Excessive resource usage notifications

[t325]

I have a VPS server with the latest versions of cPanel and CSF. The VPS hosts a few websites for myself and some friends, not random strangers, so there's a higher level of trust with anyone who has access, so I don't really have to worry about any users doing stupid or dangerous things on the server, but I suppose there's always a chance one of them has a security hole in a script they're using. Anyways, starting a few days ago, I started getting a lot of excessive resource usage notifications, mostly surrounding process time. Here's a few:

Code: Select all

lfd on xxxxx: Excessive resource usage: xxxxx (13434 (Parent PID:13431))‏

Time: Wed Mar 13 17:24:27 2013 -0500
Account: xxxxx
Resource: Process Time
Exceeded: 1802 > 1800 (seconds)
Executable: /usr/libexec/openssh/sftp-server
Command Line: /usr/libexec/openssh/sftp-server
PID: 13434 (Parent PID:13431)
Killed: No

As I understand it, this is the SFTP process and there's not much to worry about. I've disabled FTP and require users to use SFTP. So the presence of this process makes sense. What doesn't make sense is why I suddenly started getting these. I've been known to leave SFTP and SSH connections to one of my user accounts on the server open on my local PC for hours or days on end when doing development work. Never got any e-mails. Not sure why these suddenly started, as I have not modified any CSF settings recently.

Code: Select all

lfd on xxxxx: Excessive resource usage: xxxxx (13915 (Parent PID:13811))‏

Time: Wed Mar 13 17:02:24 2013 -0500
Account: xxxxx
Resource: Process Time
Exceeded: 14173 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: cpanellogd - http logs for xxxxx
PID: 13915 (Parent PID:13811)
Killed: No

If I understand this one, it's the process that processes Webalizer/AWstats logs. What I'm unsure about is why this is apparently running for 4 hours. Also, if I view processes as soon as I get this e-mail, there is no sign of this process running. I'd think that maybe csf was killing it (despite it saying it didn't), but the logs appear to be updating normally. Again, these e-mails are a recent development and no recent changes to csf or cPanel web log config.

Code: Select all

lfd on xxxxx: Suspicious process running under user xxxxx

Time: Wed Mar 13 09:06:37 2013 -0500
PID: 5736 (Parent PID:5721)
Account: xxxxx
Uptime: 62 seconds


Executable:

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english


Command Line (often faked in exploits):

/usr/local/cpanel/3rdparty/bin/webalizer_lang/english -c /home/xxxxx/tmp/webalizer/webalizer.conf -N 10 -D /home/xxxxx/tmp/webalizer/dns_cache.db -R 250 -p -n xxxxx. com -o /home/xxxxx/tmp/webalizer /usr/local/apache/domlogs/xxxxx. com.bkup


Network connections by the process (if any):

udp: X.X.X.X:60828 -> 4.2.2.4:53


Files open by the process (if any):

/usr/local/apache/domlogs/xxxxx. com.bkup
/var/cpanel/locale/en.cdb
/home/xxxxx/tmp/webalizer/dns_cache.db

More Webalizer. Not sure why this is flagged as suspicious, and not sure why I recently started getting these.

I know I could just add these processes to ignore and never see these e-mails again, but I'd like to find out why these are happening and prevent it, because all of these false positives are cluttering up my inbox and may hide any real problems.

Thanks.

[bouvrie]

Seeing as there has been no reply and in the off chance that this is related, me and more cPanel/LFD users have started getting excessive resource usage notifications, specifically related to the cpanellogd process. Here's an excerpt, reporting an outrageous runtime:

Code: Select all

Time:         Thu Mar 21 13:15:10 2013 +0100
Account:      xxxxx
Resource:     Process Time
Exceeded:     8641652 > 1800 (seconds)
Executable:   /usr/local/cpanel/3rdparty/perl/514/bin/perl
Command Line: cpanellogd - http logs for xxxxx
PID:          15120 (Parent PID:15091)
Killed:       No

In a thread on the cPanel forums at http://forums.cpanel.net/f5/cpanellogd- ... 25921.html, people seem to agree that this would indicate a cPanel issue, though given the long time reported in my case I wouldn't entirely rule out a possible csf/lfd bug.

Could anyone shed some light on this, and possibly confirm that the notifications are correct?

[ForumAdmin]

That's happening because cPanel moved to using their own perl build in v11.36 and the cPanel log processing drops privileges to each user as it processes them. We have included an example ignore line for csf.pignore since 11.36 was in beta in the latest version shipped with csf, i.e.:

Code: Select all

pcmd:cpanellogd - (http|ftp) logs for .*

You can add that to /etc/csf/csf.pignore and then restart lfd and the processes will be ignored. The webalizer binary can obviously be ignored with a simple line for the executable (this is also included in the current csf.pignore shipping with csf).

[bouvrie]

That's happening because cPanel moved to using their own perl build in v11.36 and the cPanel log processing drops privileges to each user as it processes them.

Ok, so the account mentioned in the lfd High Resource Usage reports is only that momentarily active privilege-dropped user, as opposed to the Account that the cPanel log processing process has been running under all the time?

I am wary of ignoring reports that may not be false positives; is it safe to assume that this perpetually log-processing process is OK and that only one exists at any point in time?