Bug? Perl mails about spamd in Centos 8

Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Bug? Perl mails about spamd in Centos 8

Post by Black Tiger »

I don't know if this is a CSF bug or something else so I post it here.

In Centos 7, it was enough to put these lines in the csf.pignore file:

Code:

exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

No problems with perl mails about spamd and spamd child anymore.

Since Centos 8 this has changed, no clue as to why.
One is about a suspicious process, the other one about excessive resource usage.

This is the one about suspicious process:

Code:

Time:    Tue Nov 17 17:43:13 2020 +0100
PID:     1220390 (Parent PID:1220388)
Account: accountname
Uptime:  52384 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

spamd child                                                                                                                                                                                                                       

Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:47734
udp: 127.0.0.1:63011 -> 127.0.0.1:53

This is about the excessive resource usage:

Code:

Time:         Tue Nov 17 17:43:13 2020 +0100
Account:      accountname
Resource:     Process Time
Exceeded:     52384 > 1800 (seconds)
Executable:   /usr/bin/perl
Command Line: spamd child                                                                                                                                                                                                                       
PID:          1220390 (Parent PID:1220388)
Killed:       No

So both are about spamd child.

We can stop this by adding the perl executable to csf.pignore but it's better to keep monitoring perl.
This issue is only occurring on Centos 8 servers, not on Centos 7 servers.
Configuration of csf.conf and csf.pignore is exactly the same on all servers.
I'm not the only one experiencing this.

System.
OS Centos 8.2.2004
Directadmin

svendsen
Junior Member
Posts: 4
Joined: 22 Feb 2017, 13:11

Re: Bug? Perl mails about spamd in Centos 8

Post by svendsen »

Hi!
Did you find a solution to this?
We also found this issue on a Centos7 server. The only server with this issue, and we share the same CSF configuration.

Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: Bug? Perl mails about spamd in Centos 8

Post by Black Tiger »

Hello.
No. I finally got fed up with this and added perl to the exclusions in the csf.pignore file.

adeyjones
Junior Member
Posts: 12
Joined: 21 Dec 2020, 22:12

Re: Bug? Perl mails about spamd in Centos 8

Post by adeyjones »

Black Tiger wrote: 12 Feb 2021, 16:56
Hello.
No. I finally got fed up with this and added perl to the exclusions in the csf.pignore file.

Hi, just wondering what you added to make this happen?

I get several of these emails a day and have so far added the following into csf.pignore but nothing is stopping them from coming:

Code:

pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/perl
pcmd:spamd child

Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: Bug? Perl mails about spamd in Centos 8

Post by Black Tiger »

As said I got fed up with it and excluded perl by adding this line:

Code:

exe:/usr/local/cpanel/3rdparty/perl/524/bin/perl

However in the meantime we don't have version 524 anymore so I disabled that again.

At this moment I'm only using this in csf.pignore:

Code:

exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

adeyjones
Junior Member
Posts: 12
Joined: 21 Dec 2020, 22:12

Re: Bug? Perl mails about spamd in Centos 8

Post by adeyjones »

Black Tiger wrote: 10 May 2021, 16:54
As said I got fed up with it and excluded perl by adding this line:

Code:

exe:/usr/local/cpanel/3rdparty/perl/524/bin/perl

However in the meantime we don't have version 524 anymore so I disabled that again.

At this moment I'm only using this in csf.pignore:

Code:

exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child

Thanks for getting back to me, I'll try that out and see if I get any more in the next 24 hours.

Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: Bug? Perl mails about spamd in Centos 8

Post by Black Tiger »

OK. I hope this will fix it for you. If not, I don't know.

adeyjones
Junior Member
Posts: 12
Joined: 21 Dec 2020, 22:12

Re: Bug? Perl mails about spamd in Centos 8

Post by adeyjones »

Black Tiger wrote: 10 May 2021, 21:57
OK. I hope this will fix it for you. If not, I don't know.

Unfortunately not, look what's just arrived:

Time: Wed May 12 13:49:27 2021 +0000
Account: 'hidden'
Resource: Process Time
Exceeded: 45559 > 1800 (seconds)
Executable: /usr/local/cpanel/3rdparty/perl/532/bin/perl
Command Line: spamd child
PID: 31262 (Parent PID:30456)
Killed: No

Time: Wed May 12 13:49:27 2021 +0000
PID: 31262 (Parent PID:30456)
Account: 'hidden'
Uptime: 45559 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/532/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 127.0.0.1:55388


Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/logs/spamd_error_log
/usr/local/cpanel/3rdparty/perl/532/bin/spamd
/home/surgeryweb/.spamassassin/bayes_toks
/home/surgeryweb/.spamassassin/bayes_seen
/var/cpanel/locale/en.cdb
/usr/local/cpanel/3rdparty/perl/532/lib/perl5/cpanel_lib/Net/DNS/Resolver/Base.pm

Black Tiger
Junior Member
Posts: 73
Joined: 17 Feb 2009, 14:14

Re: Bug? Perl mails about spamd in Centos 8

Post by Black Tiger »

I presume you restarted both csf and lfd afterwards.

If yes, then it seems to me the only way is to ignore perl. I don't have the impression this bug will be fixed since it's there so long already.

n2rga
Junior Member
Posts: 9
Joined: 09 Apr 2014, 03:48

Re: Bug? Perl mails about spamd in Centos 8

Post by n2rga »

I have the same problem, waiting on a fix. I have Cloudlinux 8. Any luck?
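
Added example, not part of any post above and not CSF's own code: a small Python model for checking which csf.pignore lines would exempt a given process, so that an exception can be kept narrower than the whole perl interpreter. It assumes exe:/cmd: are literal whole-string comparisons, pexe:/pcmd: are regexes that must match the whole string (Python's re standing in for Perl), and that the run of spaces after "spamd child" in the first report is part of the command line; the two candidate rules and both sample processes are constructed.

```python
import re

# Rule lines quoted in the thread (csf.pignore syntax).
POSTED_RULES = r"""
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
pexe:/usr/local/cpanel/3rdparty/perl/.*/bin/spamd
pcmd:spamd child
"""

# Hypothetical candidates, not taken from the thread: one broad, one narrow.
CANDIDATE_RULES = r"""
exe:/usr/bin/perl
pcmd:spamd child\s*
"""

# Constructed processes. The first mirrors the first report: the interpreter is
# the executable and the command line has trailing padding (assumed to be spaces).
SPAMD_CHILD = {"exe": "/usr/bin/perl", "cmd": "spamd child" + " " * 40}
OTHER_PERL = {"exe": "/usr/bin/perl", "cmd": "perl /home/accountname/job.pl"}


def parse_rules(text):
    """Return (kind, value) pairs, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            kind, _, value = line.partition(":")
            rules.append((kind.lower(), value))
    return rules


def rule_matches(kind, value, proc):
    """Assumed semantics: exe/cmd compare literally, pexe/pcmd match the whole string."""
    field = proc["exe"] if kind.endswith("exe") else proc["cmd"]
    if kind in ("exe", "cmd"):
        return field == value
    if kind in ("pexe", "pcmd"):
        return re.fullmatch(value, field) is not None
    return False


def matching_rules(rules_text, proc):
    """List the rules that would exempt this process under the assumed semantics."""
    return [f"{k}:{v}" for k, v in parse_rules(rules_text) if rule_matches(k, v, proc)]
```

Under these assumptions none of the posted lines exempts the spamd child, the exe: rule for perl also exempts the unrelated perl job, and the command-line regex exempts only the spamd child.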