CSF Suspicious process emails regarding php-cgi or php-fpm (false positives)
I keep getting false positive emails about suspicious php processes on our server. I have been struggling to understand what specifically about these processes it finds "suspicious" - I have finally concluded that the issue appears to be an open outbound connection to a 3rd party. Here are some examples of outbound connections that it flags:
This one appears to be a Google address, likely a CURL connection to validate a reCAPTCHA submission (this is the only conclusion I can make based on the code of the website):
tcp: xxx.xxx.xxx.126:55426 -> 172.253.62.106:443
172.253.62.106 reverses to bc-in-f106.1e100.net, and I found by searching up who 1e100.net is: 1e100.net is a domain name owned by Google that identifies their servers. Google uses this domain name to simplify server identification and enhance security across all their products. The name is chosen because "1e100" is the scientific notation for the number one googol (1 followed by 100 zeros).
--
I also get warnings about connections to itself. These generally come from WordPress sites and I believe it has to do with how wp-cron functions out of the box. The target x.x.x.2 address is the actual IP the site is hosted on, but on the same server as the source IP:
tcp: xxx.xxx.xxx.126:49238 -> xxx.xxx.xxx.2:443
--
Here is what I do not understand though: I have a plethora of sites on this server that make all kinds of 3rd party CURL connections for charging credit cards (Authorize.net) and getting UPS rate estimates. These connections never get reported by the server. If the setting is to report all PHP scripts with an open outbound connection, why are only some of these reported? Is there a whitelist for these that has the authorize.net/UPS IPs listed but not these other IP addresses? Why would Google reCAPTCHA servers not be on there? Does this not get updated automatically?
I would love to understand what is going on here and to resolve it so that I can give warning emails from the server proper attention instead of feeling like I need to ignore them because it ALWAYS turns out to be a waste of time. And I do not think just disabling the suspicious process emails for php-cgi/php-fpm is a proper solution either.
-
Hey there! This would be an excellent question for the CSF team (https://configserver.com/technical-support/) as we don't make or distribute that tool, so I don't have a way to say how it is flagging those processes.
-
Hi rick, check out this post, hope it helps :)
https://support.cpanel.net/hc/en-us/community/posts/31789893880599-email-issues-php-fpm-vrs-php-cgi
-
durangod Thanks, I checked out your post but I think we have different issues. It looks like adding the process to your csf.pignore file worked for your situation, but in my scenario I do not want to stop receiving all suspicious process reports related to php-cgi and php-fpm. Rather, I want to get to the bottom of what it's specifically taking issue with, as the email does not really do a great job of explaining what about the process triggered the email. If it's the process runtime, then that's worthless and stupid and I would be dumbfounded to find out that is the case. I hope the people that developed CSF would be smart enough to know that Apache keeps these processes alive for extended periods of time to be on-call to handle web requests as they come in as "workers". Since these processes do not terminate after handling each request by default, using their runtime as a metric of suspicious activity is downright stupid.
The only thing after the process runtime that is pointed out in this email is the external network connection. And every one of these I get points out an external outbound network connection like this. This leads me to believe that the issue is the connection (which would make sense) and not the process runtime (which would not).
The only hang-up I'm having at this point is that the IPs in question are Cloudflare IPs which are already listed in the csf.ignore file, so there is no reason why the software should find the outbound connection to an IP on the ignore list as suspicious (in my opinion).
I do have a thread open on the CSF forum here (for anyone interested): https://forum.configserver.com/viewtopic.php?t=13408&sid=1bbb80a31c7fa40bc98a2ef30ebd4a51
I have not gotten any response over there at this time.
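Added example (not part of this thread, and not code from cPanel or the CSF project): a small triage helper for the connection lines these emails contain. The original question asks why only some outbound connections from PHP workers are reported, and the later reply points at csf.ignore; this script does not assert how lfd actually decides, it just buckets each "proto: src:port -> dst:port" line from a report into "self" (the server talking to one of its own addresses, the wp-cron case), "ignored" (destination inside a network on a CIDR list) or "review" (everything else), so the emails can be skimmed instead of read one by one. The line format is assumed to match the one quoted in the thread, the ignore-list format (one CIDR per line, `#` comments) is an assumption, and every address, local IP and list entry below is constructed sample data rather than anything from the poster's server.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Connection lines in the same "proto: src:port -> dst:port" shape as the
# report quoted in the thread. Addresses are constructed (RFC 5737 ranges
# plus the Google address the poster mentioned); they are not report data.
SAMPLE_CONNECTIONS = [
    "tcp: 203.0.113.126:55426 -> 172.253.62.106:443",   # 3rd-party call (reCAPTCHA-style)
    "tcp: 203.0.113.126:49238 -> 203.0.113.2:443",      # site calling itself (wp-cron-style)
    "tcp: 203.0.113.126:51000 -> 198.51.100.7:443",     # payment gateway placeholder
    "udp: 203.0.113.126:53211 -> 203.0.113.53:53",      # DNS lookup to some other host
    "not a connection line",                            # report text that is not a connection
]

# Constructed stand-ins for the server's own addresses and for an ignore
# list. On a real host these would be read from the system, not hard-coded.
LOCAL_ADDRESSES = {"203.0.113.126", "203.0.113.2"}
IGNORE_LIST = """
# one CIDR per line, '#' starts a comment (assumed format)
198.51.100.0/24 # payment gateway (constructed)
192.0.2.0/24    # carrier API (constructed)
"""

# IPv4 only; the thread shows no IPv6 lines, so their format is not assumed.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp):\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_ignore_list(text: str) -> list:
    """Return the networks in an ignore list, skipping comments and blank lines."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_connection(line: str) -> Optional[dict]:
    """Parse one 'proto: src:port -> dst:port' line; return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def classify(conn: dict, local: set, ignored: list) -> str:
    """Bucket a connection for triage:
    'self'    - destination is one of this host's own addresses (or loopback)
    'ignored' - destination falls inside a network on the ignore list
    'review'  - anything else, i.e. the lines worth a human look
    """
    dst = conn["dst"]
    if str(dst) in local or dst.is_loopback:
        return "self"
    if any(dst in net for net in ignored):
        return "ignored"
    return "review"


def triage(lines: Iterable[str], local: set, ignore_text: str) -> dict:
    """Map each parseable connection line to its bucket; other lines are dropped."""
    ignored = parse_ignore_list(ignore_text)
    result = {}
    for line in lines:
        conn = parse_connection(line)
        if conn is None:
            continue
        result[line] = classify(conn, local, ignored)
    return result


if __name__ == "__main__":
    for line, bucket in triage(SAMPLE_CONNECTIONS, LOCAL_ADDRESSES, IGNORE_LIST).items():
        print(f"{bucket:8} {line}")
```

Only the "review" bucket needs attention; a destination that lands there repeatedly (as the Google address would here) is the one to resolve and then either document or add to the list, rather than silencing the report for php-cgi/php-fpm as a whole.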