Prelink running as normal user

Posted: 12 Nov 2014, 20:58
by sparek
Has anybody recently started to get Excessive processes and Suspicious process messages from LFD regarding the prelinking of /lib64/libfreebl3.so?

These appear to be running under normal user accounts, i.e.:

lfd on host: Excessive processes running under user user1

User:user1 PID:10116 PPID:10099 Run Time:7(secs) Memory:1832(kb) exe:/usr/sbin/prelink cmd:/usr/sbin/prelink -u -o - /lib64/libfreebl3.so

Is this normal? I don't remember seeing it until recently (maybe started last week?).

I also see it in the ps output from the high load messages:

32005    30387  0.0  0.0  99552 10604 ?        S    19:57   0:00  \_ webmaild - serving xx.xx.xx.xx
 32005    11601  0.1  0.0 128648  3300 ?        S    20:04   0:00  |   \_ /usr/local/cpanel/3rdparty/php/54/bin/php-cgi -c /usr/local/cpanel/3rdparty/php/54/etc/roundcube /usr/local/cpanel/base/3rdparty/roundcube/index.php
 32005    11608  0.0  0.0   1544   512 ?        D    20:04   0:00  |       \_ /usr/sbin/prelink -u -o - /lib64/libfreebl3.so-u -o - /lib64/libfreebl3.so

Just not sure if this should be alarming or if it's normal.

Re: Prelink running as normal user

Posted: 14 Nov 2014, 14:46
by northcide
Not sure if this is directly relevant; however, I too just very recently started to receive many alerts regarding prelink, such as the example below. Not sure why, and also not exactly sure if/how to disable this particular alert. It's a ton of noise all day long.

Time: Fri Nov 14 09:44:19 2014 -0500
File: /tmp/undo.#prelink#.o3c2LZ
Reason: Linux Binary
Owner: webuser1:webuser1 (593:594)
Action: No action taken

Anyone have any ideas?
Thanks!

Re: Prelink running as normal user

Posted: 01 Dec 2014, 17:48
by readyman
I too have begun receiving the /tmp/undo.#prelink#.XXXXXX emails as of a few days ago. Any ideas why this is happening and/or how to prevent it?

Thanks!

Re: Prelink running as normal user

Posted: 08 Dec 2014, 17:02
by joshc
Started getting these on a cPanel server today. Looking into this and following this thread.