Control Web Panel

Security => CSF Firewall => Topic started by: ring_c on February 15, 2019, 06:55:27 AM

Title: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
Post by: ring_c on February 15, 2019, 06:55:27 AM

I've got the following mail from the firewall. Any idea what it means? I didn't see anything odd and the site is loading.
I've replaced the username with {USERNAME}.

Subject: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
Time:    Thu Feb 14 22:38:21 2019 +0200
PID:     25646 (Parent PID:3086)
Account: {USERNAME}
Uptime:  67 seconds


Executable:

/opt/alt/php-fpm56/usr/sbin/php-fpm


Command Line (often faked in exploits):

php-fpm: pool {USERNAME}


Network connections by the process (if any):

tcp: 127.0.0.1:42342 (http://127.0.0.1:42342/) -> 127.0.0.1:3306 (http://127.0.0.1:3306/)


Files open by the process (if any):

/tmp/.ZendSem.Od78F8 (deleted)
/dev/urandom
/home/{USERNAME}/public_html/wp-content/wflogs/ips.php
/home/{USERNAME}/public_html/wp-content/wflogs/config.php
/home/{USERNAME}/public_html/wp-content/wflogs/attack-data.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-synced.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-livewaf.php
/home/{USERNAME}/public_html/wp-content/wflogs/config-transient.php
/home/{USERNAME}/public_html/wp-content/wflogs/GeoLite2-Country.mmdb
/etc/pki/nssdb/cert9.db
/etc/pki/nssdb/key4.db
Title: Re: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
Post by: studio4host on March 01, 2019, 10:26:08 AM
It's an lfd notification for a strange process; it could be related to malware on that account, and you should scan it for malware.

You can also disable php-fpm process notifications, if this is OK for you, in
/etc/csf/csf.pignore
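As an added example (not code from this thread, from CSF or from CWP): a small Python parser for the lfd "Suspicious process" alert quoted above, followed by the triage checks a defender would run before either killing the process or whitelisting it, and the csf.pignore line that would suppress future alerts for that binary. The two alert texts are constructed here (the first is modelled on the one posted, with the forum-inserted URLs removed and the second showing what a masquerading process looks like in the same format); the temp-directory list and the finding codes are my own. The `exe:` key (exact path match) and `pcmd:` key (regex on the command line) are real csf.pignore syntax.

```python
import ipaddress
import os
import re
from dataclasses import dataclass

# Constructed sample, modelled on the alert quoted in this thread (placeholders kept).
SAMPLE_ALERT = """\
Time:    Thu Feb 14 22:38:21 2019 +0200
PID:     25646 (Parent PID:3086)
Account: {USERNAME}
Uptime:  67 seconds

Executable:

/opt/alt/php-fpm56/usr/sbin/php-fpm

Command Line (often faked in exploits):

php-fpm: pool {USERNAME}

Network connections by the process (if any):

tcp: 127.0.0.1:42342 -> 127.0.0.1:3306

Files open by the process (if any):

/tmp/.ZendSem.Od78F8 (deleted)
/dev/urandom
/home/{USERNAME}/public_html/wp-content/wflogs/ips.php
/etc/pki/nssdb/cert9.db
"""

# Constructed sample of a masquerading process in the same format
# (blank separator lines omitted; the parser ignores them anyway).
BAD_ALERT = """\
Time:    Thu Feb 14 23:01:09 2019 +0200
PID:     31337 (Parent PID:1)
Account: {USERNAME}
Uptime:  9 seconds
Executable:
/tmp/.x/httpd (deleted)
Command Line (often faked in exploits):
[kworker/0:1]
Network connections by the process (if any):
tcp: 10.0.0.5:51234 -> 198.51.100.7:6667
Files open by the process (if any):
/tmp/.x/run.sh
"""

SECTIONS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "command_line",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "open_files",
}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable locations (my choice)
SCRIPT_EXT = (".sh", ".pl", ".py", ".php")


@dataclass
class LfdAlert:
    pid: int
    parent_pid: int
    account: str
    uptime_seconds: int
    executable: str
    command_line: str
    connections: list
    open_files: list


def parse_alert(text: str) -> LfdAlert:
    """Split the alert into its 'Key: value' header and the four body sections."""
    fields, body, current = {}, {v: [] for v in SECTIONS.values()}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
        elif current is None:                    # still in the header block
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        else:
            body[current].append(line)
    pid, ppid = re.match(r"(\d+)\s*\(Parent PID:\s*(\d+)\)", fields["PID"]).groups()
    return LfdAlert(
        pid=int(pid), parent_pid=int(ppid), account=fields["Account"],
        uptime_seconds=int(fields["Uptime"].split()[0]),
        executable=body["executable"][0],
        command_line=" ".join(body["command_line"]),
        connections=body["connections"], open_files=body["open_files"],
    )


def triage(alert: LfdAlert) -> list:
    """Return (code, detail) findings; an empty list means nothing stood out."""
    findings = []
    exe = alert.executable.replace(" (deleted)", "")
    if exe.startswith(TEMP_DIRS):
        findings.append(("exe_in_tmp", exe))
    if alert.executable.endswith("(deleted)"):   # binary removed after start: common for droppers
        findings.append(("exe_deleted", alert.executable))
    # lfd warns the command line is often faked: compare its first token with the real binary.
    argv0 = alert.command_line.split()[0].rstrip(":") if alert.command_line else ""
    if os.path.basename(argv0) != os.path.basename(exe):
        findings.append(("cmdline_mismatch", alert.command_line))
    for conn in alert.connections:               # "proto: local -> remote"
        remote = conn.split("->")[-1].strip()
        host = remote.rpartition(":")[0].strip("[]")
        if not ipaddress.ip_address(host).is_loopback:
            findings.append(("remote_connection", remote))
    for path in alert.open_files:
        if path.startswith(TEMP_DIRS) and path.endswith(SCRIPT_EXT):
            findings.append(("script_in_tmp", path))
    return findings


def pignore_line(alert: LfdAlert) -> str:
    """csf.pignore entry for this binary; 'exe:' matches the full path exactly.
    A per-pool alternative is a regex line such as 'pcmd:php-fpm: pool .*'."""
    return "exe:" + alert.executable.replace(" (deleted)", "")
```

Run `triage()` first and only add the `pignore_line()` output once the malware scan suggested above is clean: because `exe:` matches the exact path, a binary dropped under /tmp that names itself php-fpm in its command line still raises an alert, and the `cmdline_mismatch` check catches the same trick in the alert text.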
Title: Re: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
Post by: Mighty Dr.Wolf on March 01, 2019, 11:51:05 PM
I'm a newbie so please, can you tell me too how to stop it?
Regards
Title: Re: lfd on {HOSTNAME}: Suspicious process running under user {USERNAME}
Post by: Netino on March 03, 2019, 04:14:47 AM
The most important question is: are these processes legitimate?
If not, kill them, and investigate how they were activated.
If they are, why would you kill them?

If you don't know whether they are legitimate processes, try to learn more about the programs you have installed on your machine, and how they are executed, before making it publicly accessible. You could have very serious security problems, too easily.

Regards,
Netino