php-fpm Suspicious process running under user
I've seen other threads mention this notice and how to disable it. My question is, how do I know this is something I can disregard and that it isn't a security problem? We weren't getting this error until last night and now we're getting it almost every minute.
Time: Mon Jul 1 10:19:16 2019 -0600
PID: 15384 (Parent PID:27713)
Account: -------
Uptime: 122 seconds
Executable:
/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool ---------_com
Network connections by the process (if any):
tcp: Removed:36104 -> Removed:443
Files open by the process (if any):
/dev/null
/tmp/.ZendSem.t8mCpN (deleted)
/dev/urandom
Hello @athanasiusrc, A background in System Administration (specific to Security) is generally recommended to investigate and assess notifications like this. While you could point to the name of the files seen in the output and conclude it's a false positive based on similar reports, you must also consider that exploits are sometimes designed from the standpoint of "make the detection of this exploit resemble what's often seen in false positives". Specific to this topic, the discussion on the following thread should help: Thank you.
Thank you for the suggestions. A malware scan of the system didn't find anything. We'll move up to something more robust and see if it finds anything.
Looks like your PHP script was connecting to a remote IP on port 443; you may use whois to find the provider of the remote IP. E.g., if you have the WordPress updraft plugin, it will make a backup on your server and send the backup to a remote IP. In this case, it's legitimate.
    tcp: Removed:36104 -> Removed:443
Yes, we have updraft. How can I disable the warning?
Modify /etc/csf/csf.pignore and add
    pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
or ignore the user
    user:username
Then restart csf
    csf -ra
Doing this you might miss a real suspicious process. So, it's better to just ignore the warning.
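The thread's advice is to whitelist php-fpm in csf.pignore, with the caveat that a whitelist also hides a real rogue process. The following is an added example (not from the forum, cPanel or the csf project) of the checks a reviewer can run over an lfd notice before deciding to whitelist it: it parses the notice format quoted above, confirms the executable really is the cPanel-installed php-fpm binary, checks that the command line (which lfd warns is often faked) agrees with the executable name, lists outbound connections and /tmp files for manual review, and reports which csf.pignore entries would suppress the notice. The csf.pignore entries, the expected-path pattern and the anchored regex matching for pexe are assumptions of this example; csf's own csf.pignore comments describe pexe entries as Perl regular expressions, which is why the version wildcard is written .* here.

```python
"""Triage helper for lfd "Suspicious process" notices (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the notice quoted in the thread, with the values the
# poster had already redacted left as placeholders.
SAMPLE_NOTICE = """Time: Mon Jul 1 10:19:16 2019 -0600
PID: 15384 (Parent PID:27713)
Account: -------
Uptime: 122 seconds
Executable:
/opt/cpanel/ea-php72/root/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool ---------_com
Network connections by the process (if any):
tcp: Removed:36104 -> Removed:443
Files open by the process (if any):
/dev/null
/tmp/.ZendSem.t8mCpN (deleted)
/dev/urandom
"""

# Hypothetical csf.pignore entries. pexe: is treated as a regex, so the
# EA-PHP version wildcard is written .* rather than a shell-style *.
PIGNORE = [
    "pexe:/opt/cpanel/ea-php.*/root/usr/sbin/php-fpm",
    "user:nobody",
]

# Where cPanel's EasyApache installs php-fpm (assumed pattern for this example).
EXPECTED_PHP_FPM = re.compile(r"^/opt/cpanel/ea-php\d+/root/usr/sbin/php-fpm$")


@dataclass
class Notice:
    pid: int
    ppid: int
    account: str
    executable: str
    cmdline: str
    connections: list
    files: list


def parse_notice(text: str) -> Notice:
    """Parse the lfd notice layout into its fields."""
    fields = {"executable": "", "cmdline": "", "connections": [], "files": []}
    pid = ppid = 0
    account = ""
    section = None
    for line in (l.rstrip() for l in text.strip().splitlines()):
        m = re.match(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", line)
        if m:
            pid, ppid = int(m.group(1)), int(m.group(2))
        elif line.startswith("Account:"):
            account = line.split(":", 1)[1].strip()
        elif line.startswith("Executable:"):
            section = "executable"
        elif line.startswith("Command Line"):
            section = "cmdline"
        elif line.startswith("Network connections"):
            section = "connections"
        elif line.startswith("Files open"):
            section = "files"
        elif section in ("executable", "cmdline") and not fields[section]:
            fields[section] = line          # single-line sections
        elif section in ("connections", "files") and line:
            fields[section].append(line)    # multi-line sections
    return Notice(pid, ppid, account, fields["executable"], fields["cmdline"],
                  fields["connections"], fields["files"])


def triage(notice: Notice) -> dict:
    """Checks worth making before trusting a csf.pignore whitelist."""
    exe_base = notice.executable.rsplit("/", 1)[-1]
    # "php-fpm: pool example_com" -> "php-fpm"; an exploit may spoof this.
    cmd_first = notice.cmdline.split(":", 1)[0].split()
    cmd_base = cmd_first[0].rsplit("/", 1)[-1] if cmd_first else ""
    return {
        "exe_is_cpanel_php_fpm": bool(EXPECTED_PHP_FPM.match(notice.executable)),
        "cmdline_matches_exe": cmd_base == exe_base,
        "outbound": [c for c in notice.connections if c.startswith("tcp:")],
        "tmp_files": [f for f in notice.files if f.startswith("/tmp/")],
    }


def pignore_matches(notice: Notice, entries) -> list:
    """Return the csf.pignore entries that would suppress this notice
    (exe: exact path, pexe: anchored regex, user: exact account)."""
    hits = []
    for entry in entries:
        kind, _, value = entry.partition(":")
        if kind == "exe" and notice.executable == value:
            hits.append(entry)
        elif kind == "pexe" and re.fullmatch(value, notice.executable):
            hits.append(entry)
        elif kind == "user" and notice.account == value:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    n = parse_notice(SAMPLE_NOTICE)
    for key, value in triage(n).items():
        print(f"{key}: {value}")
    print("suppressed by:", pignore_matches(n, PIGNORE))
```

Run against the sample, the executable check and the command-line check both pass, the single outbound connection on port 443 and the deleted /tmp semaphore file are listed for manual review (the thread's whois suggestion applies to the remote address), and only the pexe entry matches, so a whitelist on that entry would silence this notice while still leaving the account itself unignored.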