HOWTO: CSF Firewall + LFD Login Failure Daemon

bas1968

Verified User
Joined
May 31, 2006
Messages
70
Installed csf but lfd doesn't want to run.

Status of lfd:lfd is stopped. I can't get it running; the firewall seems to run normally.
 

bas1968

Verified User
Joined
May 31, 2006
Messages
70
I just tried a few things and downloaded the csf.conf. Now I am getting this error:

Starting lfd:Can't locate Time/HiRes.pm in @INC (@INC contains: /etc/csf /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/sbin/lfd line 4102, line 290.
BEGIN failed--compilation aborted at /usr/sbin/lfd line 4102, line 290.
 

Cyber-DL

Verified User
Joined
Jun 21, 2008
Messages
49
Hi, thanks for your HOWTO. I have many problems in Check Server Security that must be solved.

1-
Code:
Check exim weak SSL/TLS Ciphers (tls_require_ciphers)	WARNING	Cipher list []. Due to weaknesses in the SSLv2 cipher you should edit /etc/exim.conf and set tls_require_ciphers to explicitly exclude it. For example:
tls_require_ciphers=ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
and

Code:
Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list)	
     WARNING	
Cipher list []. Due to weaknesses in the SSLv2 cipher you should /etc/dovecot.conf and set ssl_cipher_list to explicitly exclude it. For example:
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
BUT these values didn't exist, for example tls_require_ciphers didn't exist to set ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP for that,

and ssl_cipher_list for

2-
Code:
Check VPS FTP PASV hole
	WARNING	
Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,202
Location
LT, EU
1. You can just update exim.conf and dovecot.conf to solve the problem.
http://help.directadmin.com/item.php?id=51 and:
Code:
wget -O /etc/dovecot.conf http://files.directadmin.com/services/custombuild/dovecot.conf
/etc/init.d/dovecot restart
2. http://help.directadmin.com/item.php?id=71, open FTP passive ports in the firewall configuration.
 

Cyber-DL

Verified User
Joined
Jun 21, 2008
Messages
49
I updated Exim with Update.Script; I think that's the latest version!!

Is it necessary to update Exim by these steps?

Code:
The latest release is 4.69. This is a bug fix release in the 4.xx series of releases - see the download pages. Documentation was updated for 4.69.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,202
Location
LT, EU
I was talking about exim configuration file, not exim itself.
 

Cyber-DL

Verified User
Joined
Jun 21, 2008
Messages
49
I see another error in CSF:

Code:
Check nameservers	
      WARNING	
At least one of the configured nameservers:
ns1.vpspersia.com
ns2.vpspersia.com
should be located in a topologically and geographically dispersed location on the Internet - See RFC 2182 (Section 3.1)
 

littleoak

Verified User
Joined
Jul 19, 2008
Messages
156
Location
Chicago, IL
The warning means that both ns1.vpspersia.com and ns2.vpspersia.com are set up on the same server. For best practices you'd have ns1.vpspersia.com on one server and ns2.vpspersia.com on a different server in case one went offline.

Your firewall will work fine if you ignore this warning.
 

nimafire

Verified User
Joined
Aug 10, 2008
Messages
246
Hello. When I installed it, changed test 0 to 1 and restarted it,
no one could access any website, SSH, DirectAdmin and so on.
I had to run service csf stop and then uninstall it on the console (HyperVM).

What's wrong with it?
 

Cyber-DL

Verified User
Joined
Jun 21, 2008
Messages
49
Did you configure CSF? You must open the many ports that your services work on.

For example, SSH works on 22, HTTPD works on 80, and so on.
So open your services' ports in the CSF config file.
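
An added example (not part of the original thread and not CSF's own code): a pre-flight check for the lockout described above, comparing the TCP ports a server listens on with the `TCP_IN` list in csf.conf before testing mode is switched off. The csf.conf excerpt and the listening-port table are constructed sample data; `TESTING` and `TCP_IN` are csf.conf setting names, the function names are made up for this example.

```python
import re

# Constructed sample: an excerpt in the KEY = "value" layout of /etc/csf/csf.conf.
SAMPLE_CSF_CONF = '''
# Testing flag
TESTING = "1"
# Allowed incoming TCP ports (a:b is a range)
TCP_IN = "20,21,25,53,80,110,143,443,35000:35999"
'''

# Constructed sample: services that must be reachable from outside, keyed by
# the TCP port they listen on (the kind of list `ss -ltn` helps to build).
SAMPLE_LISTENING = {
    22: "sshd",
    80: "httpd",
    443: "httpd",
    2222: "directadmin",
    35010: "ftp passive data",
}

SETTING_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"([^"]*)"')


def parse_csf_conf(text):
    """Return {NAME: value} for every NAME = "value" line; comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def parse_port_list(value):
    """Turn '22,80,30000:35000' into inclusive (low, high) tuples."""
    ranges = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        low, _, high = item.partition(":")
        low, high = int(low), int(high or low)
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ranges.append((low, high))
    return ranges


def blocked_listeners(conf_text, listening):
    """Listening ports that TCP_IN does not cover, i.e. cut off once csf is live."""
    allowed = parse_port_list(parse_csf_conf(conf_text).get("TCP_IN", ""))
    return {
        port: name
        for port, name in sorted(listening.items())
        if not any(low <= port <= high for low, high in allowed)
    }


def preflight(conf_text, listening):
    """Summarise whether it is safe to switch TESTING off."""
    settings = parse_csf_conf(conf_text)
    blocked = blocked_listeners(conf_text, listening)
    return {
        "testing": settings.get("TESTING") == "1",
        "blocked": blocked,
        "safe_to_go_live": not blocked,
    }


if __name__ == "__main__":
    report = preflight(SAMPLE_CSF_CONF, SAMPLE_LISTENING)
    for port, name in report["blocked"].items():
        print(f"port {port} ({name}) is listening but missing from TCP_IN")
    print("safe to set TESTING to 0:", report["safe_to_go_live"])
```

Only list services that are meant to be reachable from the Internet; a listener such as MySQL on 3306 usually belongs outside `TCP_IN`.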
 

eymbo

Verified User
Joined
Mar 28, 2006
Messages
69
The configuration states that it works with pure-ftp. But does LFD work well with proftpd?

Thanks.
 

tuumke

Verified User
Joined
Jul 21, 2009
Messages
5
Hm, I followed the tutorial according to my VPS provider, to secure the VPS system.
Now I seem to have problems receiving mails on my domains?!?!?
Here are some of the lines of the maillog in /var/log

[root@panel ~]# mc
maillog [----] 0 L:[13137+57 13194/13194] *(1340992/1340992b)= <EOF>
Jul 21 14:00:03 panel spamd[5480]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:00:16 panel spamd[5505]: logger: removing stderr method
Jul 21 14:00:41 panel spamd[5507]: spamd: server started on port 783/tcp (running version 3.2.5)
Jul 21 14:00:41 panel spamd[5507]: spamd: server pid: 5507
Jul 21 14:00:41 panel spamd[5507]: spamd: server successfully spawned child process, pid 5509
Jul 21 14:00:41 panel spamd[5507]: spamd: server successfully spawned child process, pid 5510
Jul 21 14:00:41 panel spamd[5507]: prefork: child states: II
Jul 21 14:01:02 panel spamd[5538]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:01:03 panel spamd[5538]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:01:04 panel spamd[5538]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:01:17 panel spamd[5563]: logger: removing stderr method
Jul 21 14:01:42 panel spamd[5565]: spamd: server started on port 783/tcp (running version 3.2.5)
Jul 21 14:01:42 panel spamd[5565]: spamd: server pid: 5565
Jul 21 14:01:42 panel spamd[5565]: spamd: server successfully spawned child process, pid 5567
Jul 21 14:01:42 panel spamd[5565]: spamd: server successfully spawned child process, pid 5568
Jul 21 14:01:42 panel spamd[5565]: prefork: child states: II
Jul 21 14:02:02 panel spamd[5594]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:02:03 panel spamd[5594]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:02:04 panel spamd[5594]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:02:17 panel spamd[5619]: logger: removing stderr method
Jul 21 14:02:41 panel spamd[5621]: spamd: server started on port 783/tcp (running version 3.2.5)
Jul 21 14:02:41 panel spamd[5621]: spamd: server pid: 5621
Jul 21 14:02:41 panel spamd[5621]: spamd: server successfully spawned child process, pid 5623
Jul 21 14:02:41 panel spamd[5621]: spamd: server successfully spawned child process, pid 5624
Jul 21 14:02:41 panel spamd[5621]: prefork: child states: II
Jul 21 14:03:01 panel spamd[5650]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:03:02 panel spamd[5650]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:03:03 panel spamd[5650]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:03:17 panel spamd[5680]: logger: removing stderr method
Jul 21 14:03:42 panel spamd[5682]: spamd: server started on port 783/tcp (running version 3.2.5)
Jul 21 14:03:42 panel spamd[5682]: spamd: server pid: 5682
Jul 21 14:03:42 panel spamd[5682]: spamd: server successfully spawned child process, pid 5684
Jul 21 14:03:42 panel spamd[5682]: spamd: server successfully spawned child process, pid 5685
Jul 21 14:03:42 panel spamd[5682]: prefork: child states: IS
Jul 21 14:03:42 panel spamd[5682]: prefork: child states: II
Jul 21 14:04:01 panel spamd[5711]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:04:02 panel spamd[5711]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:04:03 panel spamd[5711]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:04:17 panel spamd[5736]: logger: removing stderr method
Jul 21 14:04:42 panel spamd[5738]: spamd: server started on port 783/tcp (running version 3.2.5)
Jul 21 14:04:42 panel spamd[5738]: spamd: server pid: 5738
Jul 21 14:04:42 panel spamd[5738]: spamd: server successfully spawned child process, pid 5740
Jul 21 14:04:42 panel spamd[5738]: spamd: server successfully spawned child process, pid 5741
Jul 21 14:04:42 panel spamd[5738]: prefork: child states: II
Jul 21 14:05:01 panel spamd[5767]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:05:02 panel spamd[5767]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:05:03 panel spamd[5767]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:05:17 panel spamd[5792]: logger: removing stderr method
Jul 21 14:05:41 panel spamd[5794]: spamd: server started on port 783/tcp (running version 3.2.5)
Jul 21 14:05:41 panel spamd[5794]: spamd: server pid: 5794
Jul 21 14:05:41 panel spamd[5794]: spamd: server successfully spawned child process, pid 5796
Jul 21 14:05:41 panel spamd[5794]: spamd: server successfully spawned child process, pid 5797
Jul 21 14:05:41 panel spamd[5794]: prefork: child states: II
Jul 21 14:06:01 panel spamd[5823]: server socket setup failed, retry 1: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:06:02 panel spamd[5823]: server socket setup failed, retry 2: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:06:03 panel spamd[5823]: spamd: could not create INET socket on 127.0.0.1:783: Address already in use
Jul 21 14:06:16 panel spamd[5848]: logger: removing stderr method
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
It's taken me a while to respond to this; I hope you have a response by now.

However, the first step I'd take would be to check with your VPS provider to find out if you can create a socket the way spamd wants to do it. If not, then you may need to ask them for a workaround.

Jeff
 

tuumke

Verified User
Joined
Jul 21, 2009
Messages
5
Hey there Jeff,
I found the solution myself :)
As almost always, it was something I'd done myself.
Under "check server security"
one of the pieces of advice was:
You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
log_selector = +arguments +subject +received_recipients
to /etc/exim.conf

So I did, and then I stopped almost all mail.
So I removed it again, and it worked fine again :)
-edit-
But now I get a lot of suspicious process running :(

Time: Sun Jul 26 10:12:02 2009 +0200
PID: 1067
Account: mysql
Uptime: 408895 seconds


Executable:

/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted)

The file system shows this process is running an executable file that has been deleted. This typically happens when the original file has been replaced by a new file when the application is updated. To prevent this being reported again, restart the process that runs this excecutable file. See csf.conf and the PT_DELETED text for more information about the security implications of processes running deleted executable files.


Command Line (often faked in exploits):

/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --pid-file=/var/lib/mysql/panel.gmwhosting.nl.pid --skip-external-locking


Network connections by the process (if any):

tcp: 0.0.0.0:3306 -> 0.0.0.0:0


Files open by the process (if any):



Memory maps by the process (if any):


while /usr/sbin/mysqld and /usr/sbin/mysqld_safe are already in pig.ignore?
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Why would that happen? Did you check your logs after adding that log_selector? Adding loglines shouldn't affect mail delivery at all.

Jeff
 

tuumke

Verified User
Joined
Jul 21, 2009
Messages
5
No Jeff, I didn't, and frankly, it's fine this way for now :)
What about the suspicious process?
I get like 40 mails a day about those,
for

/usr/sbin/hald\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted)
and
/usr/sbin/mysqld\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00 (deleted)
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
The hald daemon is used by your OS. You probably just need to have an exception for it so it won't get reported.

For mysql possibly the same, though I'd think it would get excepted by default.

Hopefully others who use CSF will reply, as I have little experience with it and I've never seen that. However on my systems it's called haldaemon not hald. (Though the configuration file is called hald.conf.)

Jeff
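
An added example (not from the thread and not lfd's own code): a scan of `/proc` for processes whose executable has been deleted, the condition the PT_DELETED alert above reports, so that every service needing a restart can be listed in one pass. The `replaced_on_disk` field is a triage heuristic introduced here, and the NUL stripping assumes the `\00` padding shown in the alert is NUL bytes in the link target.

```python
import os

# The kernel appends this marker to /proc/<pid>/exe when the file was unlinked.
DELETED_MARKER = " (deleted)"


def normalize_exe(target):
    """Split a /proc/<pid>/exe link target into (path, was_deleted).

    Trailing NUL padding, as in the mysqld and hald alerts above, is dropped.
    A file whose real name ends in ' (deleted)' cannot be told apart here.
    """
    deleted = target.endswith(DELETED_MARKER)
    path = target[: -len(DELETED_MARKER)] if deleted else target
    return path.rstrip("\0"), deleted


def find_deleted_executables(proc_root="/proc"):
    """Return one dict per process that runs an executable deleted from disk."""
    findings = []
    pids = sorted((e for e in os.listdir(proc_root) if e.isdigit()), key=int)
    for pid in pids:
        try:
            target = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            # Kernel thread, process that just exited, or no permission.
            continue
        path, deleted = normalize_exe(target)
        if not deleted:
            continue
        findings.append({
            "pid": int(pid),
            "exe": path,
            # True: a new file sits at the old path, consistent with a package
            # update, so restarting the service clears the report.
            # False: nothing is at that path any more; look closer before
            # restarting anything.
            "replaced_on_disk": os.path.exists(path),
        })
    return findings


if __name__ == "__main__":
    for item in find_deleted_executables():
        state = "replaced, restart the service" if item["replaced_on_disk"] else "missing on disk"
        print(f'{item["pid"]:>7}  {item["exe"]}  ({state})')
```

Run it as root so that the `exe` links of other users' processes are readable.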
 