Author Topic: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}  (Read 511 times)


I've got the following mail from the firewall. Any idea what it means? I didn't see anything odd and the site is loading.
I've replaced the username with {USERNAME}.

Subject: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}

Time:    Thu Feb 14 22:38:21 2019 +0200
PID:     25646 (Parent PID:3086)
Account: {USERNAME}
Uptime:  67 seconds


Executable:

/opt/alt/php-fpm56/usr/sbin/php-fpm


Command Line (often faked in exploits):

php-fpm: pool {USERNAME}


Network connections by the process (if any):

tcp: 127.0.0.1:42342 -> 127.0.0.1:3306


Files open by the process (if any):

/tmp/.ZendSem.Od78F8 (deleted)
/dev/urandom
/home/{USERNAME}/public_html/wp-content/wflogs/ips.php
/home/{USERNAME}/public_html/wp-content/wflogs/config.php
/home/{USERNAME}/public_html/wp-content/wflogs/attack-data.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-synced.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-livewaf.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-transient.php
/home/{USERNAME}/public_html/wp-content/wflogs/GeoLite2-Country.mmdb
/etc/pki/nssdb/cert9.db
/etc/pki/nssdb/key4.db

Re: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
« Reply #1 on: March 01, 2019, 10:26:08 AM »
It's an lfd notification for a strange process. It could be related to malware on that account, and you should scan it for malware.

You can also disable php-fpm process notifications, if this is OK for you, in:
/etc/csf/csf.pignore
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't let your server or website go down; choose a hosting provider with expert managed support for your CWP included.
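As an added example (not code from this thread, from CSF/lfd or from any poster), here is a small Python triage helper for alerts in the format shown above: it parses the alert sections, applies the checks a defender would make before either killing the process or, as suggested in Reply #1, whitelisting it in /etc/csf/csf.pignore, and emits the pignore entry for the observed binary. The expected php-fpm paths, the OPcache lock-file convention and the sample alert are assumptions or constructed input; adjust the paths to your own host.

```python
import re
# Constructed sample, modelled on the alert posted above (username replaced).
SAMPLE_ALERT = """\
Account: alice
Executable:
/opt/alt/php-fpm56/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool alice
Network connections by the process (if any):
tcp: 127.0.0.1:42342 -> 127.0.0.1:3306
Files open by the process (if any):
/tmp/.ZendSem.Od78F8 (deleted)
"""
SECTIONS = {"Executable:": "exe", "Command Line (often faked in exploits):": "cmd",
            "Network connections by the process (if any):": "net",
            "Files open by the process (if any):": "files"}

def parse_alert(text):
    """Split an lfd alert into its header fields and the four list sections."""
    alert = {"exe": [], "cmd": [], "net": [], "files": []}
    key = None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line in SECTIONS:
            key = SECTIONS[line]
        elif key is None:  # header lines such as "Account: alice"
            name, _, value = line.partition(":")
            alert[name.strip().lower()] = value.strip()
        else:
            alert[key].append(line)
    return alert
# Assumed legitimate php-fpm locations (CloudLinux alt-php, stock /usr/sbin); adjust per host.
KNOWN_PHP_FPM = re.compile(r"(/opt/alt/php-fpm\d+/usr/sbin|/usr/sbin)/php-fpm")
OPCACHE_LOCK = "/tmp/.ZendSem."  # OPcache unlinks its lock file, hence "(deleted)"
def triage(alert):
    """Return what a defender should check; an empty list means a normal-looking pool worker."""
    exe, cmd, findings = (alert["exe"] + [""])[0], (alert["cmd"] + [""])[0], []
    if not KNOWN_PHP_FPM.fullmatch(exe):
        findings.append(f"executable outside known php-fpm paths: {exe}")
    # The command line is attacker-controllable, so cross-check it against the account lfd reports.
    if cmd != f"php-fpm: pool {alert.get('account', '')}":
        findings.append(f"command line does not match the account's pool: {cmd!r}")
    for conn in alert["net"]:
        if not re.fullmatch(r"tcp: 127\.0\.0\.1:\d+ -> 127\.0\.0\.1:3306", conn):
            findings.append(f"connection other than local MySQL: {conn}")
    for path in alert["files"]:
        if not path.startswith(OPCACHE_LOCK) and (path.endswith("(deleted)")
                                                  or re.match(r"/(tmp|var/tmp|dev/shm)/", path)):
            findings.append(f"open file in temp dir or already deleted: {path}")
    return findings
def pignore_entry(alert):
    return f"exe:{alert['exe'][0]}"  # csf.pignore line; add it only after triage() comes back empty
```

Run it over the body of a real alert (the text after the Uptime line) to get a list of points to investigate; only a clean result justifies the pignore entry.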

Re: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
« Reply #2 on: March 01, 2019, 11:51:05 PM »
I'm a newbie, so please, can you tell me too how to stop it?
Regards

Re: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
« Reply #3 on: March 03, 2019, 04:14:47 AM »
The most important question is: 'Are these processes legitimate?'
If not, kill them, and investigate how they were activated.
If they are, why would you kill them?

If you don't know whether they are legitimate processes, try to learn more about the programs you have installed on your machine, and how they are executed, before making it publicly accessible. You could have very serious security problems, too easily.

Regards,
Netino