Suspicious process running email
I get an e-mail every 5 minutes regarding an issue on one of the accounts of my server.
It's always the same IP in Russia.
I've blocked that IP in CSF and restarted it, but I keep on getting these notifications and don't know how to block this IP in another way. What can I do?!
Thanks!
Time: Sun Mar 4 09:44:06 2018 +0100
PID: 28046 (Parent PID:22405)
Account: klarisd
Uptime: 69 seconds
Executable:
/opt/cpanel/ea-php71/root/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool example_com
Network connections by the process (if any):
tcp: 149.202.xx.xx:50810 -> 193.219.xxx.xx:443
Files open by the process (if any):
Memory maps by the process (if any):
556b93627000-556b93c04000 r-xp 00000000 09:02 2385097 /opt/cpanel/ea-php71/root/usr/sbin/php-fpm
556b93e03000-556b93e95000 r--p 005dc000 09:02 2385097 /opt/cpanel/ea-php71/root/usr/sbin/php-fpm
556b93e95000-556b93eb2000 rw-p 0066e000 09:02 2385097 /opt/cpanel/ea-php71/root/usr/sbin/php-fpm
556b93eb2000-556b94115000 rw-p 00000000 00:00 0 [heap]
556b94115000-556b941bf000 rw-p 00000000 00:00 0 [heap]
7fa150000000-7fa150021000 rw-p 00000000 00:00 0
php-fpm is not usually regarded as a suspicious process, and should probably be added to the csf.pignore file.
OK, but it seems it was (very) frequent solicitations from a Russian IP which shouldn't be accessing the server, so I'm looking for a way to block specific IPs when I see this kind of issue ...
I've blocked that IP in CSF and restarted it, but I keep on getting these notifications and don't know how to block this IP in another way. What can I do?!
Hello, Is it the same IP address that you blocked via CSF, or part of the same range? Also, how specifically did you block the IP address? Thank you.
It was always the same IP address. I went in CSF >> Quick deny >> Block IP address
It was always the same IP address I went in CSF >> Quick deny >> Block IP address
Hello, It seems like an issue with CSF if the IP address continues to make successful new connections after it's blocked in your firewall. There's a thread here you may find helpful: Or, consider contacting CSF's support team for help determining why the IP block isn't working. Thank you.
OK thanks, I'll have a look at this!
Just check that you didn't accidentally add the IP to the CSF whitelist. Incidentally, I blocked the entire country.
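The lfd alert above lists the flagged process's connections as "proto: local:port -> remote:port", and the advice in this thread is to check csf.pignore, csf.deny and whether the IP landed in the whitelist. The following is an added shell example, not code from the thread, from CSF or from cPanel: it parses an alert of that shape, extracts the remote peers, flags whether the process dialled out (high local port to a low remote port, as in the alert above) or accepted a connection, and checks each peer against csf.deny and csf.allow. The alert text, the CSF list files and the TEST-NET addresses are constructed so it runs offline; CSF_DIR standing in for /etc/csf is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's, CSF's or cPanel's code): parse an lfd
# "Suspicious process running" alert and check its remote peers against
# csf.deny / csf.allow. Everything below is constructed sample data.

WORK=$(mktemp -d)
CSF_DIR="$WORK/csf"      # assumption: stands in for /etc/csf on a real host
mkdir -p "$CSF_DIR"

# Constructed alert in lfd's format: "proto: local:port -> remote:port"
cat > "$WORK/alert.txt" <<'EOF'
Time: Sun Mar 4 09:44:06 2018 +0100
PID: 28046 (Parent PID:22405)
Account: klarisd
Executable:
/opt/cpanel/ea-php71/root/usr/sbin/php-fpm
Network connections by the process (if any):
tcp: 192.0.2.10:50810 -> 198.51.100.7:443
tcp: 192.0.2.10:443 -> 203.0.113.5:51234
Files open by the process (if any):
EOF

# Constructed CSF lists: one peer is denied, the other was (accidentally) allowed.
printf '198.51.100.7 # do not delete\n' > "$CSF_DIR/csf.deny"
printf '203.0.113.5\n' > "$CSF_DIR/csf.allow"

# remote_peers FILE: print "remote_ip remote_port local_port" per tcp/udp line.
# IPv4 only; the right-hand address in an lfd alert is the remote side.
remote_peers() {
    awk '/^(tcp|udp): / {
        split($2, l, ":"); split($4, r, ":")
        print r[1], r[2], l[2]
    }' "$1"
}

# in_list LISTFILE IP: succeed if IP is an exact entry (trailing "# comment" ignored).
in_list() {
    awk -v ip="$2" '{ sub(/#.*/, ""); if ($1 == ip) found = 1 } END { exit !found }' "$1"
}

# peer_status IP: ALLOWED (csf.allow overrides csf.deny in CSF), DENIED or UNLISTED.
peer_status() {
    if in_list "$CSF_DIR/csf.allow" "$1"; then echo ALLOWED
    elif in_list "$CSF_DIR/csf.deny" "$1"; then echo DENIED
    else echo UNLISTED
    fi
}

# report FILE: one line per remote peer: "ip direction status".
report() {
    remote_peers "$1" | while read -r ip rport lport; do
        # Low remote port with a high local port: the local process opened the connection.
        if [ "$rport" -lt 1024 ] && [ "$lport" -ge 1024 ]; then dir=outbound; else dir=inbound; fi
        echo "$ip $dir $(peer_status "$ip")"
    done
}

report "$WORK/alert.txt"
```

On a real host, point CSF_DIR at /etc/csf and feed the saved alert e-mail instead of the constructed text. An ALLOWED result for the peer you meant to block is exactly the accidental-whitelist case the last comment describes, and an outbound line means the flagged process on the server initiated the connection, which is a different question from whether inbound traffic from that address is being dropped.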