I've recently setup the emails for csf/lfd and I started getting tons of emails coming through, but most of them appear to be false positives.
I've added the following rules to csf.pignore but they don't appear to be working as the emails for the very same reasons are still coming through even after restarting both CSF and even the entire server.
Code: Select all
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.* # LiteSpeed
pexe:/usr/local/lsws/bin/lshttpd.* # LiteSpeed
exe:/usr/local/lsmcd/bin/lsmcd # LiteSpeed
exe:/usr/bin/redis-server # Redis
exe:/usr/bin/node # Redis
cmd:/usr/bin/redis-server 127.0.0.1:6379 # Redis
exe:/opt/digitalocean/bin/do-agent # DigitalOcean
cmd:lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp # LiteSpeed Extra
pexe:^/usr/local/lsws/bin/lshttpd.* # LiteSpeed Extra
pexe:^/opt/alt/php.*/usr/bin/lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp\.cagefs # LiteSpeed Extra
Here is a copy of the emails (snippets of them) and the subjects.
Suspicious process running under user nobody
Executable: /usr/local/lsmcd/bin/lsmcd
Command Line (often faked in exploits): /usr/local/lsmcd/bin/lsmcd
Suspicious process running under user nobody
Executable: /usr/local/lsws/bin/lshttpd.6.0.11
Command Line (often faked in exploits): litespeed (lshttpd - #01)
Suspicious File Alert
File: /tmp/lsmcd/core.873669
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken
Excessive resource usage: customwheelaccount
Exceeded: 60647 > 3600 (seconds)
Executable: /usr/bin/bash
Command Line: -bash
Excessive resource usage: do-agent
Exceeded: 906203 > 3600 (seconds)
Executable: /opt/digitalocean/bin/do-agent
Command Line: /opt/digitalocean/bin/do-agent --syslog
Excessive resource usage: mysql
Exceeded: 906203 > 3600 (seconds)
Executable: /usr/sbin/mariadbd
Command Line: /usr/sbin/mariadbd
Suspicious process running under user redis
Executable: /usr/bin/redis-server
Command Line (often faked in exploits): /usr/bin/redis-server 127.0.0.1:6379
Excessive resource usage: redis
I'd greatly appreciate some help with this!Exceeded: 909835 > 3600 (seconds)
Executable: /usr/bin/redis-server
Command Line: /usr/bin/redis-server 127.0.0.1:6379
Thanks