Hi,
I hope someone can help with a little issue. I have ConfigServer Security & Firewall installed and it is set up to alert me via email of suspicious processes and excessive resource usage. The problem is that at regular intervals throughout the day I’m getting warnings about Clam and Dovecot/Dovenull. I think I can disable warnings for certain processes but I’d like to check there’s nothing wrong first.
Full details follow but I guess my first question is: is it normal for these processes to be running for so long?
Msg 1:
[code]Excessive resource usage: clam (23497 (Parent PID:23497))
Account: clam
Resource: Process Time
Exceeded: 2136578 > 1800 (seconds)
Executable: /usr/sbin/clamd
Command Line: clamd
PID: 23497 (Parent PID:23497)
Killed: No[/code]
Msg 2:
Suspicious process running under user clam
[code]PID: 23497 (Parent PID:23497)
Account: clam
Uptime: 2136578 seconds
Executable:
/usr/sbin/clamd
Command Line (often faked in exploits):
clamd
Network connections by the process (if any):
tcp: 127.0.0.1:3310 -> 0.0.0.0:0
Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/var/log/clamav/clamd.log
Memory maps by the process (if any): (omitted - let me know if they’d be useful)[/code]
Msg 3:
[code]Excessive resource usage: dovecot (3795 (Parent PID:13186))
Account: dovecot
Resource: Process Time
Exceeded: 9041 > 1800 (seconds)
Executable: /usr/libexec/dovecot/auth
Command Line: dovecot/auth
PID: 3795 (Parent PID:13186)
Killed: No[/code]
Msg 4:
Suspicious process running under user dovenull
[code]Time: Thu Aug 21 12:36:11 2014 +0100
PID: 12651 (Parent PID:13186)
Account: dovenull
Uptime: 264 seconds
Executable:
/usr/libexec/dovecot/pop3-login
Command Line (often faked in exploits):
dovecot/pop3-login
Network connections by the process (if any):
tcp: 0.0.0.0:110 -> 0.0.0.0:0
tcp6: 0.0.0.0:110 -> 0.0.0.0:0
tcp: 0.0.0.0:995 -> 0.0.0.0:0
tcp6: 0.0.0.0:995 -> 0.0.0.0:0
tcp: {my IP}:995 -> {external IP}:52275
Files open by the process (if any):
/dev/null
/dev/null
/var/run/dovecot/login-master-notifyf48e6579ea58f331 (deleted)
[eventpoll]
/dev/urandom
Memory maps by the process (if any): (omitted - let me know if they’d be useful)[/code]
System:
CentOS 6.5,
Webmin and Virtualmin
Any help would be gratefully received.
Thanks,
Martin.
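A small triage helper for alerts like the ones above, added here as an example (it is not from the original post, from CSF or from Virtualmin). The daemon allowlist, the expected ports and the sample alert text are assumptions constructed from the messages quoted in the post; the parser handles both the "Excessive resource usage" and the "Suspicious process" formats.

```python
import re

# Assumed allowlist, built from the post: path -> (expected command line, expected local ports).
EXPECTED_DAEMONS = {
    "/usr/sbin/clamd": ("clamd", {3310}),
    "/usr/libexec/dovecot/auth": ("dovecot/auth", set()),
    "/usr/libexec/dovecot/pop3-login": ("dovecot/pop3-login", {110, 995}),
}
PT_USERTIME = 1800  # CSF threshold (seconds) shown as "Exceeded: N > 1800" in the alerts

def parse_alert(text):
    """Pull the fields that matter out of one CSF alert body (either alert format)."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    secs = grab(r"(?:Exceeded|Uptime):\s*(\d+)")
    return {
        "executable": grab(r"Executable:\s*(\S+)"),  # \s* also spans a line break
        "command": grab(r"Command Line[^:]*:\s*(\S+)"),  # both header variants
        "seconds": int(secs) if secs else 0,
        "connections": re.findall(r"^(tcp6?): (\S+) -> (\S+)$", text, re.M),
    }

def triage(alert):
    """Return (verdict, notes). A long uptime alone is normal for a listed daemon; an
    unknown path, mismatched command line or unexpected port is what needs a look."""
    exe, cmd, notes = alert["executable"], alert["command"], []
    if exe not in EXPECTED_DAEMONS:
        notes.append("executable not in allowlist: %s" % exe)
    else:
        want_cmd, want_ports = EXPECTED_DAEMONS[exe]
        if cmd != want_cmd:
            notes.append("command line %r does not match %s" % (cmd, exe))
        for proto, local, _remote in alert["connections"]:
            port = int(local.rsplit(":", 1)[1])
            if port not in want_ports:
                notes.append("unexpected local port %d (%s)" % (port, proto))
    verdict = "review" if notes else "expected"
    if alert["seconds"] > PT_USERTIME:
        notes.append("uptime %ds is over PT_USERTIME=%d" % (alert["seconds"], PT_USERTIME))
    return verdict, notes

# Constructed sample mirroring Msg 2 from the post.
CLAMD_ALERT = """Uptime: 2136578 seconds
Executable:
/usr/sbin/clamd
Command Line (often faked in exploits):
clamd
tcp: 127.0.0.1:3310 -> 0.0.0.0:0
"""
```

An "expected" verdict is the case where the long process time is simply the daemon's normal lifetime; in CSF the usual way to stop those repeats is an exe: entry for that path in csf.pignore, which leaves alerts for unlisted paths or mismatched command lines intact.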