Suspicious process running under my user
Hello, lfd sends me a warning message related to a cPanel process.
Does anyone know this process and can you tell me if it is a problem?
Thank you.
Time: Sun Sep 24 08:46:17 2017 +0200
PID: 31251 (Parent PID:30852)
Account: myuser
Uptime: 64 seconds
Executable:
/home/virtfs/myuser/opt/cpanel/ea-php70/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php70/root/usr/bin/php-cgi
Network connections by the process (if any):
tcp: 94.130.70.19:37834 -> 94.130.70.19:21
Files open by the process (if any):
/home/virtfs/myuser/dev/urandom
That email alert tells you that PHP running in myuser's account made a connection to 94.130.70.19 on port 21. Port 21 is typically for FTP connections. That IP is located in Ukraine. - Removed - The PHP version was cPanel's EasyApache 4 PHP 7.0. This connection would concern me if I could not determine it to be for an appropriate reason. An appropriate reason may be myuser's website doing FTP backups to 94.130.70.19.
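One way to work through an alert like this field by field, as an added example that is not part of the original thread: the script parses the lfd alert quoted in the first post, compares the reported command line with the executable path, and lists where each connection goes. The function names are hypothetical, and it assumes /home/virtfs/<account> is the account's jailed view of the filesystem.

```python
import re

# Alert text from the first post (Time/Uptime lines left out for brevity).
ALERT = """\
PID: 31251 (Parent PID:30852)
Account: myuser
Executable:
/home/virtfs/myuser/opt/cpanel/ea-php70/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php70/root/usr/bin/php-cgi
Network connections by the process (if any):
tcp: 94.130.70.19:37834 -> 94.130.70.19:21
Files open by the process (if any):
/home/virtfs/myuser/dev/urandom
"""

CONN = re.compile(r"^(?:tcp|udp)6?: (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alert(text):
    """Split an lfd alert into one-line fields and multi-line sections."""
    fields, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":"):            # section header; values follow
            section = line[:-1].split(" (")[0]
            fields[section] = []
        elif section is not None:         # value line inside a section
            fields[section].append(line)
        else:                             # "Key: value" on a single line
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Return notes that help decide whether the alert needs follow-up."""
    notes = []
    exe = (fields.get("Executable") or [""])[0]
    argv0 = (fields.get("Command Line") or [""])[0].split(" ")[0]
    # Assumption: /home/virtfs/<account> is the account's jailed view of "/".
    jail = "/home/virtfs/" + fields.get("Account", "")
    real = exe[len(jail):] if exe.startswith(jail + "/") else exe
    if real != argv0:
        notes.append(f"argv0 {argv0!r} does not match executable {real!r}")
    for line in fields.get("Network connections by the process", []):
        m = CONN.match(line)
        if m:
            src, dst, dport = m.group(1, 3, 4)
            where = "same address as source" if src == dst else "other host"
            notes.append(f"{dst}:{dport} ({where})")
    return notes
```

Calling `triage(parse_alert(ALERT))` returns one note per connection, plus a mismatch note when the command line does not correspond to the executable.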
Hello, the previous post should help explain that warning message. Note it's from LFD/CSF and not cPanel. Here are some additional threads where it's discussed: Suspicious process running under user Suspicious process running under lfd suspicious process /usr/bin/php Thank you.