I'm getting these suspicious process warnings:
Executable:
/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php
Command Line (often faked in exploits):
/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php
I'm not a REGEX expert and the documentation on all the different configs in the Pignore file is a bit thin.
My PHP version may change in the future so I just want to ignore execution of PHP with the cron.php script no matter what the path. My understanding is that you would use pcmd for this? I tried both of these:
pcmd:^/cron.php
pcmd:*/cron.php
Neither worked.
Help With Pignore Syntax Suspicious Process
-
- Junior Member
- Posts: 25
- Joined: 24 Aug 2016, 04:49
Re: Help With Pignore Syntax Suspicious Process
Duh, in posting this I think I just figured out the problem. There is no forward slash leading the cron.php parameter!
Did I get it right? Still curious if ^ or * should be used to provide a wild card for the command path.
Re: Help With Pignore Syntax Suspicious Process
Neither one of these seems to work:
pcmd:*cron.php
pcmd:^cron.php
Could it be I need to escape the period? \.
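An added example, not part of the original posts and not lfd's own code: it checks the patterns tried in this thread against the command line from the warning, assuming a pcmd value is a Perl-style regular expression that has to match the entire command line (Python's re module stands in for Perl here). The comparison command lines and the LOOSE and TIGHT patterns are constructed for illustration.

```python
import re

# Command line from the lfd warning quoted in the first post.
CMDLINE = "/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php"

# Constructed command lines for comparison (not from the thread).
OTHER_VERSION = "/opt/cpanel/ea-php81/root/usr/bin/php -f cron.php"
LOOKALIKE = "/tmp/.x/php -f cron.php"
DIFFERENT_SCRIPT = "/opt/cpanel/ea-php73/root/usr/bin/php -f cronXphp"

# Patterns tried in the thread (the text after "pcmd:").
TRIED = ["^/cron.php", "*/cron.php", "*cron.php", "^cron.php"]

# Constructed candidates: LOOSE accepts anything ending in cron.php,
# TIGHT pins the interpreter path and only lets the PHP version vary.
LOOSE = r".*cron\.php"
TIGHT = r"/opt/cpanel/ea-php\d+/root/usr/bin/php -f cron\.php"


def pcmd_matches(pattern, cmdline):
    """Whole-string match (assumed lfd behaviour).

    Returns True or False, or None when the pattern is not a valid regex,
    e.g. a leading '*' has nothing to repeat (shell glob, not regex).
    """
    try:
        return re.fullmatch(pattern, cmdline) is not None
    except re.error:
        return None


def report():
    """Collect (pattern, command line, result) rows for every combination."""
    samples = [CMDLINE, OTHER_VERSION, LOOKALIKE, DIFFERENT_SCRIPT]
    return [(p, c, pcmd_matches(p, c))
            for p in TRIED + [LOOSE, TIGHT] for c in samples]


if __name__ == "__main__":
    for pattern, cmdline, result in report():
        label = {True: "ignored", False: "reported", None: "invalid regex"}[result]
        print(f"{pattern!r:55} {cmdline!r:55} {label}")
```

Under these assumptions the narrower pattern ignores less: a command line that merely ends in cron.php, or a script name that only matches because the period was left unescaped, is still reported.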