Webalizer problems after cpanel update
Posted: 12 Feb 2013, 22:42
Hi folks,
I recently had my datacenter update WHM/cPanel to 11.36X and I've been getting flooded with hundreds of emails a day now indicating Suspicious processes and Excessive processes, all related to webalizer, for every account on my box.
My data center is suggesting I try increasing some of the process tracking directives for CSF.
I'm not understanding how updating cPanel should require me to tame CSF so it's not triggered as easily. I like the warnings, I'm very paranoid, but I can't help but think something is wrong, since now that cPanel has been upgraded I'm getting warnings off every site.
Wondering if someone could shed some light on this for me?
An example of the daily warnings that I get for each account on the server:
Excessive processes
<snippet>
User:finsnet PID:4958 PPID:25884 Run Time:37504041(secs) Memory:105440(kb) exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl cmd:cpanellogd - http logs for finsnet
User:finsnet PID:4959 PPID:4958 Run Time:45(secs) Memory:3792(kb) exe:/usr/local/cpanel/bin/cpuwatch cmd:/usr/local/cpanel/bin/logrunner 12.0 /usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
User:finsnet PID:4960 PPID:4959 Run Time:45(secs) Memory:41204(kb) exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english cmd:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
--------------------------------------------------
Suspicious process
<snippet>
Executable:
/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -N 10 -D /home/finsnet/tmp/webalizer/dns_cache.db -R 250 -p -n finsandfurnet -o /home/finsnet/tmp/webalizer /usr/local/apache/domlogs/finsandfurnet
Network connections by the process (if any):
udp: xx.xxx.xxx.xxx:xxxxx -> xxx.xx.xxx.x:xx
Files open by the process (if any):
/home/domlogs/finsandfurnet
/var/cpanel/locale/en.cdb
/home/finsnet/tmp/webalizer/dns_cache.db