Check cPanel Processes: Are They Safe?

TL;DR

You’re worried about processes running under your cPanel account. This guide shows you how to identify what they are and whether they might be malicious. We’ll focus on command-line tools over SSH, because they show the owner, executable and parent of a process, which the cPanel web interface does not.

Identifying cPanel Processes

  1. Access Your Server via SSH: Connect with an SSH client (OpenSSH in a terminal on Linux, macOS or Windows 10 and later, or PuTTY). Your host must have shell access enabled for the account, and a key pair is preferable to a password. Without shell access you are limited to what the web interface shows, so ask your host for access or for the checks below to be run for you.
  2. List Running Processes: Use the top command for a live view sorted by CPU usage.
    top

    Press M to sort by memory instead, and c to show each process’s full command line rather than just its name. High CPU or memory use is a good first filter (cryptominers and spam senders stand out), but a quiet backdoor will not show up this way, so do not stop here. Note the PID (Process ID) of anything you want to look at; you’ll need it later.

  3. Alternative: ps Command: ps gives a snapshot you can scroll and search.
    ps aux | less

    This lists all processes with user, CPU usage, memory usage and the full command used to start them. Adding f (ps auxf) draws the parent/child tree, which shows what launched what. Use the arrow keys to scroll and q to quit.

  4. Find Process Owner: Knowing which account a process runs as tells you which account was compromised. Query the PID directly rather than grepping for it, since a bare number also matches the PPID and other columns:
    ps -o user,pid,ppid,lstart,cmd -p <PID>

    Replace <PID> with the PID you noted. The output shows the owning user, the parent PID (PPID), the start time and the command line. On a default cPanel build Apache workers run as nobody (or as your account user under mod_ruid2); anything running as your account user that you did not start deserves a closer look.

Common cPanel Processes & What They Mean

  • httpd: Apache web server processes – normal if you’re running a website. Many worker instances are expected, owned by nobody (or by your account user with mod_ruid2).
  • mysqld (or mariadbd on MariaDB): The database server process – normal if your site uses a database. It runs as the mysql user, never as a cPanel account.
  • php-fpm: PHP FastCGI Process Manager – handles PHP requests for websites. Normal; expect one master process plus a pool of workers per site.
  • crond: Runs scheduled tasks. Normal, but review the crontab (see Crontab Review below) to see what it launches.
  • exim/dovecot: Mail server processes – normal if you use email through cPanel.
  • cpsrvd, cpdavd, queueprocd, tailwatchd: cPanel’s own service daemons (the cPanel/WHM interface, WebDAV, the task queue and the log monitor). Present on every cPanel server.

A familiar name proves nothing on its own. Malware routinely calls itself httpd, kworker or php-fpm, so what matters is the combination of owner, executable path and parent process, not the name in the list.

Investigating Suspicious Processes

  1. Check the Command Path: List the processes with that name and read the full command used to start each one. Use ps -C or pgrep so the search does not match itself:
    ps -o pid,ppid,user,lstart,cmd -C httpd
    pgrep -af httpd

    Replace httpd with the name of the suspicious process. Is the path a real system location (/usr/sbin, /usr/bin, /opt/cpanel), or somewhere a web application can write, such as /tmp, /var/tmp, /dev/shm or a public_html directory? Bear in mind that the command line is set by the process itself and can be forged; the kernel-maintained links under /proc cannot:
    ls -l /proc/<PID>/exe /proc/<PID>/cwd

    If exe ends in (deleted), the binary was removed from disk after it started, a common trick for hiding from file scanners.

  2. File System Check: If the path looks odd, inspect the file without executing it. cat is not useful on a binary; use file, strings and a hash instead.
    ls -l /path/to/the/file
    file /path/to/the/file
    sha256sum /path/to/the/file
    strings /path/to/the/file | head -n 50

    On RPM-based systems, rpm -qf /path/to/the/file tells you whether the file belongs to an installed package, and rpm -V <package> whether that package’s files have been modified. Look for anything unusual: recent modification times, hidden dot-directories, and URLs, IP addresses or wallet addresses in the strings output.

  3. Search the Name and Hash: Search for the process name, the command line and the SHA-256 hash you just computed. A generic name such as httpd returns noise; a hash is specific and is what threat-intelligence sites index.
  4. Crontab Review: Check scheduled tasks to see whether the suspicious process is being relaunched automatically.
    crontab -l

    This lists your user’s crontab entries. Look for unfamiliar commands or scripts, @reboot entries, and one-liners that fetch and run a remote script (curl ... | sh, wget -O- ... | bash). With root access, also check /etc/crontab, /etc/cron.d/ and /var/spool/cron/ for every account.

  5. Check cPanel Logs: In cPanel, the Errors and Raw Access tools (under Metrics in current themes) show the Apache error and access logs. Look for related errors, and for POST requests to PHP files you do not recognise, which is how web shells are usually driven.
  6. Run a Malware Scan: Use the scanner your host provides in cPanel (the Virus Scanner tool if the ClamAV plugin is installed, or ImunifyAV), or run ClamAV from the shell if it is available. Treat a clean result as inconclusive: a process whose binary was deleted from disk, as in step 1, leaves nothing for a file scanner to find.
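A shell helper, added here and not part of the original article, that carries out the owner, command-path and file-system checks above by reading /proc directly instead of trusting the ps listing. The daemon names come from the list above; the expected install prefixes (/usr/sbin, /usr/bin, /usr/local, /opt/cpanel) and the sample process tree are assumptions constructed for this example. Run it with no arguments to see it flag the constructed miner, or with a PID to triage a live process (as root if the process belongs to another user).

```shell
#!/bin/bash
# Added example (not from the original article): triage a PID by reading its
# /proc entry. The command line shown by top and ps is argv, which the process
# itself controls and can forge; the kernel-maintained links /proc/<PID>/exe
# and /proc/<PID>/cwd cannot. PROCROOT defaults to /proc and is a parameter
# only so the same checks can run against a constructed tree.

# Directories from which no legitimate cPanel service binary should run.
SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# Daemon names an attacker likes to borrow (from the article's list).
is_known_daemon() {
    case "$1" in
        httpd|mysqld|mariadbd|php-fpm|crond|exim|dovecot) return 0 ;;
        *) return 1 ;;
    esac
}

# Print owner UID, real executable, working directory and command line.
# Usage: inspect_pid PID [PROCROOT]
inspect_pid() {
    local d="${2:-/proc}/$1" uid exe cwd cmd
    [ -d "$d" ] || { echo "no such pid: $1" >&2; return 1; }
    uid=$(awk '/^Uid:/ {print $2}' "$d/status")
    exe=$(readlink "$d/exe" 2>/dev/null || echo "?")   # unreadable for other users' PIDs unless root
    cwd=$(readlink "$d/cwd" 2>/dev/null || echo "?")
    cmd=$(tr '\0' ' ' < "$d/cmdline")                   # argv is NUL-separated
    printf 'pid=%s uid=%s\nexe=%s\ncwd=%s\ncmd=%s\n' "$1" "$uid" "$exe" "$cwd" "$cmd"
}

# Emit one "FLAG: ..." line per indicator, or "clean"; exit status = number of flags.
# Usage: triage_pid PID [PROCROOT]
triage_pid() {
    local d="${2:-/proc}/$1" exe cmd argv0 exebase dir flags=0
    exe=$(readlink "$d/exe" 2>/dev/null || echo "")
    cmd=$(tr '\0' ' ' < "$d/cmdline")
    argv0=${cmd%% *}; argv0=${argv0##*/}                # the name the process claims
    exebase=${exe##*/}; exebase=${exebase% (deleted)}   # the name the kernel knows

    case "$exe" in
        *' (deleted)') echo "FLAG: binary was deleted from disk after start ($exe)"; flags=$((flags + 1)) ;;
    esac
    for dir in $SCRATCH_DIRS; do
        case "$exe" in
            "$dir"/*) echo "FLAG: binary runs from scratch directory $dir"; flags=$((flags + 1)) ;;
        esac
    done
    if [ -n "$exe" ] && [ "$argv0" != "$exebase" ]; then
        echo "FLAG: argv[0] '$argv0' does not match executable '$exebase' (possible masquerade)"
        flags=$((flags + 1))
    fi
    # Assumed install prefixes for a cPanel server; adjust to your build.
    if [ -n "$exe" ] && is_known_daemon "$argv0"; then
        case "$exe" in
            /usr/sbin/*|/usr/bin/*|/usr/local/*|/opt/cpanel/*) ;;
            *) echo "FLAG: '$argv0' is a known daemon name but runs from '$exe'"; flags=$((flags + 1)) ;;
        esac
    fi
    [ "$flags" -eq 0 ] && echo "clean"
    return "$flags"
}

# Constructed sample /proc tree (assumption, not captured from a real server):
# a genuine Apache worker and a miner that claims to be httpd but was unlinked
# from /tmp after starting. Usage: make_sample_proc DIR
make_sample_proc() {
    mkdir -p "$1/2001" "$1/2002"
    printf 'Name:\thttpd\nUid:\t99\t99\t99\t99\n' > "$1/2001/status"
    printf '%s\0' /usr/sbin/httpd -k start > "$1/2001/cmdline"
    ln -sfn /usr/sbin/httpd "$1/2001/exe"
    ln -sfn / "$1/2001/cwd"
    printf 'Name:\thttpd\nUid:\t1001\t1001\t1001\t1001\n' > "$1/2002/status"
    printf '%s\0' httpd > "$1/2002/cmdline"
    ln -sfn '/tmp/.X11-unix/.kthreadd (deleted)' "$1/2002/exe"
    ln -sfn /tmp/.X11-unix "$1/2002/cwd"
}

# Stand-alone demo: no argument runs against the constructed tree;
# a PID argument triages that process on the live /proc.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    make_sample_proc "$demo"
    for p in 2001 2002; do
        inspect_pid "$p" "$demo"
        triage_pid "$p" "$demo" || true
        echo
    done
    rm -rf "$demo"
else
    inspect_pid "$1" && triage_pid "$1"
fi
```

The flags are deliberately cheap and independent: a deleted binary, a scratch-directory path, an argv[0] that disagrees with the real executable, and a borrowed daemon name running from the wrong prefix. Any one of them on a cPanel account is worth the file-system and crontab checks above; the constructed miner trips all four.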

If You Find Something Malicious

  • Preserve Evidence First: Before killing anything, record what you found: the ps output, the ls -l of /proc/<PID>/exe and /proc/<PID>/cwd, the file hash and the crontab. Copy the file (cp, not mv) to a location outside the web root. Your host will ask for this, and it is what tells you how the attacker got in.
  • Stop the Process: kill <PID>. If it reappears, something is relaunching it: check the parent PID, the crontab and any recently modified PHP files.
  • Isolate the Account: If possible, suspend the account (or take the site offline) to stop further damage and outbound spam until it is clean.
  • Contact Your Hosting Provider: They can see root-level logs, system crontabs and other accounts on the server that you cannot, and can help investigate and clean up.
  • Change Passwords and Keys: Change passwords for all accounts (cPanel, FTP, database, email) from a machine you trust, and review ~/.ssh/authorized_keys and your cPanel API tokens for entries you did not add.
  • Restore from Backup and Close the Hole: If you have a recent, clean backup, restoring it is often the fastest solution, but a restore that does not also update the vulnerable plugin, theme or script that let the attacker in will simply be reinfected.