Suspicious process running under user
Normally I can figure out what these mean, but this one has me stumped. Am I secure?
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/apple509/public_html/index.php
Network connections by the process (if any):
tcp: {server IP}:50181 -> 157.56.177.100:80
Files open by the process (if any):
Memory maps by the process (if any):
00400000-00d31000 r-xp 00000000 09:03 672524 /usr/bin/php
00f31000-00ff7000 rw-p 00931000 09:03 672524 /usr/bin/php
00ff7000-0101a000 rw-p 00000000 00:00 0
016f3000-04edd000 rw-p 00000000 00:00 0 [heap]
7f12acdfe000-7f12aceff000 rw-p 00000000 00:00 0
7f12acfb6000-7f12acfbb000 r-xp 00000000 09:03 3407898 /lib64/libnss_dns-2.12.so
7f12acfbb000-7f12ad1ba000 ---p 00005000 09:03 3407898 /lib64/libnss_dns-2.12.so
7f12ad1ba000-7f12ad1bb000 r--p 00004000 09:03 3407898 /lib64/libnss_dns-2.12.so
7f12ad1bb000-7f12ad1bc000 rw-p 00005000 09:03 3407898 /lib64/libnss_dns-2.12.so
....
The list goes on for quite a bit. Any help much appreciated.
-
Whats going on with the index.php? RSS feed connecting to something microsoft (157.56.177.100) and timing out, maybe? The email is from CSF/LFD. 0 -
That seems pretty plausible. This is a wordpress site, so index.php is a rabbit trail into other files. What's the easiest way to track the cause? 0 -
Hello, You can find a few threads regarding this alert on the CSF/LFD forums. Here is an example of what to search for on Google: "Network connections by the process" site:forum.configserver.com
Thank you.0
Please sign in to leave a comment.
Comments
3 comments