LFD ignore 'spamd child'

Mattie

I could also ask this on the csf/lfd forum but I can only assume that a lot of you guys also run csf/lfd.

I am getting a lot of emails stating "lfd on vps.xx-xx.nl: Suspicious process running under user admin" and then:

Time: Mon Apr 26 18:51:26 2021 +0200
PID: 4081 (Parent PID:4079)
Account: admin
Uptime: 44775 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):

spamd child

And yeah I don't really want these emails so I have added the following to `/etc/csf/csf.pignore` but I still keep getting emails.

exe:/usr/bin/spamd
cmd:spamd child
pcmd:spamd child
cmd:spamd
pcmd:spamd
pcmd:/usr/bin/perl.spamd.child
exe:/usr/bin/perl spamd child

I don't really want to exclude `perl` I just want to exclude the spamd.

Does anybody know the exact command I can use to exclude it?

Thanks!
 
Add:
Code:
user:spamd
to csf.pignore then restart the firewall:
Code:
csf -ra
Does this help?
 
I don't think so, because it says "account: admin" and "suspicious process running under user admin", so the user is admin.

I got these three and no issues:
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

You have to restart both csf and lfd.

Try doing this via SSH:
ps faux | grep spamd
because the message says it's running under user admin, but normally spamd runs under the root user.
So you should see an output like this:
Code:
[root@server23: /etc/csf]# ps faux | grep spamd
root     12921  0.0  0.0 110800   904 pts/0    S+   19:20   0:00          \_ grep --color=auto spamd
root     28355  0.0  0.1 329304 92756 ?        Ss   04:00   0:09 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m 15 --ipv4
root     28360  0.0  0.1 339620 102868 ?       S    04:00   0:01  \_ spamd child
root     21146  0.1  0.1 346864 110044 ?       S    15:59   0:13  \_ spamd child
So root not admin.
 
Thanks for the suggestions, the email indeed states 'admin', if I check it now I only see a couple of processes under the root user. Not sure if the reporting is incorrect or 'admin' only runs it at some times.

Missing from my message: I also have "exe:/usr/bin/spamc" so that should be ok.

After making the changes (through the DA interface) it asks to "restart lfd" however I will now try to manually restart it to see if that does something different.
 
Hello,

Thanks for clarifying the user. I guess I was confusing it with _rspamd being the user for Rspamd services. :unsure: Let us know if the alerts cease after you have added "exe:/usr/bin/spamc", please! :)
 
if I check it now I only see a couple of processes under the root user. Not sure if the reporting is incorrect or 'admin' only runs it at some times.
Would be good to know if we could find it out. Hopefully the DA auto install does not run it by accident as the admin user some times.
 
Well I think it DOES run as other users:

Time: Wed Apr 28 19:11:49 2021 +0200
PID: 5808 (Parent PID:5807)
Account: <user not root or admin>
Uptime: 45998 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:57178


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/usr/share/perl5/Net/DNS/Resolver/Base.pm

So yeah it runs as other users, but also it is still not excluded :(
I now have this in my pignore
exe:/usr/bin/freshclam
exe:/usr/sbin/clamd
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
pcmd:spamd child
cmd:spamd
pcmd:spamd
pcmd:/usr/bin/perl.spamd.child
exe:/usr/bin/perl spamd child

I did not really find a way to trigger this. Perhaps when someone syncs a large amount of email or something like that?
 
Hi!
I swapped over to spamassassin from rspamd, confirmed the process to be running, added your rules to /etc/csf/csf.pignore, then restarted the firewall, and have yet to receive any alerts. Do you have any other servers that may be sending the alert? Perhaps from a migration and the old server had the same hostname, etc? I'll continue to monitor for alerts, but I do believe the correct rule would be this one:

cmd:spamd child

Thanks!
 
Try removing and reinstalling it. As far as I know it should never run as other users. Something seems wrong there imho.

You said you've seen some root processes, but did you also see this line in the ps faux command:
Code:
root     28355  0.0  0.1 329304 92756 ?        Ss   04:00   0:09 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m 15 --ipv4
It might be without the --ipv4 at the end, that's because we only use ipv4 so I configured it that way. But it should point to spamd.pid with -d -c -m 15 by default.
 
Yeah I do have the 'spamd child' but it does not seem to work here. I did move to a new server some time ago but on my old server I never got emails. Perhaps in the far, far past I excluded perl entirely or something, not really sure....

And this is everything that is running currently:

root@vps:~# ps auxf | grep spam
root 19345 0.0 0.0 6076 832 pts/0 S+ 15:56 0:00 \_ grep spam
root 13232 0.0 2.2 113708 89632 ? Ss 06:25 0:06 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m 15 --ipv4
root 13233 0.0 2.7 130924 109392 ? S 06:25 0:15 \_ spamd child
root 13234 0.0 2.1 113708 84940 ? S 06:25 0:00 \_ spamd child

I can add a cron that will log this every minute and then see if it runs as another user at some point in time, might be fun ;)
 
I haven't excluded perl either on any server.
Output looks very good.

Did you install SpamAssassin on this server via cpan or via custombuild? And you're on CentOS 7 or 8 or...?
I'm a bit out of ideas what can be causing this. It shouldn't happen.

Yeah that cron would be fun. :)
 
I am on Debian 10.9 and installed through 'csf_install.sh'. I think it was an option during the DA install to also add CSF? Not 100% sure if I remember correctly. I could reinstall it of course.

Anyway some output already (grep for 'spam'):

root 13234 0.0 2.0 113708 84452 ? S 06:25 0:00 \_ spamd child
root 20452 0.0 0.0 6644 3048 ? Ss 16:07 0:00 \_ /bin/sh -c ps auxf | grep spam >> /root/spamlog
root 20455 0.0 0.0 6076 892 ? S 16:07 0:00 \_ grep spam
root 13232 0.0 2.2 113708 89144 ? Ss 06:25 0:06 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m 15 --ipv4
admin 13233 0.0 2.7 130924 109448 ? R 06:25 0:16 \_ spamd child

mail 20446 0.0 0.1 15748 6096 ? S 16:07 0:00 \_ /usr/sbin/exim -oMr spam-scanned -bS
mail 20448 0.0 0.0 5532 844 ? S 16:07 0:00 \_ /usr/bin/spamc -u admin
root 20533 0.0 0.0 5600 972 pts/0 S+ 16:07 0:00 \_ less spamlog
root 20541 0.0 0.0 6644 3012 ? Ss 16:08 0:00 \_ /bin/sh -c ps auxf | grep spam >> /root/spamlog
root 20544 0.0 0.0 6076 824 ? S 16:08 0:00 \_ grep spam
root 13232 0.0 2.2 113708 89144 ? Ss 06:25 0:06 /usr/bin/perl -T -w /usr/bin/spamd --pidfile /var/run/spamd.pid -d -c -m 15 --ipv4
root 13233 0.0 2.7 130924 109448 ? S 06:25 0:16 \_ spamd child

So I do see other users than root. It seems that 'mail' is perhaps spawning a process for admin?
 
and installed through 'csf_install.sh'
I meant how did you install SpamAssassin. ;)
Normally it's better to install CSF via the ./install_directadmin.sh which is specially built for DA and already does some default settings, like 2222 and some default ignores.

/root/spamlog
??? This is an odd place to have a spamlog. You made this custom?

It seems that 'mail' is perhaps spawning a process for admin?
Yes it looks that way. No clue why it does that. Maybe that is a Debian thing. Maybe a Debian admin can help you further with this.
Could also be a specific Debian <-> DA issue.
 
I meant how did you install SpamAssassin. ;)
Normally it's better to install CSF via the ./install_directadmin.sh which is specially built for DA and already does some default settings, like 2222 and some default ignores.
Yeah it seems the csf_install does exactly that

I think SA is installed through https://help.directadmin.com/item.php?id=36 (at least my browser history lists this as visited)

??? This is an odd place to have a spamlog. You made this custom?
Yes this is my logging cron

Yes it looks that way. No clue why it does that. Maybe that is a Debian thing. Maybe a Debian admin can help you further with this.
Could also be a specific Debian <-> DA issue.
Thanks anyway!
 
Just wanted to note that I have yet to receive any spamd alerts. It is odd that you're receiving alerts despite having ignored the process. To confirm, try restarting the service via ssh:
Code:
csf -ra
And make sure this server is sending the alerts by checking:
Code:
grep lfd /var/log/exim/mainlog | grep -i spam

I did find this:

Code:
# lfd will report processes, even if they're listed in csf.pignore, if they're
# tagged as (deleted) by Linux. This information is provided in Linux under
# /proc/PID/exe. A (deleted) process is one that is running a binary that has
# the inode for the file removed from the file system directory. This usually
# happens when the binary has been replaced due to an upgrade for it by the OS
# vendor or another third party (e.g. cPanel). You need to investigate whether
# this is indeed the case to be sure that the original binary has not been
# replaced by a rootkit or is running an exploit.
#
# Note: If a deleted executable process is detected and reported then lfd will
# not report children of the parent (or the parent itself if a child triggered
# the report) if the parent is also a deleted executable process
#
# To stop lfd reporting such process you need to restart the daemon to which it
# belongs and therefore run the process using the replacement binary (presuming
# one exists). This will normally mean running the associated startup script in
# /etc/init.d/
#
# If you do want lfd to report deleted binary processes, set to 1
PT_DELETED = "0"

Your ps auxf output didn't indicate this, though. Just to be sure, you could try killing all spamd processes and restarting them, just in case you have a single hung process running an old binary or something.
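Added example, not from the thread and not csf's own code: a bash script that pulls the same three fields lfd prints in the alert (Executable from /proc/PID/exe, Command Line from /proc/PID/cmdline, Account) and runs them against csf.pignore the way the file format defines it (exe:/cmd:/user: exact, pexe:/pcmd:/puser: regex), plus the "(deleted)" check from the PT_DELETED comment above. Because spamd is a Perl script, the executable resolves to /usr/bin/perl, so only the cmd:/pcmd: rules can match "spamd child"; grep -E stands in for csf's Perl regexes and pgrep/stat -c are assumed to be the GNU/procps versions.

```bash
#!/bin/bash
# Added example, not csf's own code. Emulates the match lfd applies to a process
# against /etc/csf/csf.pignore: exe:/cmd:/user: are exact matches, pexe:/pcmd:/
# puser: are regexes (csf uses Perl regexes; grep -E is an approximation here).

# pignore_match RULES_FILE USER EXE CMD -> prints the first matching rule, rc 0;
# rc 1 when no rule matches (lfd would report the process).
pignore_match() {
    local rules=$1 user=$2 exe=$3 cmd=$4 line key val
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%:*}; val=${line#*:}
        case $key in
            exe)   [ "$exe"  = "$val" ] ;;
            cmd)   [ "$cmd"  = "$val" ] ;;
            user)  [ "$user" = "$val" ] ;;
            pexe)  printf '%s\n' "$exe"  | grep -Eq -- "$val" ;;
            pcmd)  printf '%s\n' "$cmd"  | grep -Eq -- "$val" ;;
            puser) printf '%s\n' "$user" | grep -Eq -- "$val" ;;
            *)     false ;;
        esac && { printf '%s\n' "$line"; return 0; }
    done < "$rules"
    return 1
}

# deleted_binary EXE_LINK -> rc 0 when the /proc/PID/exe target carries the
# "(deleted)" tag; with PT_DELETED = "0" lfd reports these regardless of pignore.
deleted_binary() {
    case $1 in *' (deleted)') return 0 ;; esac
    return 1
}

# check_running_spamd: the live diagnostic, run as root on the server. Prints
# PID, account, executable, command line and verdict for every spamd process.
# spamd is a Perl script, so exe is /usr/bin/perl, just as the lfd alert shows.
check_running_spamd() {
    local pid exe cmd user rule verdict
    for pid in $(pgrep -f spamd); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" | sed 's/ $//')
        user=$(stat -c %U "/proc/$pid")
        if deleted_binary "$exe"; then
            verdict='REPORTED (deleted binary)'
        elif rule=$(pignore_match /etc/csf/csf.pignore "$user" "$exe" "$cmd"); then
            verdict="ignored by $rule"
        else
            verdict='REPORTED (no matching rule)'
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "$user" "$exe" "$cmd" "$verdict"
    done
}
```

Run it as root once the alert arrives and compare the printed exe/cmd/user with the rules you have; a process reported as "deleted binary" needs its daemon restarted, not another pignore line.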
 
Sorry for the late reply, I have killed all processes now and will report back on how it goes! Worth the try!

(I do see logging in the exim mainlog btw)
 
Still getting these emails, I have just rebooted my entire server to be 100% sure everything is restarted. I will give an update in a couple of days.
 