Suspicious activity on cPanel
Hi, so I'm receiving multiple repeat notifications per day regarding the below. The destination IP is a Softaculous IP. Is this normal? This started on April 18 and I've only tried a local backup of my WordPress once via Softaculous and never again.
Time: Sun Apr 21 12:10:06 2024
PID: 2303219 (Parent PID:2303215)
Uptime: 254491 seconds
Executable:
/usr/local/cpanel/3rdparty/php/81/bin/php
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/php -d auto_prepend_file=none -d auto_append_file=none /usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/index.live.php b1fa818d116fa814bfc230ee77f7ce4f
Network connections by the process (if any):
tcp: <my host IP>:37392 -> 192.198.80.6:443
Files open by the process (if any):
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/index.live.php
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/index.live.php
-
The destination IP of 192.198.80.6 actually belongs to Softaculous the company.
https://www.softaculous.com/docs/admin/installing-softaculous-in-cpanel/
-- look under "Requirements"
Looks like that process had been running for about 70 hours at the time you grabbed the info. It might be that you have blocked 192.198.80.6 in your firewall and thus are not allowing Softaculous on the machine to reach Softaculous HQ. Might want to check that out.
-
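The checks in the reply above (is the destination a known vendor address, and how long has the process been alive?) can be applied mechanically to the alert text quoted in the original post. The following Python script is an added example written for this thread, not code from cPanel, CSF or Softaculous. It parses the alert format shown above into fields, compares every outbound destination against a small allowlist, and flags a process that has been running for more than a day; the allowlist holds only the one address the thread identifies as Softaculous, the host IP in the sample is a placeholder (203.0.113.10), and the 24-hour threshold is an assumed value.

```python
import re

# Constructed sample: the alert from the thread, with the redacted host IP
# replaced by a documentation address (203.0.113.10).
SAMPLE_ALERT = """\
Time: Sun Apr 21 12:10:06 2024
PID: 2303219 (Parent PID:2303215)
Uptime: 254491 seconds
Executable:
/usr/local/cpanel/3rdparty/php/81/bin/php
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/php -d auto_prepend_file=none -d auto_append_file=none /usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/index.live.php b1fa818d116fa814bfc230ee77f7ce4f
Network connections by the process (if any):
tcp: 203.0.113.10:37392 -> 192.198.80.6:443
Files open by the process (if any):
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/enduser/index.live.php
"""

# Allowlist of vendor endpoints. The single entry is the address the thread
# identifies as Softaculous; extend it from the vendor's own documentation.
KNOWN_VENDOR_IPS = {"192.198.80.6": "Softaculous"}

# Directory a Softaculous end-user script is expected to live under (from the alert).
SOFTACULOUS_DIR = "/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/"

# Assumed threshold: anything alive longer than a day is unusual for an installer script.
LONG_RUNNING_HOURS = 24

# Map the alert's section headings to short field names.
SECTION_NAMES = {
    "Time": "time",
    "PID": "pid",
    "Uptime": "uptime",
    "Executable": "executable",
    "Command Line (often faked in exploits)": "command_line",
    "Network connections by the process (if any)": "connections",
    "Files open by the process (if any)": "files",
}

CONN_RE = re.compile(r"^(tcp|udp):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)$")


def parse_alert(text):
    """Parse the alert into a dict; multi-line sections are collected line by line."""
    fields = {name: [] for name in SECTION_NAMES.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading, sep, rest = line.partition(":")
        if sep and heading in SECTION_NAMES:
            current = SECTION_NAMES[heading]
            if rest.strip():  # inline value, e.g. "Uptime: 254491 seconds"
                fields[current].append(rest.strip())
            continue
        if current is not None:  # continuation line of the current section
            fields[current].append(line)

    parsed = {
        "time": " ".join(fields["time"]),
        "pid": int(re.match(r"\d+", fields["pid"][0]).group()),
        "uptime_seconds": int(re.match(r"\d+", fields["uptime"][0]).group()),
        "executable": fields["executable"][0] if fields["executable"] else "",
        "command_line": " ".join(fields["command_line"]),
        "connections": [],
        "files": fields["files"],
    }
    for line in fields["connections"]:
        m = CONN_RE.match(line)
        if m:
            parsed["connections"].append({
                "proto": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
            })
    return parsed


def assess(alert):
    """Apply the checks suggested in the thread and return the findings."""
    uptime_hours = alert["uptime_seconds"] / 3600
    known, unknown = [], []
    for c in alert["connections"]:
        endpoint = f"{c['dst']}:{c['dport']}"
        vendor = KNOWN_VENDOR_IPS.get(c["dst"])
        if vendor:
            known.append(f"{endpoint} ({vendor})")
        else:
            unknown.append(endpoint)
    argv = alert["command_line"].split()
    script = next((t for t in argv if t.endswith(".php") and "/" in t), "")
    return {
        "uptime_hours": round(uptime_hours, 1),
        "long_running": uptime_hours > LONG_RUNNING_HOURS,
        "known_destinations": known,
        "unknown_destinations": unknown,
        "script_in_softaculous_dir": script.startswith(SOFTACULOUS_DIR),
        # argv[0] is what the process reports and, as the alert itself warns, can be
        # faked; a mismatch with the resolved executable may just be a symlink or
        # wrapper, but it is the value to confirm on the host (e.g. readlink -f).
        "argv0_matches_executable": bool(argv) and argv[0] == alert["executable"],
    }


if __name__ == "__main__":
    for key, value in assess(parse_alert(SAMPLE_ALERT)).items():
        print(f"{key}: {value}")
```

On the sample alert this reports roughly 70.7 hours of uptime (hence "long_running"), a single destination that is on the allowlist, the script under the Softaculous directory, and an argv[0] that differs from the resolved executable path. Running the same check over each repeated notification makes it easy to spot the case that actually matters: a destination that is not in the allowlist, or a script path outside the expected directory.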
Yes, you are right, but unfortunately there was no block for those IPs.
-
Can you also share the subject/sender of this email?