Suspicious process running under user
Hi, could someone please tell me what this means below? I have started getting 100s a day, not sure why.
PID: 6749 (Parent PID:1287)
Account: veg
Uptime: 229809 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/veg/public_html/index.php
In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours. The script running is their index.php on their site. I would go into the process manager in WHM and kill that process...
[quote="robb3369, post: 1579082"]In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours. The script running is their index.php on their site. I would go into the process manager in WHM and kill that process...[/quote]
Thanks, I have just killed it, but won't it come back again if it's a bad script?
I would investigate WHY it was running... but just keep an eye on it.
[quote="robb3369, post: 1579131"]I would investigate WHY it was running... but just keep an eye on it.[/quote]
Not really sure how to investigate it, but will keep an eye on it.
Well, ssh into the server and open the file and look at it... What software is the site running, like Joomla, WordPress, or ???...
It's running WordPress.
Take a look into the wp-content/plugins directory and see what may have been added... this will only show what plugins were installed, not necessarily which ones are actually enabled. Also, on the bottom of those emails there is sometimes a section that lists the "Network connections by the process". This sometimes helps determine what the issue is. We usually see this if the website is pulling RSS feeds or connecting to something else.
Hi, I sent an email to this customer telling them they need to get their site looked at, and also had this one below today for another customer. It's only this server I get them off; all my others I never get any.
/usr/local/cpanel/3rdparty/perl/514/bin/perl
Hello :) Please keep in mind this notification is from the third-party application you have installed (CSF/LFD) and is not an alert directly from cPanel. You can find several other posts asking about this particular alert. EX: LFD - Suspicious Process. Thank you.
Thanks very much
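With hundreds of these alerts arriving a day, grouping them by account and script shows which site to look at first, and comparing the Executable field with the first word of the Command Line field picks out the "often faked" case. The sketch below is an added example, not code from this thread, CSF/LFD or cPanel; it assumes alert bodies laid out as in the first post, and every sample alert except the first is constructed (account `exampleuser`, the PIDs and the uptimes are invented).

```python
import re
from collections import defaultdict

# Sample input: first alert is the one from the post, the other two are constructed.
_PHP = ("PID: {pid} (Parent PID:1287)\nAccount: veg\nUptime: {up} seconds\nExecutable:\n/usr/bin/php\n"
        "Command Line (often faked in exploits):\n/usr/bin/php /home/veg/public_html/index.php\n")
SAMPLE_ALERTS = [
    _PHP.format(pid=6749, up=229809),   # alert from the post
    _PHP.format(pid=7001, up=7200),     # constructed repeat for the same script
    "PID: 8123 (Parent PID:1)\nAccount: exampleuser\nUptime: 90000 seconds\nExecutable:\n\n"
    "/usr/local/cpanel/3rdparty/perl/514/bin/perl\n\n"
    "Command Line (often faked in exploits):\n\n/usr/sbin/httpd\n",  # constructed mismatch
]

def parse_alert(text):
    """Parse one alert body; a label's value may sit on the same or the next non-empty line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rec = {}
    for i, ln in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if m := re.match(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", ln):
            rec["pid"], rec["ppid"] = int(m[1]), int(m[2])
        elif m := re.match(r"Account:\s*(\S+)", ln):
            rec["account"] = m[1]
        elif m := re.match(r"Uptime:\s*(\d+)\s*seconds", ln):
            rec["uptime_s"] = int(m[1])
        elif ln.startswith("Executable:"):
            rec["exe"] = ln[len("Executable:"):].strip() or nxt
        elif ln.startswith("Command Line"):
            rec["cmdline"] = ln.split(":", 1)[1].strip() or nxt
    # argv[0] != executable is only a triage hint: daemons that retitle themselves trip it too.
    argv = rec.get("cmdline", "").split()
    rec["argv0_mismatch"] = bool(argv) and argv[0] != rec.get("exe")
    return rec

def summarize(alerts):
    """Group alerts by (account, exe, cmdline): alert count and longest uptime in hours."""
    groups = defaultdict(lambda: {"count": 0, "max_hours": 0.0, "mismatch": False})
    for rec in map(parse_alert, alerts):
        g = groups[(rec.get("account"), rec.get("exe"), rec.get("cmdline"))]
        g["count"] += 1
        g["max_hours"] = max(g["max_hours"], round(rec.get("uptime_s", 0) / 3600, 1))
        g["mismatch"] |= rec["argv0_mismatch"]
    return dict(groups)

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE_ALERTS).items(), key=lambda kv: -kv[1]["count"]):
        print(g["count"], g["max_hours"], "MISMATCH" if g["mismatch"] else "ok", *key)
```

A mismatch row is the one to check on the server itself, for example by looking at what `/proc/<PID>/exe` points to while the process is still alive.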