Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 11 Jan 2013, 23:48
by Salami1_1
Hi,

I woke up and had 3500+ emails in my inbox from lfd with entries like:
(this is from the lfd.log, but the emails contain the same content, just in a different format):
Jan 11 12:16:26 www lfd[9739]: *Suspicious Process* PID:2859 PPID:4762 User:www-data Uptime:2466 secs EXE:/usr/lib/apache2/mpm-prefork/apache2 CMD:/usr/sbin/apache2 -k start
Jan 11 12:16:31 www lfd[9739]: *Suspicious Process* PID:5401 PPID:14391 User:mysql Uptime:1508710 secs EXE:/usr/sbin/mysqld CMD:/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3307
Jan 11 12:16:33 www lfd[9739]: *Suspicious Process* PID:5590 PPID:5579 User:dovecot Uptime:794191 secs EXE:/usr/lib/dovecot/imap-login CMD:imap-login
Jan 11 12:16:34 www lfd[9739]: *Suspicious Process* PID:6840 PPID:4762 User:www-data Uptime:827 secs EXE:/usr/lib/apache2/mpm-prefork/apache2 CMD:/usr/sbin/apache2 -k start
Jan 11 12:16:53 www lfd[9739]: *Suspicious Process* PID:14599 PPID:14599 User:dkim-filter Uptime:804247 secs EXE:/usr/sbin/dkim-filter CMD:/usr/sbin/dkim-filter -x /etc/dkim-filter.conf -u dkim-filter -P /var/run/dkim-filter/dkim-filter.pid
Jan 11 12:16:53 www lfd[9739]: *Suspicious Process* PID:22901 PPID:5579 User:dovecot Uptime:196519 secs EXE:/usr/lib/dovecot/imap-login CMD:imap-login
Jan 11 12:16:54 www lfd[9739]: *Excessive Processes* User:www-data Kill:0 Process Count:33
Jan 11 15:46:01 www lfd[20015]: *User Processing* PID:19993 Kill:0 User:www-data VM:270(MB) EXE:/usr/lib/apache2/mpm-prefork/apache2 CMD:/usr/sbin/apache2 -k start

And it continues to kill me with emails.. please help what the H*ll is happening.
This happened exactly after I got an email about the upgrade:

Upgrading csf from v5.71 to 5.72...
Retrieving new csf package...
...0%
...5%
...10%
...15%
...20%
...25%
...30%
...35%
...40%
...45%
...50%
...55%
...60%
...65%
...70%
...75%
...80%
...85%
...90%
...95%
...100%


Unpacking new csf package...

Configuring for OS

Running csf generic installer

Installing generic csf and lfd

Check we're running as root

Checking Perl modules...Configuration modified for Debian/Ubuntu/Gentoo settings /etc/csf/csf.conf
ok

`alert.txt' -> `/etc/csf/alert.txt.new'


So too much coincidence this upgrade seems to be screwing up my server.. please help!

Re: Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 12 Jan 2013, 18:27
by Sergio
This is not a CSF issue; CSF is reporting that some processes were left behind after the last CPanel update.

Restart the process that is mentioned in the email, for instance if it says MYSQL then in WHM restart MYSQL, if it says DOVECOT restart DOVECOT, etc.

This has been discussed in the forum before.

Sergio

Re: Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 13 Jan 2013, 01:27
by Salami1_1
I posted the post here because these notifications started a few minutes after CSF auto-updated itself.
That is too much of a coincidence for me.. before that this never happened.

Also I actually restarted the server completely and that didn't solve it.
In the end I upgraded the memory and whitelisted the apache process and it seems ok now.

I'm now just wondering if CSF 5.72 suddenly is using a lot more memory than it did before.

(also I'm not using Cpanel I don't have any control panel installed)

Re: Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 13 Jan 2013, 03:01
by Salami1_1
Now it is even sending me emails like:

Time: Sun Jan 13 02:07:45 2013 +0000
IP: {my ip}
Account: root
Method: password authentication


and a whoooole bunch of postfix / dovecot warnings like:
Time: Sun Jan 13 02:47:28 2013 +0000
PID: 23300 (Parent PID:3263)
Account: postfix
Uptime: 85 seconds

Executable:
/usr/lib/postfix/smtpd

Command Line (often faked in exploits):
smtpd -n 7538 -t inet -u -c -o stress=

Network connections by the process (if any):

tcp: 0.0.0.0:7538 -> 0.0.0.0:0
===
Time: Sun Jan 13 02:31:26 2013 +0000
Account: postfix
Resource: Process Time
Exceeded: 88391 > 1800 (seconds)
Executable: /usr/lib/postfix/tlsmgr
Command Line: tlsmgr -l -t unix -u -c
PID: 4138 (Parent PID:3263)
Killed: No
===

etc..
restarting postfix & dovecot does not make a difference.

Re: Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 13 Jan 2013, 03:32
by Sergio
In your first post you didn't tell all this, that is why I assumed that the processes were like I said.

Now, I think that the problem could be the file CXS.PIGNORE, check there if you have listed all these processes that have to be ignored by CSF.

Also check if you have latest 5.73

Re: Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 14 Jan 2013, 22:49
by Salami1_1
Hey,

Thanks for the help, I've updated to the latest version and we've (me and my hosting support) been trying a lot but it keeps bombing me with emails..

The file you mentioned has:
exe:/usr/lib/courier-imap/bin/pop3d
exe:/usr/lib/courier-imap/bin/imapd
exe:/usr/sbin/pure-ftpd
exe:/usr/local/apache/bin/httpd
exe:/usr/sbin/sshd
exe:/usr/sbin/proftpd
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/pop3
exe:/usr/sbin/named
exe:/usr/sbin/ntpd
exe:/bin/dbus-daemon
exe:/usr/sbin/ntpd
exe:/usr/sbin/exim4
exe:/sbin/ntpd
exe:/usr/lib/postfix/smtpd
exe:/usr/lib/postfix/pickup
exe:/usr/lib/dovecot/imap-login
exe:/usr/lib/apache2/mpm-prefork/apache2

However I'm still getting emails like (in the thousands):
Time: Mon Jan 14 22:15:22 2013 +0000
Account: www-data
Resource: Virtual Memory Size
Exceeded: 271 > 200 (MB)
Executable: /usr/lib/apache2/mpm-prefork/apache2
Command Line: /usr/sbin/apache2 -k start
PID: 1632 (Parent PID:17317)
Killed: No

Also I'm still getting Postfix warnings (suspicions) but those are a lot fewer in quantity..

We tried reinstalling CSF completely and my hosting told me they also set memory limits inside CSF config for lfd to 300 mb (not sure where they did this, can't find this atm)

Seems like lfd really doesn't like me :)
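
Added example (not part of any post in this thread, and not csf's own code): a small triage script that groups lfd alert lines like those quoted in the first post by alert type and executable, and marks which executables have an exe: entry in the ignore list. It assumes exe: entries are compared by exact full path; the sample log and ignore list are constructed from the excerpts quoted above, shortened.

```python
import re
from collections import Counter

# Constructed sample: lfd.log lines in the format quoted in the first post (CMD shortened).
SAMPLE_LOG = """\
Jan 11 12:16:26 www lfd[9739]: *Suspicious Process* PID:2859 PPID:4762 User:www-data Uptime:2466 secs EXE:/usr/lib/apache2/mpm-prefork/apache2 CMD:/usr/sbin/apache2 -k start
Jan 11 12:16:31 www lfd[9739]: *Suspicious Process* PID:5401 PPID:14391 User:mysql Uptime:1508710 secs EXE:/usr/sbin/mysqld CMD:/usr/sbin/mysqld --basedir=/usr
Jan 11 12:16:33 www lfd[9739]: *Suspicious Process* PID:5590 PPID:5579 User:dovecot Uptime:794191 secs EXE:/usr/lib/dovecot/imap-login CMD:imap-login
Jan 11 12:16:53 www lfd[9739]: *Suspicious Process* PID:14599 PPID:14599 User:dkim-filter Uptime:804247 secs EXE:/usr/sbin/dkim-filter CMD:/usr/sbin/dkim-filter -x /etc/dkim-filter.conf
Jan 11 12:16:54 www lfd[9739]: *Excessive Processes* User:www-data Kill:0 Process Count:33
Jan 11 15:46:01 www lfd[20015]: *User Processing* PID:19993 Kill:0 User:www-data VM:270(MB) EXE:/usr/lib/apache2/mpm-prefork/apache2 CMD:/usr/sbin/apache2 -k start
"""

# Constructed sample: a few exe: entries taken from the ignore list quoted in the post above.
SAMPLE_PIGNORE = """\
exe:/usr/sbin/sshd
exe:/usr/lib/postfix/smtpd
exe:/usr/lib/dovecot/imap-login
exe:/usr/lib/apache2/mpm-prefork/apache2
"""

ALERT = re.compile(r"lfd\[\d+\]: \*(?P<kind>[^*]+)\* (?P<rest>.*)$")
FIELD = re.compile(r"\b(User|EXE):(\S+)")

def parse_alerts(log_text):
    """Yield (kind, user, exe) per lfd alert line; exe is None when the line has none."""
    for line in log_text.splitlines():
        m = ALERT.search(line)
        if m:
            # Drop the CMD: tail first so arguments cannot be mistaken for fields.
            head = m.group("rest").split(" CMD:", 1)[0]
            f = dict(FIELD.findall(head))
            yield m.group("kind"), f.get("User"), f.get("EXE")

def ignored_exes(pignore_text):
    """Collect exe: paths; blank lines, comments and other entry types are skipped."""
    lines = (l.strip() for l in pignore_text.splitlines())
    return {l[4:] for l in lines if l.startswith("exe:")}

def triage(log_text, pignore_text):
    """Map (kind, exe) -> (alert count, exe has an exe: entry in the ignore list)."""
    ignore = ignored_exes(pignore_text)
    counts = Counter((k, e) for k, _, e in parse_alerts(log_text))
    return {key: (n, key[1] in ignore) for key, n in counts.items()}

if __name__ == "__main__":
    rows = sorted(triage(SAMPLE_LOG, SAMPLE_PIGNORE).items(), key=str)
    for (kind, exe), (n, listed) in rows:
        print(f"{n:4d}  {kind:<20} {exe or '-':<42} listed={listed}")
```

Run against a real lfd.log and ignore file, the rows with listed=False show which executables have no entry yet, and rows with listed=True that keep recurring are the ones worth raising with support.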

Re: Upgrading csf from v5.71 to 5.72 a lot of problems!

Posted: 29 Dec 2013, 16:21
by nobodyfamous
Sorry to dig up an old thread but. . . I am having the exact same issue.

Ubuntu Server 12.04 LTS
Virtualmin 4.04.gpl/webmin 1.660
csf v6.39

NO CPANEL

I am also running Munin 1.4.6 and it seems to be one of the processes that keeps getting warnings, maybe.


Did the OP figure this out?