I've been getting an increased number of lfd alerts from my dedicated server for the past 10-15 days.
They are mostly this:
Code:
lfd: Excessive resource usage: Account A (4039)
Time: Mon Jun 8 08:25:24 2009 -0500
Account: Account A
Resource: Process Time
Exceeded: 10821 > 1800 (seconds)
Executable: /usr/bin/perl
Command Line: spamd child
PID: 16580
Killed: Yes
and this:
Code:
lfd: Suspicious process running under user Account A
PID: 5598
Account: Account A
Uptime: 6131 seconds
Executable:
/usr/bin/perl
Command Line (often faked in exploits):
spamd child
Network connections by the process (if any):
tcp: cPanel® -> cPanel®
tcp: cPanel® -> cPanel®
udp: cPanel® -> 63.247.77.198:53
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/usr/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm
but over the past two days there has been a new alert:
Code:
lfd: LOCALRELAY alert for account Account B
Time: Mon Jun 8 09:28:07 2009 -0500
Type: LOCALRELAY, Local Account - Account B
Count: 103 emails relayed
Blocked: No
Sample of the first 10 emails:
2009-06-08 09:28:03 1MDfp.... <snip>
The emails sampled in the LOCALRELAY alert are legitimate.
Account A and B above are real accounts, but renamed for posting here.
Is anyone else getting this increase in alerts, or is it just my server? What should I do about it?