CSF csf.pignore - ignore WGET correctly?
Recently I disabled WP-CRON for wordpress and started using CPANEL with WGET to replace it. I've started getting emails "lfd on XXXXX: Suspicious process running under user". I found some instructions on where to go to tell CSF to ignore these in the /etc/csf/csf.pignore edit, but I'm unclear exactly how to do this. Here is what the LFD emails are showing:
Executable:
/home/virtfs/SOMEUSER/usr/bin/wget
Command Line (often faked in exploits):
wget -q -O -
Hey there! This would be a better question for the CSF team at Support » ConfigServer Services as we don't provide support for CSF. It's also worth noting that you can't use wildcards in the path in CSF, so if that is the actual entry in your ignore file, I would expect that to not work. We have some additional conversation in our Forums about this here: CSF csf.pignore syntax for suspicious process
It's also worth noting that you can't use wildcards in the path in CSF, so if that is the actual entry in your ignore file, I would expect that to not work.
You can, as it states in csf.pignore:

    # Or, perl regular expression matching (regex):
    #
    # pexe:/full/path/to/file as a perl regex
    # puser:username as a perl regex
    # pcmd:command line as a perl regex
    #
    # You must remember to escape characters correctly when using regex's, e.g.:
    # pexe:/home/.*/public_html/cgi-bin/script\.cgi
    # puser:bob\d.*
    # pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
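An added example, not part of the thread and not ConfigServer's code: a small checker that shows which processes a set of csf.pignore-style entries would suppress, comparing a literal path containing a wildcard, a broad pexe regex, and a narrow pcmd regex. Assumptions: entries are evaluated independently, a regex entry must match the whole field, Python's re stands in for Perl regex, and the user names, URLs and process samples are constructed.

```python
import re

# Constructed entries (not from the thread): literal-with-wildcard, broad, narrow.
LITERAL = ["exe:/home/virtfs/*/usr/bin/wget"]
BROAD = ["pexe:/home/virtfs/.*/usr/bin/wget"]
NARROW = [r"pcmd:wget -q -O - https://example\.com/wp-cron\.php\?doing_wp_cron"]

# Constructed process samples shaped like the fields in the LFD report.
PROCS = [
    {"exe": "/home/virtfs/someuser/usr/bin/wget", "user": "someuser",
     "cmd": "wget -q -O - https://example.com/wp-cron.php?doing_wp_cron"},
    {"exe": "/home/virtfs/otheruser/usr/bin/wget", "user": "otheruser",
     "cmd": "wget -q -O /tmp/x http://unknown.example/file"},
]

# Entry prefix -> (process field, treated as regex?)
FIELDS = {"exe": ("exe", False), "user": ("user", False), "cmd": ("cmd", False),
          "pexe": ("exe", True), "puser": ("user", True), "pcmd": ("cmd", True)}

def parse(lines):
    """Yield (field, is_regex, value) for each non-comment entry."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in FIELDS:
            field, is_regex = FIELDS[kind]
            yield field, is_regex, value

def ignored(proc, lines):
    """True if any single entry matches the process (entries assumed independent)."""
    for field, is_regex, value in parse(lines):
        target = proc[field]
        # Assumption: a regex entry has to match the whole field.
        if is_regex and re.fullmatch(value, target):
            return True
        if not is_regex and value == target:
            return True
    return False

def report(lines):
    """One boolean per sample in PROCS: would this entry set suppress the alert?"""
    return [ignored(p, lines) for p in PROCS]
```

The broad pexe entry suppresses the alert for every account's wget, including the second sample that is not the cron job, while the pcmd entry only covers the one scheduled command.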
Oh interesting, I feel like that wasn't the case in the past. This is why I shouldn't comment on CSF things :D