Suspicious process running under user xxxx
Posted by AL-Kateb, 03-04-2010, 08:17 AM |
Hello everybody,
I have a web hosting server with cPanel installed, and I installed csf + lfd, so today I got an email from LFD:
PID: 5947
Account: xyxyxyx
Uptime: 37777 seconds
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:56935
udp: x.x.x.x:21804 -> y.y.y.y:53
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
I was wondering, is this normal behaviour of SpamAssassin being misunderstood by lfd?
Though this file /VBounce.pm does not exist! .. How do I actually track such a thing when it happens? I tried grepping the PID but the process is not there anymore.
Thanks for your help in advance
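As an added example (not code from this thread, and not part of csf/lfd), a small POSIX shell script that parses the fields of an LFD "Suspicious process" alert like the one above and, if the PID is still alive, compares the kernel's own view of the binary (/proc/PID/exe) with the executable the alert claimed, since the command line is the part the alert itself warns can be faked; the sample alert is constructed from the post and the helper names are mine.

```shell
#!/bin/sh
# Constructed LFD alert, modelled on the one in the post (not a real capture).
LFD_ALERT='PID: 5947
Account: xyxyxyx
Uptime: 37777 seconds
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: 127.0.0.1:783 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/usr/bin/spamd'

# Extract the PID from an alert body (hypothetical helper).
alert_pid() { printf '%s\n' "$1" | sed -n 's/^PID: *\([0-9]*\).*/\1/p' | head -n 1; }

# Extract the line that follows a header such as "Executable:" (hypothetical helper).
alert_field() { printf '%s\n' "$2" | awk -v h="$1" '$0 == h { getline; print; exit }'; }

# Check a live PID against the alert. The command line is trivially spoofable,
# so compare /proc/PID/exe with the claimed executable and print the parent so a
# "spamd child" can be traced back to the spamd master rather than, say, a web
# server. Returns 0 on match, 1 on mismatch, 2 when the process is already gone.
verify_pid() {
  pid=$1; claimed=$2
  [ -d "/proc/$pid" ] || { echo "PID $pid is gone; nothing left to inspect"; return 2; }
  actual=$(readlink "/proc/$pid/exe" 2>/dev/null)
  ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
  parent=$(tr '\0' ' ' < "/proc/$ppid/cmdline" 2>/dev/null)
  echo "exe=$actual ppid=$ppid parent=$parent"
  [ "$actual" = "$claimed" ]
}

pid=$(alert_pid "$LFD_ALERT")
exe=$(alert_field "Executable:" "$LFD_ALERT")
cmd=$(alert_field "Command Line (often faked in exploits):" "$LFD_ALERT")
echo "alert: pid=$pid exe=$exe cmdline=\"$cmd\""
verify_pid "$pid" "$exe"; echo "verify status: $?"
```

Because spamd is a perl script, the alert's executable is /usr/bin/perl, so an `exe:` entry for it in csf.pignore would silence every perl process while a `cmd:` entry matches the spoofable command line; running a check like this while the process is still alive is what lets you decide the alert is a false positive before ignoring it.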
Posted by bear, 03-04-2010, 08:27 AM |
CSF will see this as a problem, but if you've investigated and it truly is an SA process, you can safely ignore it. If you're feeling confident that it's a false positive and want to stop hearing about "spamd", you can add the process to "/etc/csf/csf.pignore" (process ignore).
http://forum.configserver.com/showthread.php?t=2059
Posted by madaboutlinux, 03-04-2010, 08:53 AM |
CSF with its default configuration will send such false alarms quite a lot. The email you received regarding the "Suspicious process" is a false alarm and can safely be ignored.
However, you can edit the csf configuration file and configure it as per your needs to make sure such false positives are not detected.
Posted by AL-Kateb, 03-04-2010, 09:17 AM |
Thanks for your quick replies ... and yes, they are false alarms; I am getting lots of those about cpanelogd, clamd and this spamd, so I am adding them all to the csf.pignore.
Thanks again
Posted by rustelekom, 03-04-2010, 03:38 PM |
It will be better if you investigate why spamd took so much time for this user. In most cases this is due to his account having a lot of unread email (most of it is usually spam). Also check his quota, and also the .bayes* files for size.