lfd on servername: Suspicious process running under user

A

AhmetBas

Verified User
Joined
Oct 28, 2020
Messages
48
Hello,

I'm running CentOS 8 with Directadmin with CSF/LFD. For some reason I keep receiving those emails:

lfd on servername: Suspicious process running under user

Time: Fri Nov 13 10:07:33 2020 +0100
PID: 67268 (Parent PID:67248)
Account: accountname
Uptime: 23908 seconds

Executable:

/usr/bin/perl


Command Line (often faked in exploits):

spamd child
Click to expand...

The following rules are already in the /etc/csf/csf.pignore configuration:

cmd:spamd child
exe:/usr/bin/rspamd
exe:/usr/bin/spamd
Click to expand...

The same configuration is working on CentOS 7 but not on CentOS 8 what am I missing? Adding perl to the pignore did not help.
 
Your missing perl. It should really help. Use this

Code: 
exe:/usr/bin/spamc
exe:/usr/bin/spamd
exe:/usr/bin/perl
cmd:spamd child
after that, don't forget to restart both csf and lfd.

Code: 
csf -r
service lfd restart
Normally this should be enough, but it might also be necessary to restart spamd
 
scriptkitty said:
Personally, I wouldn't ignore perl processes. You should be able to just add "cmd:spamd child" and that be enough.
Click to expand...
I'm also not a fan of adding the Perl into the csf.pignore file on centos 8.


Richard G said:
He already has the "cmd: spamd child" present in csfp.pignore.
Click to expand...
The problems seems to be resolving by adding Perl to the csf.pignore file but the strange part the same configuration is working on CentOS 7. Why do we have to ignore the Perl processes on CentOS 8 any clue?
 
I don't have a clue, I've also got these messages on Centos 6 which is the reason I disable them by default nowadays.
So I'm testing now because I became curious about this. Removed them from the Centos 7 servers, no mail until now.
Just now I removed the line from the Centos 8 server, so lets see if I get mails now. However, from that particulier server almost no mail is send so I don't know.

Maybe one of the others here can explain what might cause the perl mails in Centos 8.
 
Richard G said:
I don't have a clue, I've also got these messages on Centos 6 which is the reason I disable them by default nowadays.
So I'm testing now because I became curious about this. Removed them from the Centos 7 servers, no mail until now.
Just now I removed the line from the Centos 8 server, so lets see if I get mails now. However, from that particulier server almost no mail is send so I don't know.

Maybe one of the others here can explain what might cause the perl mails in Centos 8.
Click to expand...

Ok, no experience with CentOS 6. I have to add the Perl processes to the pignore to get rid of them.
 
I just had a test result. On my Centos 7 servers I now removed perl from the csf.pignore and nothing happened.
Yesterday I removed it also from the Centos 8 server and today I got 2 messages about perl spamd. One about excessive resource usage and one about suspicious process. Both pointing to spamd child.

Odd... maybe I can ask over at the Configserver forum as to why this happens on Centos 8.
 
You must log in or register to reply here.
Back
Top