Can't get lsphp command whitelisting in /etc/csf/csf.pignore to work
Hi Guys,
We are getting a lot of these errors:
Executable:
/opt/cpanel/ea-php72/root/usr/bin/lsphp.cagefs
Command Line (often faked in exploits):
lsphp:/home/[user]/public_html/wp-cron.php
They are very much a false positive, since wp-cron.php is a normal script in all WP installations.
So how do we whitelist this cmd?
I have tried adding this in /etc/csf/csf.pignore:
pcmd:lsphp:/home/*/public_html/wp-cron.php
pcmd:lsphp:/home/*/public_html/*/wp-cron.php
pcmd:lsphp:/home/*/*/wp-cron.php
We have also tried:
pcmd:/usr/bin/php /home/*/public_html/wp-cron.php
pcmd:/usr/bin/php /home/*/public_html/*/wp-cron.php
pcmd:/usr/bin/php /home/*/*/wp-cron.php
But it does not seem to have an effect. Any ideas?
-
I don't do this but would try...
pcmd:lsphp:/home/.*/public_html/wp-cron\.php
and
pcmd:lsphp:/home/.*/public_html/.*/wp-cron\.php
Also note that Chirpy warns...
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
0 -
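The patterns from this thread checked against the alert's command line, as an added example that is not part of the original posts. The p-prefixed entries in csf.pignore are Perl regular expressions rather than shell globs; Python's re stands in for Perl here, and the whole-line anchoring, the user name, the ADDON and NESTED command lines and the TIGHT pattern are assumptions made for illustration.

```python
import re

# Constructed sample command lines in the form the alert shows them
# (the user name "alice" and the paths are made up for this example).
ALERT = "lsphp:/home/alice/public_html/wp-cron.php"
ADDON = "lsphp:/home/alice/public_html/shop/wp-cron.php"
NESTED = "lsphp:/home/alice/tmp/public_html/wp-cron.php"

# pcmd: values from the thread, without the "pcmd:" prefix.
GLOB_STYLE = r"lsphp:/home/*/public_html/wp-cron.php"       # first attempt
REGEX_STYLE = r"lsphp:/home/.*/public_html/wp-cron\.php"    # from the reply
REGEX_SUBDIR = r"lsphp:/home/.*/public_html/.*/wp-cron\.php"
# Tighter variant (added here, not from the thread): the user name must be
# exactly one path component, so ".*" cannot span extra directories.
TIGHT = r"lsphp:/home/[^/]+/public_html/wp-cron\.php"


def ignored(pattern: str, cmdline: str) -> bool:
    """True if the pattern, read as a regex, matches the whole command line.

    Assumption: the entry is applied to the full command line, anchored at
    both ends; re.fullmatch models that.
    """
    return re.fullmatch(pattern, cmdline) is not None


def report(patterns, cmdlines):
    """Return {(pattern, cmdline): bool} for every combination."""
    return {(p, c): ignored(p, c) for p in patterns for c in cmdlines}


if __name__ == "__main__":
    patterns = [GLOB_STYLE, REGEX_STYLE, REGEX_SUBDIR, TIGHT]
    for (p, c), hit in report(patterns, [ALERT, ADDON, NESTED]).items():
        verdict = "ignored" if hit else "alerts"
        print(f"{verdict:8} {p:48} {c}")
```

In a regex, `/*` means "zero or more slashes", which is why the glob-style entries never matched a real home directory, while `.*` also crosses directory separators and therefore ignores more paths than the document root alone.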
This is also discussed on their forums here: Process Tracking and csf.pignore - ConfigServer Community Forum and it's also discussed in Section 8 of their readme here: Process Tracking and csf.pignore - ConfigServer Community Forum
0 -
Thanks guys - looks like the code from fuzzylogic works :)
0 -
Ideally you'd want to add the pignore for the lsphp binaries instead of specific scripts:
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*
0 -
Ideally you'd want to add the pignore for the lsphp binaries instead of specific scripts:
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*
But would this not whitelist all processes? Then we would not get any alerts for processes that might actually be suspicious?
0 -
That would whitelist all lsphp processes; it would not whitelist all processes.
0