lfd Suspicious process running under user nobody
my whm version: 100.0.7
apache+nginx+npm+php-fpm
I am getting hundreds of alert emails from ConfigServer Security & Firewall - csf v14.15 as follows:
Time: Thu Jan 27 20:29:02 2022 +0530
PID: 2656 (Parent PID:31208)
Account: nobody
Uptime: 92 seconds
Executable:
/usr/sbin/nginx
Command Line (often faked in exploits):
nginx: worker process
Network connections by the process (if any):
tcp: server ip:443 -> 132.154.107.77:47762
tcp: server ip:443 -> 157.35.73.99:46326
tcp: server ip:443 -> 157.34.232.147:42008
tcp: server ip:443 -> 157.36.140.4:34246
tcp: server ip:443 -> 157.42.237.66:37784
tcp: server ip:443 -> 103.80.57.110:61627
tcp: server ip:443 -> 157.41.144.67:39656
tcp: server ip:443 -> 116.71.6.100:39138
tcp: server ip:443 -> 116.71.6.100:33499
tcp: server ip:443 -> 106.207.209.83:38060
tcp: server ip:443 -> 106.207.209.83:38062
Files open by the process (if any):
/dev/null
/dev/null
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/access.log
anon_inode:[eventpoll]
anon_inode:[eventfd]
anon_inode:[eventfd]
Memory maps by the process (if any):
560246222000-560246420000 r-xp 00000000 fd:01 1136988 /usr/sbin/nginx
560246620000-560246627000 r--p 001fe000 fd:01 1136988 /usr/sbin/nginx
560246627000-560246649000 rw-p 00205000 fd:01 1136988 /usr/sbin/nginx
560246649000-560246669000 rw-p 00000000 00:00 0
560247701000-560248e7b000 rw-p 00000000 00:00 0 [heap]
7f52e1969000-7f52e2369000 rw-s 00000000 00:04 2458603 /dev/zero (deleted)
7f52e2369000-7f52e2d69000 rw-s 00000000 00:04 2458602 /dev/zero (deleted)
7f52e2d69000-7f52e3769000 rw-s 00000000 00:04 2458601 /dev/zero (deleted)
7f52e3769000-7f52e3775000 r-xp 00000000 fd:01 310614 /usr/lib64/libnss_files-2.17.so
7f52e3775000-7f52e3974000 ---p 0000c000 fd:01 310614 /usr/lib64/libnss_files-2.17.so
7f52e3974000-7f52e3975000 r--p 0000b000 fd:01 310614 /usr/lib64/libnss_files-2.17.so
7f52e3975000-7f52e3976000 rw-p 0000c000 fd:01 310614 /usr/lib64/libnss_files-2.17.so
7f52e3976000-7f52e397c000 rw-p 00000000 00:00 0
7f52e397c000-7f52e3980000 r-xp 00000000 fd:01 239182168 /usr/lib64/nginx/modules/ngx_http_pipelog_module.so
7f52e3980000-7f52e3b80000 ---p 00004000 fd:01 239182168 /usr/lib64/nginx/modules/ngx_http_pipelog_module.so
7f52e3b80000-7f52e3b81000 r--p 00004000 fd:01 239182168 /usr/lib64/nginx/modules/ngx_http_pipelog_module.so
and more lines like these. I edited the firewall pignore file from WHM and added the following lines:
127.0.0.1
Include /etc/csf/cpanel.comodo.ignore
Include /etc/csf/cpanel.ignore
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/lmtp
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/stats
exe:/usr/local/bin/freshclam
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/local/bin/clamd
exe:/usr/share/cagefs-skeleton/usr/selector/lsphp
exe:/usr/selector/lsphp
exe:/usr/local/bin/lsphp
pexe:/usr/local/php../bin/php_uploadscan\.sh
pexe:/opt/alt/php../usr/bin/php-cgi
pexe:/usr/local/php../sbin/php-fpm..
pexe:/usr/local/php../bin/php-cgi..
pexe:/usr/local/php../bin/php..
pexe:/opt/alt/php../usr/bin/lsphp
exe:/usr/sbin/pure-ftpd
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/selector/php
exe:/usr/selector/php-cli
exe:/usr/sbin/nginx
exe:/usr/sbin/proxyexec
exe:/usr/sbin/nrpe
pexe:/usr/local/safe-bin/fcgid..\.sh
exe:/sbin/rpcbind
exe:/sbin/rpc.statd
exe:/usr/sbin/rsyslogd
exe:/usr/sbin/atd
exe:/usr/bin/wget
exe:/usr/sbin/snmpd
exe:/usr/bin/memcached
exe:/bin/gzip
exe:/bin/tar
exe:/usr/bin/dbus-daemon
exe:/sbin/rpcbind
exe:/usr/lib/polkit-1/polkitd
exe:/usr/sbin/avahi-daemon
pexe:/usr/sbin/nginx
Executable:
/usr/sbin/nginx
Still I am getting alert messages. Is it any problem, or is it OK? If OK, then how do I stop the alert emails? Thanks in advance.
Your syntax looks incorrect. You'd just want: exe:/usr/sbin/nginx
And then run csf -ra
to restart CSF and LFD. pexe is looking for a Perl regular expression. Executable is not a parameter, it's just exe.
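To make the exe:/pexe: distinction concrete, here is an added Python example (not part of the thread and not csf's own code) that parses a csf.pignore fragment constructed from the file posted above and reports which entry, if any, would cover the nginx worker from the alert. The matching semantics it implements (exe: compares the executable path literally, pexe: is a regex anchored over the whole path, lines lfd does not recognise are skipped silently and trailing whitespace becomes part of the value) are assumptions about lfd's behaviour, not something the page states; Include lines are not followed.

```python
import re
from dataclasses import dataclass

# Constructed csf.pignore fragment, modelled on the file posted in the question.
# It keeps the two lines the reply calls out as wrong: "pexe:/usr/sbin/nginx"
# (a regex where a literal was meant) and "Executable:" / "/usr/sbin/nginx"
# (not csf syntax at all). The 127.0.0.1 line is from the post as well.
SAMPLE_PIGNORE = """\
127.0.0.1
Include /etc/csf/cpanel.ignore
exe:/usr/libexec/dovecot/imap
pexe:/opt/alt/php.*/usr/bin/php-cgi
exe:/usr/sbin/nginx
pexe:/usr/sbin/nginx
Executable:
/usr/sbin/nginx
"""

# Rule keywords csf.pignore uses: literal (exe, cmd, user) and the
# Perl-regex variants prefixed with "p".
VALID_KEYS = {"exe", "pexe", "cmd", "pcmd", "user", "puser"}


@dataclass
class Rule:
    key: str
    value: str
    lineno: int


def parse_pignore(text):
    """Parse csf.pignore text into rules plus a list of (lineno, message)
    problems. lfd is assumed to silently skip lines it does not recognise,
    which is why a malformed entry never produces an error, only more
    alerts; this parser reports such lines instead of dropping them."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.strip().startswith("Include "):
            continue  # included files are not followed in this example
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or key not in VALID_KEYS:
            problems.append((n, f"not a csf.pignore rule: {line.strip()!r}"))
            continue
        # The value is deliberately NOT stripped: a trailing space becomes
        # part of the path and the literal comparison below then fails,
        # which models the behaviour described in the thread (assumption).
        if value != value.strip():
            problems.append((n, f"whitespace around value in {line!r}"))
        if key.startswith("p"):
            try:
                re.compile(value)
            except re.error as exc:
                problems.append((n, f"bad regex {value!r}: {exc}"))
                continue
        rules.append(Rule(key, value, n))
    return rules, problems


def matching_rule(rules, exe, cmdline="", user=""):
    """Return the first rule that would make lfd ignore a process with this
    executable path, command line and account, or None. Assumed semantics:
    exe/cmd/user compare the whole string literally; pexe/pcmd/puser are
    regexes anchored at both ends (re.fullmatch)."""
    fields = {"exe": exe, "cmd": cmdline, "user": user}
    for rule in rules:
        if rule.key.startswith("p"):
            if re.fullmatch(rule.value, fields[rule.key[1:]]):
                return rule
        elif fields[rule.key] == rule.value:
            return rule
    return None


if __name__ == "__main__":
    rules, problems = parse_pignore(SAMPLE_PIGNORE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    hit = matching_rule(rules, "/usr/sbin/nginx", "nginx: worker process", "nobody")
    print("nginx worker ignored by line", hit.lineno if hit else None)
```

Before adding the ignore rather than just silencing the alert, it is worth confirming the binary is the packaged one: `rpm -qf /usr/sbin/nginx` names the owning package and `rpm -V` on that package reports whether the file has been modified, and `readlink /proc/<PID>/exe` for the alerted PID should resolve to that same path rather than to a different or `(deleted)` file. The alert's own note that the command line is "often faked in exploits" is the reason to check the executable rather than the `nginx: worker process` string. The `rw-s ... /dev/zero (deleted)` entries in the memory map are how Linux lists shared anonymous memory, which nginx uses for its shared zones, so they are not by themselves evidence of anything unusual.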
exe:/usr/sbin/nginx is also in the pignore file, in the middle of the list, but I am still getting emails. Should I edit via SSH? Can't I use the WHM user interface?
It does not matter if you do it via the WHM interface or SSH. Make sure that the "x" in nginx is the last character, and you don't have spaces etc. after it. I've seen that mess it up.
Hey there! It's important to note that cPanel doesn't create or distribute the CSF firewall tool, so if that isn't behaving how you are expecting, it would be best to reach out to them directly at Technical Support. With your situation, adding the process to the ignore list like @ffeingol outlined will take care of the issue. Using either the command line or WHM will work just the same as long as the process is formatted correctly.