Hacking attempts using UID 1001
Can someone unpack for me the meaning of the following:
Notice from CSF:
lfd on local.domain.com: Excessive processes running under user localhost
User:xxxxxxxx PID:28242 PPID:28000 Run Time:0(secs) Memory:250800(kb) RSS:22720(kb) exe:/opt/cpanel/ea-php73/root/usr/bin/php-cgi cmd:/opt/cpanel/ea-php73/root/usr/bin/php-cgi /home/xxxxxx/public_html/xxxxxxx.com/administrator/index.php
and in apache logs many entries:
[info] Executing "/home/xxxxxxxxxx/public_html/xxxxxxx.com/administrator/index.php" as UID 1001, GID 1003
Hello @cPRex and thanks for the information. The xxxxxxx'd out is user 1001/1003 but so is my VPN user through which I connect to my server, so wondering if that's an issue.
Nope - that sounds normal to me. CSF is just touchy sometimes and thinks you shouldn't be using as many resources as you are. If the site is working well and not causing problems, you likely can just adjust the CSF notification and you'll be all set.
Pretty sure it was a bot as the link is to an admin login credential page for an application running on the server with repeated hits. Thanks for your help and stay safe and healthy.
You as well!
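The lfd notice and the Apache lines quoted in the question can be lined up by script path to see how often the flagged script ran and under which UID/GID. This is an added example, not code from the thread or from CSF or cPanel; the account name exampleuser, the domain example.com and the sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Line formats as they appear in the question; any prefix before them is ignored.
EXEC_RE = re.compile(r'\[info\] Executing "([^"]+)" as UID (\d+), GID (\d+)')
LFD_RE = re.compile(
    r'User:(?P<user>\S+) PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) '
    r'Run Time:(?P<secs>\d+)\(secs\) Memory:(?P<mem_kb>\d+)\(kb\) '
    r'RSS:(?P<rss_kb>\d+)\(kb\) exe:(?P<exe>\S+) cmd:(?P<cmd>.+)')

def parse_lfd(line):
    """Split one lfd process line into typed fields, or return None."""
    m = LFD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "ppid", "secs", "mem_kb", "rss_kb"):
        rec[key] = int(rec[key])
    # cmd is "<php-cgi binary> <script>", so the script is the last argument
    rec["script"] = rec["cmd"].split()[-1]
    return rec

def tally_exec(lines):
    """Count Apache 'Executing' lines per (script, uid, gid)."""
    counts = Counter()
    for line in lines:
        m = EXEC_RE.search(line)
        if m:
            counts[(m.group(1), int(m.group(2)), int(m.group(3)))] += 1
    return counts

def correlate(lfd_lines, apache_lines):
    """For each lfd-flagged process, report executions of the same script."""
    counts = tally_exec(apache_lines)
    report = []
    for rec in filter(None, map(parse_lfd, lfd_lines)):
        ids = {(u, g): n for (s, u, g), n in counts.items() if s == rec["script"]}
        report.append({"user": rec["user"], "script": rec["script"],
                       "rss_kb": rec["rss_kb"], "executions": sum(ids.values()), "ids": ids})
    return report

# Constructed sample input in the formats shown in the question
ADMIN = "/home/exampleuser/public_html/example.com/administrator/index.php"
LFD = ["User:exampleuser PID:28242 PPID:28000 Run Time:0(secs) Memory:250800(kb) RSS:22720(kb) "
       "exe:/opt/cpanel/ea-php73/root/usr/bin/php-cgi cmd:/opt/cpanel/ea-php73/root/usr/bin/php-cgi " + ADMIN]
APACHE = ['[info] Executing "%s" as UID 1001, GID 1003' % ADMIN] * 4
APACHE += ['[info] Executing "/home/exampleuser/public_html/example.com/index.php" as UID 1001, GID 1003']

if __name__ == "__main__":
    for row in correlate(LFD, APACHE):
        print(row)
```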