The Background Process Killer in WHM automatically terminates suspicious processes that users may run on the server. These processes (such as IRC bots and bouncers) are commonly used in denial-of-service (DoS) attacks and consume server resources. The system runs this check nightly during the upcp maintenance script and sends email notifications when it terminates a process.

Step 1: Log in to WHM

Open your browser and navigate to your server's WHM login page (typically https://your-server-ip:2087 or https://hostname:2087). Log in with your root or reseller credentials.

Step 2: Open Background Process Killer

In the WHM sidebar, navigate to Home » System Health » Background Process Killer.

Step 3: Select Processes to Kill

You will see a list of processes that can be automatically terminated. Check the boxes next to each process you want the system to kill. The available processes include:

  • BitchX — A command-line IRC (Internet Relay Chat) client.
  • bnc — An IRC bouncer that allows users to hide their connection source.
  • eggdrop — An IRC bot that can be used to create botnets for DoS attacks.
  • generic-sniffers — Packet sniffers used to capture and analyze network traffic.
  • guardservices — An IRC bot service.
  • ircd — The IRC daemon that enables IRC communication.
  • psyBNC — A popular IRC network bouncer.
  • ptlink — IRC server software.
  • services — An IRC services bot.

Recommendation: Select all available processes for maximum protection.

Step 4: Add Trusted Users (Optional)

If you need to allow specific users to run any of the selected processes, enter their cPanel usernames in the Trusted users text box. For example, enter myuser to allow that user to run the selected processes.

  • Users with a UID below 99 (system accounts like root, MySQL, named) do not need to be added.
  • Separate multiple usernames with commas or place each on a new line.

Step 5: Save

Click Save to apply your settings. The system will enforce these rules during the next nightly maintenance run.

Important Notes

  • Processes in /usr/bin are not killed: The system assumes programs installed in /usr/bin were intentionally placed there by the administrator.
  • Rename detection: Malicious users often rename these processes to avoid detection. The Background Process Killer detects the process regardless of its name.
  • Email notifications: You will receive an email notification each time the system terminates a process.
  • Nightly execution: The process killer runs automatically during the nightly upcp script via /scripts/maintenance.

Troubleshooting

  • A legitimate user's process keeps getting killed: Add their username to the Trusted users box and save.
  • Not receiving notifications: Ensure the server's root email address is correctly configured in WHM under Home » Server Configuration » Basic WebHost Manager Setup.
  • Process still running after nightly check: Verify that the correct process checkbox is selected. Note that the killer only runs during the nightly maintenance; it does not kill processes in real time.
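
Because the killer only runs nightly, a report-only audit between runs can apply the same exemptions this article describes (UID below 99, trusted users, binaries in /usr/bin). The script below is an added example, not cPanel's code: it matches on the basename of each process's executable rather than its displayed name, so it flags a watched binary that masks its command line but not one renamed on disk. The function names and sample records are constructed for illustration.

```python
import os, pwd, re
# Binary names from the WHM list above ("generic-sniffers" is a category, not one binary).
WATCHED = {"bitchx", "bnc", "eggdrop", "guardservices", "ircd", "psybnc", "ptlink", "services"}
MIN_UID = 99  # accounts with a UID below 99 are exempt

def parse_trusted(text):
    """Parse the Trusted users box: names separated by commas or newlines."""
    return {u.strip() for u in re.split(r"[,\n]", text) if u.strip()}

def audit(procs, trusted):
    """Return (pid, user, exe, note) for watched binaries that no rule exempts."""
    found = []
    for p in procs:
        exe = re.sub(r" \(deleted\)$", "", p["exe"])  # binary unlinked after launch
        name = os.path.basename(exe).lower()
        if (name not in WATCHED or p["uid"] < MIN_UID or p["user"] in trusted
                or exe.startswith("/usr/bin/")):  # /usr/bin: assumed admin-installed
            continue
        shown = os.path.basename(p["shown"].split(" ")[0]).lower()
        note = "watched binary" if shown == name else "displayed name differs"
        found.append((p["pid"], p["user"], exe, note))
    return found

def read_procs():
    """Yield one record per live process from /proc (Linux; run as root)."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            uid = os.stat(f"/proc/{pid}").st_uid  # owner of the /proc entry
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                shown = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process exited, kernel thread, or not readable
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)  # UID with no passwd entry
        yield {"pid": int(pid), "uid": uid, "user": user, "exe": exe, "shown": shown}

# Constructed sample records, not taken from a real server.
SAMPLE = [
    {"pid": 4101, "uid": 1005, "user": "alice", "exe": "/home/alice/.x/eggdrop", "shown": "/usr/sbin/httpd"},
    {"pid": 4102, "uid": 1006, "user": "myuser", "exe": "/home/myuser/psyBNC", "shown": "./psyBNC"},
    {"pid": 4103, "uid": 0, "user": "root", "exe": "/usr/local/sbin/ircd", "shown": "ircd"},
    {"pid": 4104, "uid": 1007, "user": "bob", "exe": "/usr/bin/bnc", "shown": "bnc"},
    {"pid": 4105, "uid": 1008, "user": "carol", "exe": "/home/carol/BitchX (deleted)", "shown": "BitchX"},
]

if __name__ == "__main__":
    print(*audit(read_procs(), parse_trusted("myuser")), sep="\n")
```

Run on the server, it prints one line per finding and terminates nothing; `audit(SAMPLE, parse_trusted("myuser"))` shows the same rules applied to the constructed records.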

Reference: cPanel & WHM Documentation — Background Process Killer
