
    /usr/lib64/perl5
    /usr/share/perl5
    .
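Added example (not code from this thread and not ConfigServer's lfd code) that models how a csf.pignore entry is matched against the process fields lfd reports in a Process Tracking alert: the Executable, the Command Line and the Account. It uses the alert quoted in the first post and the csf.pignore lines from that post as constructed sample input, and also checks the `cmd:cpdavd` entry chessmango added. The matching rules are assumptions taken from the csf.pignore format as the csf readme describes it (exe:/user:/cmd: compared exactly, pexe:/puser:/pcmd: treated as regular expressions); lfd.pl itself is the authority, so use this as a diagnostic aid for "why does my entry not match" rather than as a reimplementation. The `/proc` reader is a helper added here for checking a live PID on Linux.

```python
"""Diagnose why a csf.pignore entry does or does not match a process.

Added example, not part of the forum thread or of ConfigServer's lfd.
Assumed matching rules (from the documented csf.pignore format):
  exe:/user:/cmd:    exact string comparison against the process field
  pexe:/puser:/pcmd: Perl-style regular expression searched in the field
"""
import os
import pwd
import re
import sys

# Which process field each entry kind is compared against (assumption).
FIELD_OF = {"exe": "exe", "user": "user", "cmd": "cmd",
            "pexe": "exe", "puser": "user", "pcmd": "cmd"}

# Constructed sample: the three fields from the alert quoted in the first post.
ALERT_PROCESS = {
    "exe": "/usr/local/cpanel/3rdparty/perl/524/bin/perl",
    "cmd": "cpdavd (CalDAV/CardDAV) - authenticated as user@example.com",
    "user": "grais40",
}

# Constructed sample: the csf.pignore lines shown in the first post. The user:
# line carries a trailing space exactly as it appears in the quoted post.
PIGNORE_FROM_THREAD = "\n".join([
    "exe:/usr/local/cpanel/cpdavd",
    "exe:/usr/local/cpanel/libexec/cpdavd",
    "user:grais40 ",  # trailing space kept on purpose, see lint_pignore()
]) + "\n"


def parse_pignore(text):
    """Return (kind, value, raw_line) tuples; blanks and # comments skipped.
    The value is kept verbatim so stray whitespace is visible to the linter."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        kind, sep, value = raw.partition(":")
        if not sep:
            continue  # no "kind:value" shape, nothing to compare against
        entries.append((kind.strip(), value, raw))
    return entries


def entry_matches(kind, value, proc):
    """True if one entry matches the process dict (keys exe, cmd, user)."""
    field = FIELD_OF.get(kind)
    if field is None:
        return False  # unknown prefix, lfd would have no field to test
    target = proc[field]
    if kind.startswith("p"):
        try:
            return re.search(value, target) is not None
        except re.error:
            return False  # an unparsable pattern matches nothing
    return value == target  # exact comparison: "grais40 " != "grais40"


def explain(proc, pignore_text):
    """Return (ignored, reasons): whether any entry matches, plus one line
    per entry showing what was compared, so a mismatch is easy to spot."""
    reasons, ignored = [], False
    for kind, value, raw in parse_pignore(pignore_text):
        hit = entry_matches(kind, value, proc)
        ignored = ignored or hit
        field = FIELD_OF.get(kind, kind)
        verdict = "MATCH   " if hit else "no match"
        reasons.append(f"{verdict}: {raw!r} vs {field}={proc.get(field)!r}")
    return ignored, reasons


def lint_pignore(text):
    """Flag entries that are easy to get wrong under the exact-match rule:
    trailing whitespace, and cmd: values that look like a bare program name
    while the process's full command line is what gets compared."""
    findings = []
    for kind, value, raw in parse_pignore(text):
        if value != value.rstrip():
            findings.append(f"trailing whitespace in {raw!r}")
        if kind == "cmd" and " " not in value.strip():
            findings.append(f"{raw!r} is a bare name; the full command line is "
                            "compared, a pcmd:^name regex is usually intended")
    return findings


def process_from_proc(pid):
    """Build the same three fields for a live PID from /proc (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/cmdline", "rb") as fh:
        cmd = fh.read().rstrip(b"\0").replace(b"\0", b" ").decode(errors="replace")
    return {"exe": os.readlink(f"{base}/exe"), "cmd": cmd,
            "user": pwd.getpwuid(os.stat(base).st_uid).pw_name}


if __name__ == "__main__":
    # Usage: python3 pignore_check.py [PID [/etc/csf/csf.pignore]]
    proc = process_from_proc(int(sys.argv[1])) if len(sys.argv) > 1 else ALERT_PROCESS
    pignore = open(sys.argv[2]).read() if len(sys.argv) > 2 else PIGNORE_FROM_THREAD
    ignored, reasons = explain(proc, pignore)
    print("\n".join(reasons))
    print("ignored by csf.pignore:", ignored)
    for finding in lint_pignore(pignore):
        print("lint:", finding)
```

Run against the sample, neither exe: line matches because the alert's Executable is the cPanel Perl interpreter, not the cpdavd wrapper script that `find` located, and the user: line fails only because of its trailing space. A `cmd:cpdavd` entry likewise never equals the full "cpdavd (CalDAV/CardDAV) - ..." command line, which is why the example prefers an anchored `pcmd:` regex. Ignoring by `exe:` on the shared Perl binary would silence Process Tracking for every cPanel Perl process, so a narrow `pcmd:` entry is the safer choice if the alert turns out to be benign.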