csf.pignore rules aren't working?

Posted: 29 Apr 2022, 12:26
by Ryan_D
Hi,

I've recently setup the emails for csf/lfd and I started getting tons of emails coming through, but most of them appear to be false positives.

I've added the following rules to csf.pignore but they don't appear to be working as the emails for the very same reasons are still coming through even after restarting both CSF and even the entire server.

pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.* # LiteSpeed
pexe:/usr/local/lsws/bin/lshttpd.* # LiteSpeed
exe:/usr/local/lsmcd/bin/lsmcd # LiteSpeed

exe:/usr/bin/redis-server # Redis
exe:/usr/bin/node # Redis
cmd:/usr/bin/redis-server 127.0.0.1:6379 # Redis

exe:/opt/digitalocean/bin/do-agent # DigitalOcean

cmd:lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp # LiteSpeed Extra
pexe:^/usr/local/lsws/bin/lshttpd.* # LiteSpeed Extra
pexe:^/opt/alt/php.*/usr/bin/lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp\.cagefs # LiteSpeed Extra

Here is a copy of the emails (snippets of them) and the subjects.

Suspicious process running under user nobody
Executable: /usr/local/lsmcd/bin/lsmcd
Command Line (often faked in exploits): /usr/local/lsmcd/bin/lsmcd

Suspicious process running under user nobody
Executable: /usr/local/lsws/bin/lshttpd.6.0.11
Command Line (often faked in exploits): litespeed (lshttpd - #01)

Suspicious File Alert
File: /tmp/lsmcd/core.873669
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

Excessive resource usage: customwheelaccount
Exceeded: 60647 > 3600 (seconds)

Executable: /usr/bin/bash
Command Line: -bash

Excessive resource usage: do-agent
Exceeded: 906203 > 3600 (seconds)

Executable: /opt/digitalocean/bin/do-agent
Command Line: /opt/digitalocean/bin/do-agent --syslog

Excessive resource usage: mysql
Exceeded: 906203 > 3600 (seconds)

Executable: /usr/sbin/mariadbd
Command Line: /usr/sbin/mariadbd

Suspicious process running under user redis
Executable: /usr/bin/redis-server
Command Line (often faked in exploits): /usr/bin/redis-server 127.0.0.1:6379

Excessive resource usage: redis
Exceeded: 909835 > 3600 (seconds)

Executable: /usr/bin/redis-server
Command Line: /usr/bin/redis-server 127.0.0.1:6379

I'd greatly appreciate some help with this!

Thanks
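As an added example (not from the post, and not csf/lfd's own code), the following Python script models how csf.pignore rules are compared against the Executable and Command Line values reported in an lfd alert, and runs the poster's rules against the alert snippets quoted above. The matching semantics it uses are assumptions rather than lfd's actual implementation: exe:/cmd: are treated as exact string matches, pexe:/pcmd: as regexes that must match the whole string, and the trailing " # LiteSpeed"-style text on a rule line is either kept as part of the rule value or stripped, so both behaviours can be compared. The sample rule file and alert list are constructed from the post.

```python
import re

# Constructed sample: a subset of the csf.pignore lines from the post,
# with the trailing "# ..." comments written the way the poster had them.
PIGNORE_AS_POSTED = """\
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.* # LiteSpeed
pexe:/usr/local/lsws/bin/lshttpd.* # LiteSpeed
exe:/usr/local/lsmcd/bin/lsmcd # LiteSpeed
exe:/usr/bin/redis-server # Redis
exe:/opt/digitalocean/bin/do-agent # DigitalOcean
cmd:/usr/bin/redis-server 127.0.0.1:6379 # Redis
"""

# Constructed sample: (Executable, Command Line) pairs copied from the
# alert snippets in the post; mariadbd has no matching rule on purpose.
ALERTS = [
    ("/usr/local/lsmcd/bin/lsmcd", "/usr/local/lsmcd/bin/lsmcd"),
    ("/usr/local/lsws/bin/lshttpd.6.0.11", "litespeed (lshttpd - #01)"),
    ("/opt/digitalocean/bin/do-agent", "/opt/digitalocean/bin/do-agent --syslog"),
    ("/usr/bin/redis-server", "/usr/bin/redis-server 127.0.0.1:6379"),
    ("/usr/sbin/mariadbd", "/usr/sbin/mariadbd"),
]

# The six rule types documented in the csf.pignore header.
RULE_RE = re.compile(r"^(exe|cmd|user|pexe|pcmd|puser):(.*)$")


def parse_pignore(text, strip_inline_comments):
    """Return a list of (type, value) rules from csf.pignore-style text.

    Assumption (a model, not lfd's own parser): a line is a comment only
    when it starts with '#'. Whether a trailing ' # ...' on a rule line is
    removed from the value is controlled by strip_inline_comments.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # not a recognised rule type; lfd would presumably skip it too
        rtype, value = m.group(1), m.group(2)
        if strip_inline_comments:
            value = value.split(" #", 1)[0]
        rules.append((rtype, value.strip()))
    return rules


def rule_matches(rule, exe, cmd):
    """Assumed semantics: exe:/cmd: compare the whole string exactly,
    pexe:/pcmd: are regexes that must match the whole string."""
    rtype, value = rule
    if rtype == "exe":
        return exe == value
    if rtype == "cmd":
        return cmd == value
    if rtype == "pexe":
        return re.fullmatch(value, exe) is not None
    if rtype == "pcmd":
        return re.fullmatch(value, cmd) is not None
    return False  # user:/puser: need the account name, which this model ignores


def ignored_alerts(pignore_text, alerts, strip_inline_comments):
    """Map each alert's executable to True if at least one rule covers it."""
    rules = parse_pignore(pignore_text, strip_inline_comments)
    return {exe: any(rule_matches(r, exe, cmd) for r in rules) for exe, cmd in alerts}


if __name__ == "__main__":
    for strip in (False, True):
        print(f"inline comments stripped: {strip}")
        for exe, covered in ignored_alerts(PIGNORE_AS_POSTED, ALERTS, strip).items():
            print(f"  {'ignored' if covered else 'ALERT  '}  {exe}")
```

With the comments kept as part of the value, none of the alerts is covered, because " # LiteSpeed" becomes part of the exact string or of the regex; with the comments stripped, every alert except mariadbd matches. Whether lfd strips such comments is not something this thread establishes, so the safe way to remove the dependency is to put explanatory comments on their own "#" lines and to test each rule against the exact Executable and Command Line strings from the alert, as the script does.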

Re: csf.pignore rules aren't working?

Posted: 06 Oct 2024, 09:56
by minadreapta
Hi,

Did you find a solution to this problem? I just installed lsmcd and I get tons of emails like this:

Time:    Sun Oct  6 11:45:23 2024 +0300
PID:     98388 (Parent PID:98387)
Account: nobody
Uptime:  43524 seconds


Executable:

/usr/local/lsmcd/bin/lsmcd


Command Line (often faked in exploits):

/usr/local/lsmcd/bin/lsmcd


Network connections by the process (if any):

tcp: 127.0.0.1:11211 -> 127.0.0.1:33252

Re: csf.pignore rules aren't working?

Posted: 21 Oct 2024, 20:13
by Sergio
Will a "pignore" help you on this?

Sergio