Detected 175 processes that are running outdated executables

[satsamira]

Hello ,

I see the following alarms in the "Security Advisor" section my cPanel:
Detected 175 processes that are running outdated executables: 283269 284074 284071 283148 283017 283498 283998 282 .................

I run the following and give the following results:
# /usr/bin/needs-restarting
283269 : lfd - stopping
284074 : lfd - stopping
284071 : lfd - stopping
283148 : lfd - stopping
283017 : lfd - stopping
283498 : lfd - stopping
283998 : lfd - stopping
282982 : lfd - stopping
283490 : lfd - stopping
65885 : child - aborting
283300 : lfd - stopping
283495 : lfd - stopping

I also run the following to resolve the issue:
#service lvestats restart
but the problem is not resolved and there is still alert in the "security advisor" section.
Please advise you to solve the problem.
Thanks.

 

[cPanelLauren]

Hello,

Based on what you're showing the services weren't actually restarted - needs-restarting just gives you a list of processes that need to be restarted. In this case it looks like CSF/LFD need to be restarted. You'll also need to identify what process PID 65885 is a child of. You can use lsof to do this:

lsof -p 65885

Pending the process still exists

Can you provide the full output of the needs-restarting command after you restart LFD?

 

[satsamira]

Hello,

Based on what you're showing the services weren't actually restarted - needs-restarting just gives you a list of processes that need to be restarted. In this case it looks like CSF/LFD need to be restarted. You'll also need to identify what process PID 65885 is a child of. You can use lsof to do this:

lsof -p 65885

Pending the process still exists

Can you provide the full output of the needs-restarting command after you restart LFD?

I restarted lfd and this is the complete output:

# /usr/bin/needs-restarting
283269 : lfd - stopping
284074 : lfd - stopping
284071 : lfd - stopping
283148 : lfd - stopping
283017 : lfd - stopping
283498 : lfd - stopping
283998 : lfd - stopping
282982 : lfd - stopping
283490 : lfd - stopping
65885 : child - aborting
283300 : lfd - stopping
283495 : lfd - stopping
283384 : lfd - stopping
283918 : lfd - stopping
280877 : lfd - stopping
283782 : lfd - stopping
283466 : lfd - stopping
284176 : lfd - stopping
284177 : lfd - stopping
283457 : lfd - stopping
283788 : lfd - stopping
283540 : lfd - stopping
284125 : lfd - stopping
284263 : lfd - stopping
284115 : lfd - stopping
283089 : lfd - stopping
284110 : lfd - stopping
283150 : lfd - stopping
283525 : lfd - stopping
283082 : lfd - stopping
283489 : lfd - stopping
283844 : lfd - stopping
284280 : lfd - stopping
283317 : lfd - stopping
283316 : lfd - stopping
283485 : lfd - stopping
284289 : lfd - stopping
283852 : lfd - stopping
284680 : lfd - stopping
284007 : lfd - stopping
283850 : lfd - stopping
284162 : lfd - stopping
284279 : lfd - stopping
284160 : lfd - stopping
283962 : lfd - stopping
283963 : lfd - stopping
283799 : lfd - stopping
282971 : lfd - stopping
284275 : lfd - stopping
284274 : lfd - stopping
284105 : lfd - stopping
283538 : lfd - stopping
283124 : lfd - stopping
283243 : lfd - stopping
284217 : lfd - stopping
664551 : child - aborting
284108 : lfd - stopping
283060 : lfd - stopping
283878 : lfd - stopping
284293 : lfd - stopping
283875 : lfd - stopping
381797 : child - aborting
284147 : lfd - stopping
283275 : lfd - stopping
283974 : lfd - stopping
284278 : lfd - stopping
284316 : lfd - stopping
284035 : lfd - stopping
282962 : lfd - stopping
284232 : lfd - stopping
284131 : lfd - stopping
284220 : lfd - stopping
284223 : lfd - stopping
282972 : lfd - stopping
283862 : lfd - stopping
283861 : lfd - stopping
283749 : lfd - stopping
282957 : lfd - stopping
284189 : lfd - stopping
282953 : lfd - stopping
282958 : lfd - stopping
283941 : lfd - stopping
284055 : lfd - stopping
283438 : lfd - stopping
283945 : lfd - stopping
284051 : lfd - stopping
283179 : lfd - stopping
284187 : lfd - stopping
732096 : child - aborting
284059 : lfd - stopping
283105 : lfd - stopping
283454 : lfd - stopping
436668 : child - aborting
284123 : lfd - stopping
284122 : lfd - stopping
283102 : lfd - stopping
284120 : lfd - stopping
283754 : lfd - stopping
283756 : lfd - stopping
283182 : lfd - stopping
283053 : lfd - stopping
283234 : lfd - stopping
284100 : lfd - stopping
283818 : lfd - stopping
283816 : lfd - stopping
283811 : lfd - stopping
283535 : lfd - stopping
1038205 : child - aborting
283892 : lfd - stopping
283959 : lfd - stopping
283954 : lfd - stopping
284312 : lfd - stopping
284084 : lfd - stopping
283448 : lfd - stopping
283785 : lfd - stopping
283440 : lfd - stopping
283115 : lfd - stopping
283764 : lfd - stopping
283209 : lfd - stopping
283766 : lfd - stopping
283769 : lfd - stopping
283805 : lfd - stopping
283802 : lfd - stopping
283886 : lfd - stopping
283513 : lfd - stopping
283880 : lfd - stopping
283883 : lfd - stopping
284230 : lfd - stopping
284038 : lfd - stopping
284093 : lfd - stopping
284096 : lfd - stopping
284095 : lfd - stopping
284094 : lfd - stopping
284141 : lfd - stopping
284099 : lfd - stopping
284098 : lfd - stopping
283078 : lfd - stopping
283476 : lfd - stopping
283772 : lfd - stopping
284286 : lfd - stopping
283838 : lfd - stopping
284703 : lfd - stopping
284056 : lfd - stopping
283833 : lfd - stopping
284242 : lfd - stopping
284246 : lfd - stopping
284247 : lfd - stopping
283930 : lfd - stopping
283932 : lfd - stopping
290201 : child - aborting
283270 : lfd - stopping
283378 : lfd - stopping
283064 : lfd - stopping
283373 : lfd - stopping
283377 : lfd - stopping
283825 : lfd - stopping
283823 : lfd - stopping
283822 : lfd - stopping
283820 : lfd - stopping
283985 : lfd - stopping
283986 : lfd - stopping
283521 : lfd - stopping
283829 : lfd - stopping
283904 : lfd - stopping
282999 : lfd - stopping
283906 : lfd - stopping
283907 : lfd - stopping
283901 : lfd - stopping
283902 : lfd - stopping
284251 : lfd - stopping
284252 : lfd - stopping
284069 : lfd - stopping
284256 : lfd - stopping
286341 : lfd - stopping
283765 : lfd - stopping

I also got the output from the following command:
# lsof -p 65885

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
child   65885 root  cwd    DIR  253,0     4096  787839 /etc/csf
child   65885 root  rtd    DIR  253,0     4096       2 /
child   65885 root  txt    REG  253,0     9993 2626443  (deleted)/usr/local/cpanel/3rdparty/perl/524/bin/perl
child   65885 root  mem    REG  253,0    49965 2626755 /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/x86_64-linux-64int/auto/List/Util/Util.so
child   65885 root  mem    REG  253,0          2626401 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/auto/File/Glob/Glob.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0          2626393 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/auto/Encode/Encode.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0    17959  266792 /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/x86_64-linux-64int/auto/Cwd/Cwd.so
child   65885 root  mem    REG  253,0    14681  266708 /usr/local/cpanel/3rdparty/perl/524/lib64/perl5/cpanel_lib/x86_64-linux-64int/auto/Sys/Mmap/Mmap.so
child   65885 root  mem    REG  253,0          2626420 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/auto/Socket/Socket.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0          2626414 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/auto/POSIX/POSIX.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0          2626407 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/auto/IO/IO.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0          2626399 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/auto/Fcntl/Fcntl.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0 99170352 1335951 /usr/lib/locale/locale-archive
child   65885 root  mem    REG  253,0    10312 1966085 /lib64/libfreebl3.so
child   65885 root  mem    REG  253,0  1924768 1966092 /lib64/libc-2.12.so
child   65885 root  mem    REG  253,0    15056 1966124 /lib64/libutil-2.12.so
child   65885 root  mem    REG  253,0    40872 1966096 /lib64/libcrypt-2.12.so
child   65885 root  mem    REG  253,0   596864 1974673 /lib64/libm-2.12.so
child   65885 root  mem    REG  253,0    20024 1974672 /lib64/libdl-2.12.so
child   65885 root  mem    REG  253,0   113904 1974674 /lib64/libnsl-2.12.so
child   65885 root  mem    REG  253,0   143280 1966116 /lib64/libpthread-2.12.so
child   65885 root  mem    REG  253,0          2626233 (deleted)/usr/local/cpanel/3rdparty/perl/524/lib64/perl5/5.24.1/x86_64-linux-64int/CORE/libperl.so (stat: No such file or directory)
child   65885 root  mem    REG  253,0    26104 1313577 /usr/lib64/libgdbm.so.2.0.0
child   65885 root  mem    REG  253,0   159312 1989012 /lib64/ld-2.12.so
child   65885 root    0r   CHR    1,3      0t0    4101 /dev/null
child   65885 root    1w   CHR    1,3      0t0    4101 /dev/null
child   65885 root    2w   CHR    1,3      0t0    4101 /dev/null
child   65885 root    3u   REG  253,0        7 1188528 /var/run/lfd.pid
child   65885 root    4w   REG  253,0    83512 1185335  (deleted)/var/log/lfd.log-20180218
child   65885 root    5r   REG  253,0    17148 1457294 /usr/local/csf/lib/Geo/IP/Record.pm

 

[cPanelLauren]

Hello,


If that output of needs-restarting was done after CSF/LFD was restarted it looks like there may be an issue with the system recognizing that the service was restarted.

If you completely stop CSF/LFD (killing any potentially remnant processes) and restart it do you still see the notification? Does it persist through a reboot?

If both of these are the case please open a ticket using the link in my signature so that we can take a closer look.


Thank you,