-
I get an e-mail from the server every 10 minutes. What is the problem?
Restarting CWP and rebooting the server does not help.
lfd on xxxxxx: Excessive resource usage: cwpsvc (8078 (Parent PID:780))
Account: cwpsvc
Resource: Process Time
Exceeded: 3647 > 3600 (seconds)
Executable: /usr/local/cwp/php71/sbin/php-fpm
Command Line: php-fpm: pool cwpsvc
PID: 8078 (Parent PID:780)
Killed: No
(https://vgy.me/n7bwHt.png)
strace -p 15097 -s 80 -o debug.txt output (the PID traced here is not the one from the lfd alert; presumably the php-fpm pool worker was respawned in between, so the PID changes from alert to alert):
accept(0, {sa_family=AF_LOCAL, NULL}, [2]) = 3
poll([{fd=3, events=POLLIN}], 1, 5000) = 1 ([{fd=3, revents=POLLIN}])
times({tms_utime=4129, tms_stime=229, tms_cutime=0, tms_cstime=0}) = 429814412
read(3, "\1\1\0\1\0\10\0\0", 8) = 8
read(3, "\0\1\0\0\0\0\0\0", 8) = 8
read(3, "\1\4\0\1\2\275\3\0", 8) = 8
read(3, "\17,SCRIPT_FILENAME/usr/local/cwpsrv/var/services/pma/index.php\v\16SCRIPT_NAME/pma/i"..., 704) = 704
read(3, "\1\4\0\1\0\0\0\0", 8) = 8
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={60, 0}}, NULL) = 0
rt_sigaction(SIGPROF, {0x7c0f00, [PROF], SA_RESTORER|SA_RESTART, 0x7f510d45d250}, {0x7c0f00, [PROF], SA_RESTORER|SA_RESTART, 0x7f510d45d250}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0
open("/usr/local/cwpsrv/var/services/pma/index.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=20807, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=20807, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=20807, ...}) = 0
mmap(NULL, 20807, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbac000
getcwd("/usr/local/cwpsrv/var/services/pma", 4095) = 35
chdir("/usr/local/cwpsrv/var/services/pma") = 0
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={90, 0}}, NULL) = 0
munmap(0x7f510fbac000, 20807) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/common.inc.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=35171, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=35171, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=35171, ...}) = 0
mmap(NULL, 35171, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fba9000
munmap(0x7f510fba9000, 35171) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/vendor_config.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2330, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=2330, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=2330, ...}) = 0
mmap(NULL, 2330, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 2330) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/php-gettext/gettext.inc", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=17451, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=17451, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=17451, ...}) = 0
mmap(NULL, 17451, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbad000
munmap(0x7f510fbad000, 17451) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./streams.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/streams.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./streams.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/streams.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
open("/usr/local/cwpsrv/var/services/pma/libraries/php-gettext/streams.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=3797, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=3797, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=3797, ...}) = 0
mmap(NULL, 3797, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 3797) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./gettext.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/gettext.php", 0x7ffc71ea3a70) = -1 ENOENT (No such file or directory)
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
lstat("/usr/local/cwpsrv/var/services/pma/./gettext.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
lstat("/usr/local/cwp/php71/lib/php/gettext.php", 0x7ffc71ea3890) = -1 ENOENT (No such file or directory)
open("/usr/local/cwpsrv/var/services/pma/libraries/php-gettext/gettext.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=12648, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=12648, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=12648, ...}) = 0
mmap(NULL, 12648, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbae000
munmap(0x7f510fbae000, 12648) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/autoloader.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=450, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=450, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=450, ...}) = 0
mmap(NULL, 450, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 450) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/Psr4Autoloader.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4966, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=4966, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=4966, ...}) = 0
mmap(NULL, 4966, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbb0000
munmap(0x7f510fbb0000, 4966) = 0
close(4) = 0
access("./libraries/ErrorHandler.php", F_OK) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/ErrorHandler.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=16875, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=16875, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=16875, ...}) = 0
mmap(NULL, 16875, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbad000
munmap(0x7f510fbad000, 16875) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/core.lib.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=30656, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=30656, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=30656, ...}) = 0
mmap(NULL, 30656, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fbaa000
munmap(0x7f510fbaa000, 30656) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/string.lib.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=800, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=800, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=800, ...}) = 0
mmap(NULL, 800, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 800) = 0
close(4) = 0
getcwd("/usr/local/cwpsrv/var/services/pma", 4096) = 35
open("/usr/local/cwpsrv/var/services/pma/libraries/stringMb.lib.php", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1906, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1906, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1906, ...}) = 0
mmap(NULL, 1906, PROT_READ, MAP_SHARED, 4, 0) = 0x7f510fc25000
munmap(0x7f510fc25000, 1906) = 0
...........................
-
That by itself is normal: a php-fpm pool worker that stays alive for more than an hour is exactly what lfd's "Process Time" check flags. If you want to silence the alert, add the executable to the CSF process ignore list,
/etc/csf/csf.pignore
as
exe:/usr/local/cwp/php71/sbin/php-fpm
Be aware that this suppresses resource-usage alerts for every worker of that binary, so confirm the activity is legitimate before you whitelist it.
-
Are you sure this is normal? We installed CWP a year ago and this is the first time we are getting these errors.
We have another CWP server and it does not show errors like this.
Please explain what cwpsvc is doing. `top -u cwpsvc` always shows 2 processes; one hour later they end and start again. The other server shows nothing.
-
Yes, 100%.
cwpsvc is the user under which CWP's bundled services, for example Roundcube and phpMyAdmin, are run (the strace above shows the worker serving /usr/local/cwpsrv/var/services/pma/index.php, i.e. phpMyAdmin). If there is sustained activity there, check whether something is hitting those services, for example a brute-force attack against the phpMyAdmin login.
You can check the CWP logs for that:
http://wiki.centos-webpanel.com/service-log-paths
-
You are right. I found it. Thank you for the help!
Sep 21 15:50:08 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=118 TOS=0x00 PREC=0x00 TTL=251 ID=52048 PROTO=UDP SPT=3000 DPT=1900 LEN=98
Sep 21 15:50:11 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=36 TOS=0x00 PREC=0x00 TTL=251 ID=32335 PROTO=UDP SPT=3000 DPT=123 LEN=16
Sep 21 15:50:14 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=118 TOS=0x00 PREC=0x00 TTL=251 ID=19685 PROTO=UDP SPT=3000 DPT=1900 LEN=98
Sep 21 15:50:15 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=118 TOS=0x00 PREC=0x00 TTL=251 ID=52453 PROTO=UDP SPT=3000 DPT=1900 LEN=98
Sep 21 15:50:17 ext kernel: Firewall: *UDP_IN Blocked* IN=enp4s0 OUT= MAC=38:d5:47:c7:db:0f:2c:21:31:28:a2:c9:08:00 SRC=218.11.2.168 DST=xx.xx.xx.xx LEN=29 TOS=0x00 PREC=0x00 TTL=251 ID=58445 PROTO=UDP SPT=3000 DPT=1434 LEN=9
-
Note that this is inbound UDP traffic to ports 1900, 123 and 1434 (the well-known SSDP, NTP and MS SQL Browser ports) that the firewall has already blocked. It is unrelated to cwpsvc, which serves CWP's own TCP ports, so these blocks cannot be what is keeping the php-fpm worker busy.
-
I found another attacker. It is a brute-force attack against the phpMyAdmin login (username root, a different password on every request). I will change the phpMyAdmin directory. cwpsvc is normal now. Two things worth noting from these lines: the credentials are passed in the query string, so they end up verbatim in the access log, which makes the log itself sensitive; and renaming the phpMyAdmin path only hides it from the simplest scanners, so the MySQL root password must be strong and access to phpMyAdmin should be restricted (for example to an IP allow list) regardless.
79.137.32.215 - - [21/Sep/2017:16:08:53 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hna1950&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 345
79.137.32.215 - - [21/Sep/2017:16:08:54 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hued&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 342
79.137.32.215 - - [21/Sep/2017:16:08:54 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hnyc&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 342
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=ho&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 340
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hijinks&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 345
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=ho-chi&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 344
79.137.32.215 - - [21/Sep/2017:16:08:55 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=hueron&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 344
79.137.32.215 - - [21/Sep/2017:16:08:56 +0300] "GET /phpmyadmin/index.php?pma_username=root&pma_password=ho-ming&server=1&lang=de-utf-8&convcharset=iso-8859-1 HTTP/1.1" 301 345
-
Great. As an immediate measure you can block that IP with CSF, for example:
csf -d <IP> "pma brute force attack"
A manual block only covers this one source, and brute forcing typically moves on to other IPs, so treat it as a stop-gap and restrict who can reach phpMyAdmin in the first place.