LFD doesn't provide the path and filename of the offending script
Posted: 10 Aug 2019, 03:30
I installed csf & lfd, and osm on my server. I was trying to troubleshoot a spam issue (the server was sending spam), and these tools were very helpful in identifying where the issues might be. I already knew which cPanel account was responsible, and by searching the System logs in the ConfigServer Security & Firewall plugin section in the WHM, I was able to determine which scripts were likely responsible for this. Emails from lfd to me (root) reported them as suspicious, and I found one in the /dev/shm folder, and another file in the /var/tmp folder, which are areas on the server that this cPanel user (username was "outdoors") shouldn't have any access to. I deleted the files, and I removed the cron job created by the "outdoors" account. (The cron job was periodically running one of these scripts.) And I had the user's website re-installed from a clean backup. This should have taken care of the issue, and in a way, it did. There is no more spam going out from the server, and things seemed to return to normal, more or less. But there may still be another script running somewhere on the server, since I keep receiving these periodic emails from lfd (I think hourly) with the following content:
Time: Thu Aug 8 17:00:02 2019 -0700
Account: outdoors
Resource: Process Time
Exceeded: 115212 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: memc
PID: 23516 (Parent PID:23516)
Killed: No
Only the time and the number that represents seconds in the Exceeded field change; other than that, the content of each email is the same.
Apparently, there is still something on the server that runs a perl script, but the only clue lfd gives me is that the command line is "memc". It doesn't tell me where to look. (The system log identified the full path and file name for the others I cleaned.) I am not sure how to find this one, or what to do about it. I need help from the experienced users of these tools.
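The alert says Killed: No, so PID 23516 is still alive, and the kernel keeps far more about a live process than lfd prints. The Command Line lfd shows is the process's argv, which a Perl script can overwrite simply by assigning to $0; "memc" is therefore a name the script gave itself, not a file to search for by name. The following POSIX shell script is an added example, not part of the post and not code from the csf/lfd project: it pulls the PID out of an lfd alert (the alert body below is a constructed copy of the one quoted), dumps what /proc records for that PID (real executable, working directory, selected environment variables, open and mapped files, and the parent chain back to init), and then searches the account's files in the directories the post mentions for the token the process renamed itself to. The account name, the token and the directories are the post's; the function names and the directory list passed at the bottom are assumptions for illustration.

```shell
#!/bin/sh
# Constructed lfd "Process Time" alert, modelled on the one quoted in the
# post; sample input for this script, not a real e-mail.
LFD_ALERT='Time: Thu Aug 8 17:00:02 2019 -0700
Account: outdoors
Resource: Process Time
Exceeded: 115212 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: memc
PID: 23516 (Parent PID:23516)
Killed: No'

# Pull the PID out of an lfd alert body (first "PID:" line).
lfd_alert_pid() {
    printf '%s\n' "$1" | sed -n 's/^PID: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Owner and comm of a PID, read straight from /proc (no ps needed).
proc_owner_comm() {
    owner=$(ls -ld "/proc/$1" 2>/dev/null | awk '{print $3}')
    comm=$(cat "/proc/$1/comm" 2>/dev/null || true)
    printf '%s %s\n' "${owner:-?}" "${comm:-?}"
}

# Walk from a PID up to init, printing "pid owner comm" at each step: this
# shows what spawned the process (crond, the web server, or a parent that
# re-spawns it and must be killed too).
parent_chain() {
    p="$1"
    while [ -n "$p" ] && [ "$p" -gt 0 ] && [ -r "/proc/$p/stat" ]; do
        printf '%s ' "$p"; proc_owner_comm "$p"
        # /proc/PID/stat is "pid (comm) state ppid ..."; comm may contain
        # spaces, so cut everything up to the closing ')' before splitting.
        p=$(sed 's/^.*) //' "/proc/$p/stat" | awk '{print $2}')
    done
}

# Everything the kernel still knows about a live process. A script can
# rewrite its own argv; it cannot rewrite these.
inspect_pid() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "PID $pid is gone; find the new one with: ps -u USER -o pid,ppid,lstart,cmd"
        return 1
    fi
    echo "== exe  : $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "== cwd  : $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')   (where it was started; often where the script is)"
    echo "== argv : $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "== env  : variables that record where it was launched from"
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
        | grep -E '^(PWD|OLDPWD|HOME|SCRIPT_FILENAME|REQUEST_URI)=' || true
    echo "== fds  : open files ('(deleted)' means the file was removed but is still held open)"
    for f in "/proc/$pid/fd"/*; do
        [ -e "$f" ] || continue
        printf '  %s -> %s\n' "${f##*/}" "$(readlink "$f" 2>/dev/null || echo '?')"
    done
    echo "== maps : files mapped into memory, excluding the usual library directories"
    awk '$6 ~ "^/" && $6 !~ "^/(usr/)?lib" {print "  " $6}' "/proc/$pid/maps" 2>/dev/null | sort -u || true
    echo "== parent chain:"
    parent_chain "$pid"
}

# The disk side: files owned by the account, under the given directories,
# that contain the name the process gave itself.
hunt_script() {
    user="$1"; token="$2"; shift 2
    find "$@" -type f -user "$user" -exec grep -l -- "$token" {} + 2>/dev/null || true
}

# Example run against the constructed alert; the directory list is an assumption.
pid=$(lfd_alert_pid "$LFD_ALERT")
echo "alert PID: $pid"
inspect_pid "$pid" || true
hunt_script outdoors memc /home/outdoors /dev/shm /var/tmp /tmp
```

Run it as root while the process is still alive; once the script is found, check the parent chain before killing anything, because a parent that re-spawns the child (or a cron entry under a different user) will otherwise bring it straight back, and lfd will keep sending the same alert.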