csf.pignore not ignoring shoutcast?

Posted: 22 Mar 2013, 19:37
by Black Tiger
We are running shoutcast server on a server.
Yesterday we moved this server, changed nameservers etc. All is working fine, except I keep getting messages about shoutcast like this:

Code:

Time:    Fri Mar 22 14:16:52 2013 +0100
PID:     4379 (Parent PID:4379)
Account: admin
Uptime:  43310 seconds

Executable:

/home/admin/domains/mydomain.nl/public_html/shout/sc_serv

Command Line (often faked in exploits):

/home/admin/domains/mydomain.nl/public_html/shout/sc_serv /home/admin/domains/mydomain.nl/public_html/shout/sc_serv.conf

So I thought I would put this in csf.pignore, the same way we did on the old server, like this:

Code:

exe:/home/admin/domains/mydomain.nl/public_html/shout/sc_serv

I restarted csf and lfd and even restarted the complete server.

But I keep getting these messages for excessive resource usages as well as for suspicious process.
Maybe I'm doing something wrong, but I don't know what it is.

There is a cron job which checks every x minutes if the sc_serv is running and if not to start it.
Do I need to change exe to pexe or am I doing something wrong or is there something wrong with csf.pignore?

I could add the commandline to csf.pignore too, but it should be ignored already by using this exe setting shouldn't it?

Re: csf.pignore not ignoring shoutcast?

Posted: 22 Mar 2013, 20:32
by Black Tiger
Seems more things are not ignored, also Dovecot:

Code:

Time:    Fri Mar 22 21:10:57 2013 +0100
PID:     20482 (Parent PID:19509)
Account: accountname
Uptime:  68 seconds

Executable:

/usr/libexec/dovecot/imap

Command Line (often faked in exploits):

dovecot/imap [user@domain.org 31.6.61.96 IDLE]

And csf.pignore has these lines:

Code:

exe:/usr/libexec/dovecot/pop3-login
exe:/usr/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/imap

Dovecot and csf and lfd restarted, still get this mail.
What's happening?

Re: csf.pignore not ignoring shoutcast?

Posted: 31 Mar 2013, 18:20
by Black Tiger
At first I fixed this on this server, by reversing the rights and owner of /usr/bin/perl
I had protected it by doing:
chgrp apache /usr/bin/perl
chmod 705 /usr/bin/perl

I reverted it back to root:root and 755.

Now I got the same problem on another server without any change to perl:

Code:

Time:    Sun Mar 31 17:56:51 2013 +0100
PID:     10103 (Parent PID:10103)
Account: admin
Uptime:  21738 seconds


Executable:

/home/admin/domains/server03.nl/public_html/control/shoutcast/1.9.8-Linux/sc_serv


Command Line (often faked in exploits):

/home/admin/domains/domain.nl/public_html/control/shoutcast/1.9.8-Linux/sc_serv /home/admin/domains/domain.nl/public_html/control/servers/80xxname.conf

And this is my exclude line in /etc/csf/csf.pignore:

Code:

exe:/home/admin/domains/domain.nl/public_html/control/shoutcast/1.9.8-Linux/sc_serv

I restarted csf and lfd but keep getting these mails. The rest of CSF seems to work fine, no problems with imap on this one.

Nobody a clue?
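
As an added example (not from the thread and not part of csf or lfd; alert_exe, check_pignore and demo are hypothetical helper names), the script below compares the path under "Executable:" in an lfd alert with the exe: lines of a csf.pignore file, where an exe: entry is the full path to the binary. The sample files are constructed from the values as they appear in the 31 Mar post, for which it reports a near miss: the exe: line has the same file name as the alert's path but sits under a different domain directory.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of csf/lfd.

# Print the path that follows the "Executable:" heading in an lfd alert.
alert_exe() {
    awk '/^Executable:/ { want = 1; next }
         want && NF     { gsub(/^[ \t]+|[ \t\r]+$/, ""); print; exit }' "$1"
}

# check_pignore ALERT_FILE PIGNORE_FILE
# Prints "MATCH <line>" when an exe: entry equals the alert's path exactly,
# "NEAR <line>" for exe: entries with the same file name but another
# directory, otherwise "NONE". Exit status is 0 only for MATCH.
check_pignore() {
    exe=$(alert_exe "$1")
    [ -n "$exe" ] || { echo "NONE"; return 2; }
    awk -v exe="$exe" '
        BEGIN    { n = split(exe, p, "/"); base = p[n] }
                 { sub(/\r$/, "") }
        !/^exe:/ { next }                 # skips comments, cmd:, user:, pexe:
                 { path = substr($0, 5) }
        path == exe { print "MATCH " $0; found = 1; exit }
                 { m = split(path, q, "/")
                   if (q[m] == base) near = near "NEAR " $0 "\n" }
        END      { if (found) exit 0
                   if (near != "") printf "%s", near; else print "NONE"
                   exit 1 }
    ' "$2"
}

# Constructed sample files using the values quoted in the 31 Mar post.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/alert.txt" <<'EOF'
Executable:

/home/admin/domains/server03.nl/public_html/control/shoutcast/1.9.8-Linux/sc_serv

Command Line (often faked in exploits):
EOF
    cat > "$d/csf.pignore" <<'EOF'
# constructed copy of the exclude line from the post
exe:/home/admin/domains/domain.nl/public_html/control/shoutcast/1.9.8-Linux/sc_serv
EOF
    check_pignore "$d/alert.txt" "$d/csf.pignore"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

Run against the Dovecot alert and the three exe: lines from the 22 Mar post, the same check reports an exact match, so a path mismatch does not account for that alert.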