Control Web Panel
Security => CSF Firewall => Topic started by: ring_c on February 15, 2019, 06:55:27 AM
-
I've got the following mail from the firewall. Any idea what it means? I didn't see anything odd and the site is loading.
I've replaced the username with {USERNAME}.

Subject: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
Time: Thu Feb 14 22:38:21 2019 +0200
PID: 25646 (Parent PID:3086)
Account: {USERNAME}
Uptime: 67 seconds
Executable:
/opt/alt/php-fpm56/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool {USERNAME}
Network connections by the process (if any):
tcp: 127.0.0.1:42342 -> 127.0.0.1:3306
Files open by the process (if any):
/tmp/.ZendSem.Od78F8 (deleted)
/dev/urandom
/home/{USERNAME}/public_html/wp-content/wflogs/ips.php
/home/{USERNAME}/public_html/wp-content/wflogs/config.php
/home/{USERNAME}/public_html/wp-content/wflogs/attack-data.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-synced.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-livewaf.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-transient.php
/home/{USERNAME}/public_html/wp-content/wflogs/GeoLite2-Country.mmdb
/etc/pki/nssdb/cert9.db
/etc/pki/nssdb/key4.db
-
It's an lfd notification for a strange process; it could be related to malware on that account, and you should scan it for malware.
You can also disable php-fpm process notifications if this is OK:
/etc/csf/csf.pignore
-
I'm a newbie, so please, can you tell me how to stop it too?
Regards
-
The most important question is: 'Are these processes legitimate?'
If not, kill them, and investigate how they were activated.
If they are, why would you kill them?
If you don't know whether they are legitimate processes, try to learn more about the programs you have installed on your machine, and how they are executed, before making it publicly accessible. You could have very serious security problems, too easily.
Regards,
Netino
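As an added illustration (not code from the thread or from CSF/lfd) of the "are these processes legitimate?" check: a small Python triage that parses an alert in the layout quoted in the first post and flags the things a defender would look at first. The sample alert, the `TRUSTED_EXE` allowlist and the `SYSTEM_PREFIXES` tuple are constructed assumptions; note it deliberately judges by the executable path, not the command line, because lfd itself marks the command line as easily faked.

```python
import re
# Constructed sample alert in the lfd "Suspicious process" layout quoted in the first post
SAMPLE_ALERT = """\
Time: Thu Feb 14 22:38:21 2019 +0200
Account: exampleuser
Executable:
/opt/alt/php-fpm56/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool exampleuser
Network connections by the process (if any):
tcp: 127.0.0.1:42342 -> 127.0.0.1:3306
Files open by the process (if any):
/tmp/.ZendSem.Od78F8 (deleted)
/home/exampleuser/public_html/wp-content/wflogs/config.php
"""
# Hypothetical per-host allowlist of executables the operator has verified (e.g. with rpm -V)
TRUSTED_EXE = {"/opt/alt/php-fpm56/usr/sbin/php-fpm"}
SYSTEM_PREFIXES = ("/dev/", "/etc/", "/usr/", "/opt/", "/tmp/", "/var/")

def parse_alert(text):
    # Single-value fields ("Account: x") go in as strings, sections as lists of lines
    fields, section = {}, None
    for line in text.splitlines():
        m = re.match(r"^(Time|PID|Account|Uptime): *(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif line.endswith(":"):          # section header such as "Executable:"
            section = line[:-1]
            fields[section] = []
        elif section and line.strip():
            fields[section].append(line.strip())
    return fields

def triage(text):
    # Returns a list of findings; an empty list means nothing in the alert looks off
    a, findings = parse_alert(text), []
    exe = a["Executable"][0]
    # lfd itself notes the command line is easily faked, so judge by the executable path
    if exe not in TRUSTED_EXE:
        findings.append(f"executable not on allowlist: {exe}")
    for conn in a.get("Network connections by the process (if any)", []):
        m = re.match(r"^\w+: \S+ -> (\S+):\d+$", conn)
        if m and not m.group(1).startswith("127."):
            findings.append(f"non-loopback connection: {conn}")
    home = f"/home/{a['Account']}/"
    for entry in a.get("Files open by the process (if any)", []):
        path = entry.replace(" (deleted)", "")
        if not path.startswith(home) and not path.startswith(SYSTEM_PREFIXES):
            findings.append(f"file outside account home and system paths: {path}")
    return findings
```

An empty result for the sample alert is consistent with the thread's eventual reading (the binary is the expected php-fpm, the only connection is to local MySQL, the open files are the account's own Wordfence logs); anything returned is a reason to scan the account rather than to silence the notification in csf.pignore.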