memcached suspicious process running under user

[Mopar1973Man]

I've manually added memcached to my cpanel and now I get a ton of email about...

lfd on server: Suspicious process running under user xxxxxx

I would like to stop these constant every minute emails. Between PHP and memcached sending email it can fill a 250 MB email account in a mere few days.

 

[IndicHosts.net]

I'm guessing this is connected with CSF. Running the following command should do the trick

echo "user:memcached" | cat >> /etc/csf/csf.pignore && csf -r;

 

[httpdocs]

Yes that's right.
This message is sent by "csf".
If you do not want to see this message, specify an unnecessary email address.
Otherwise, the messages can guide you to better manage the server.

 

[Mopar1973Man]

Snippet: This is the most common... PHP-FPM (Mopar1973Man) and the Memcached (Nobody)

Executable:

/opt/cpanel/ea-php72/root/usr/sbin/php-fpm


Command Line (often faked in exploits):

php-fpm: pool mopar1973man_com                       


Network connections by the process (if any):

tcp: 127.0.0.1:47854 -> 127.0.0.1:11211


Files open by the process (if any):

/dev/urandom

Here is the other email I get but not as common.

Executable:

/usr/bin/memcached


Command Line (often faked in exploits):

memcached -d -p 11211 -u nobody -m 256 -c 1024 -P /var/run/memcached/memcached.pid


Network connections by the process (if any):

tcp: 0.0.0.0:11211 -> 0.0.0.0:0
tcp6: 0.0.0.0:11211 -> 0.0.0.0:0
udp: 0.0.0.0:11211 -> 0.0.0.0:0
udp6: 0.0.0.0:11211 -> 0.0.0.0:0
tcp: 127.0.0.1:11211 -> 127.0.0.1:38752
tcp: 127.0.0.1:11211 -> 127.0.0.1:38714
tcp: 127.0.0.1:11211 -> 127.0.0.1:38824
tcp: 127.0.0.1:11211 -> 127.0.0.1:38882


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
[eventpoll]
[eventpoll]
[eventpoll]
[eventpoll]
[eventpoll]

 

[cPanelMichael]

Hello,

Additional discussion of this topic is available on the following thread:

lfd Excessive Resource Usage Warnings

Thank you.

 

[Mopar1973Man]

Again... Someone just chucks out a link like it has the solution but it like going down the rabbit hole without a guide.

So do I follow this link...
PHP-FPM Pool using lot of CPU

Or this link...
Memory usage apparently higher than expected

Or this link...
Email Alerts from CSF

As for the last link I've attempted this but I'm not sure how to do the syntax correctly. Because it still spitting the mails out 500 a day at me.

So it would really help if some shows me the answer to this problem and not posting old links to older post this go in more directions making this confusing.

exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm

 

[rpvw]

Again... Someone just chucks out a link like it has the solution but it like going down the rabbit hole without a guide.

Sorry if this is not going to be the magic bullet answer you want, but installing modules and daemons on a server has consequences.

If you have a server with the CSF/lfd installed, and then install memcached or PHP-FPM (or vice versa) you shouldn't be surprised if the consequence is that CSF/lfd starts sending you emails about a process it knows nothing about. It is up to you to either tell CSF/lfd that the process is OK and to ignore it, or for you to decide that the process is not authorised and to expunge it.

Similarly, if you decide to use CSF/lfd and as a consequence you start getting excessive resource usage warnings, it is up to you to decide if the warnings are justified, and either configure CSF/lfd to report based on your particular hardware configuration, or to investigate the warnings and configure the systems that are provoking them to use less resources.

In every event, it is better to research and understand what the consequences of any configuration, action, addition or removal of software on a server might be before crashing in and doing it. Every server administrator on this forum was a beginner once upon a time, and the honest ones will admit to learning something new every day. You can easily avoid making mistakes by reading about the experiences and mistakes that other people made, and not repeating them yourself.

Attributed as a variant of the original by George Santayana

Those who fail to learn from the mistakes of their predecessors are destined to repeat them.

 

[Mopar1973Man]

If you have a server with the CSF/lfd installed, and then install memcached or PHP-FPM (or vice versa) you shouldn't be surprised if the consequence is that CSF/lfd starts sending you emails about a process it knows nothing about. It is up to you to either tell CSF/lfd that the process is OK and to ignore it, or for you to decide that the process is not authorised and to expunge it.

That is fine but since I'm a greenhorn to the whole cPanel thing I need more than a link to another post that splits in to many directions. So I would like to know how to properly tell CSF that memcache and PHP-FPM are authorized programs so the emails stop flowing since now my website software requires them.

Similarly, if you decide to use CSF/lfd and as a consequence you start getting excessive resource usage warnings, it is up to you to decide if the warnings are justified, and either configure CSF/lfd to report based on your particular hardware configuration, or to investigate the warnings and configure the systems that are provoking them to use less resources.

Not so much as a resource problem just I've added software (memcached) CSF doesn't recognize. As for the PHP-FPM was part of the package so the only reason I see PHP-FPM giving the warning because of its using memcached as well.

So now back to getting back to an answer how does a person get CSF (csf.pignore) syntax right so these two programs run without constant warnings?

 

[rpvw]

So now back to getting back to an answer how does a person get CSF (csf.pignore) syntax right so these two programs run without constant warnings?

First thing to do is to read the instructions at the top of the /etc/csf/csf.pignore file (you can access this from the cPanel CSF interface by selecting it from the Blocking drop-down and clicking on edit)

So, given that your email has already given you the path

/usr/bin/memcached

you would follow the pignore files instructions

# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#

and add

exe:/usr/bin/memcached

(dont forget to click on the change button after you finish editing and then restart CSF)

For the PHP-FPM you may need to adjust the configuration parameters in the CSF configuration Process Tracking section, or just add it to the pignore file (which wont then alert you to any run-away PHP process)

More information is contained in the csf+lfd readme.txt file (Click on the Firewall Information button in the cPanel CSF interface and settle down for a good read.)

Since this isn't really a cPanel issue (third party provided plugin) you may get additional help from ConfigServer Community Forum - ConfigServer Security & Firewall

Hope this helps.

 

[Mopar1973Man]

For the PHP-FPM you may need to adjust the configuration parameters in the CSF configuration Process Tracking section, or just add it to the pignore file (which wont then alert you to any run-away PHP process)

Explain what I've got to configure and where. Ive never done this before so I've got no idea what I'm supposed to change. There is a bunch of setting and most have warnings of don't use unless you know what you are doing. So what do I need to adjust for the PHP-PFM???

 

[Infopro]

So now back to getting back to an answer how does a person get CSF (csf.pignore) syntax right so these two programs run without constant warnings?

You know how to get to csf.pignore, correct?

 

[rpvw]

Ive never done this before so I've got no idea what I'm supposed to change. There is a bunch of setting and most have warnings of don't use unless you know what you are doing. So what do I need to adjust for the PHP-PFM???

The settings will depend on your hardware, resource allocation, server load etc etc so no one can guess at what they might need to be.

It rather looks like you need to contract the services of an experienced cPanel/linux server administrator, and you can find a list of them at System Administration Services | cPanel Forums

 

[Mopar1973Man]

You know how to get to csf.pignore, correct?

Yeah rpvw showed me an easy way to get there I didn't even know.

It rather looks like you need to contract the services of an experienced cPanel/linux server administrator, and you can find a list of them at System Administration Services | cPanel Forums

Sorry, my pockets are not that deep! I can't afford to pay for Administration Services. That why I'm here to figure this stuff out on my own and also learn how to do it myself.

 

[rpvw]

OK - since I seem to be spending more time with this support than I am with my own customers ! - the easiest way is to just have CSF/lfd ignore the PMP-FPM processes, although you must acknowledge that any process excluded from being tracked; has an implication as far as security is concerned.

You will have seen from your email example that the executable was reported as

/opt/cpanel/ea-php72/root/usr/sbin/php-fpm

Now you can add this into the pignore file in the familiar format

exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm

...... but that line would only ignore FPM processes from PHP 7.2 (ea-php72)

Obviously, you could use several lines to add all the php versions eg

exe:/opt/cpanel/ea-php56/root/usr/sbin/php-fpm
exe:/opt/cpanel/ea-php70/root/usr/sbin/php-fpm
exe:/opt/cpanel/ea-php71/root/usr/sbin/php-fpm
exe:/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
etc

...... but some of us grey-beards consider this to be inelegant and wasteful code.

Fortunately, CSF/lfd has included the opportunity to use perl regular expression matching (regex) so you can write ONE line to exclude ALL the PHP-FPM processes (irrespective of what PHP versions used) could be

pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm

All of this is clearly documented in the top of the pignore file itself.

Note: I have NOT tested that particular regex (since I don't use use FPM myself) so use with caution.

I hope this helps.

 

[Mopar1973Man]

Here we go down the rabbit hole again.

Q: Why abandon the adjustments of the PHP? I thought this way the better way of setting up the server?

I realize that pignore the PHP could be a bad idea because of there is a hack, etc. You'll never know.

since I don't use FPM myself

Q: May I ask what is your reason and what are you using instead? I'm asking maybe my setup isn't optimal I'm willing to listen and learn to try and do something better.

 

[rpvw]

Q: Why abandon the adjustments of the PHP? I thought this way the better way of setting up the server?

I have never ever talked about adjusting the PHP configuration here, I am only addressing the levels at which the CSF/lfd plugin alerts you as to perceived excess use, and unless you have a full understanding of how the Apache/PHP/MySQL process impacts on your hardware and resource configuration, you will be experimenting in the CSF configuration until you learn and understand the interrelationships.

Q: May I ask what is your reason and what are you using instead? I'm asking maybe my setup isn't optimal I'm willing to listen and learn to try and do something better.

I use Cloudlinux/CageFS/Alt-PHP with lsapi as the handler. (Cloudlinux is commercial, it is not free)