Hi all,
I am constantly getting notifications about a suspicious process being run, and the process is php-fpm
"Executable:
/opt/cpanel/ea-php73/root/usr/sbin/php-fpm
Command Line (often faked in exploits):
php-fpm: pool <username>
Network connections by the process (if any):
tcp: 127.0.0.1:51036 -> 127.0.0.1:11211
"
This started to happen after I installed and started to use memcached. And I can see that the "suspicious" process is connecting to memcached at the time of the report.
Now, how do I stop it?
Ideally, I would like to ignore processes with certain destination ports (in my case port 11211 where memcached is listening). Did not find a way to ignore processes based on port.
So, tried to exclude php-fpm through csf.pignore:
cmd:php-fpm: pool <username>
exe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
First line was an attempt to ignore process by user, second line was an attempt to globally ignore php-fpm.
Does not work. Still getting e-mails all the time.
Yes, I did restart firewall with csf -ra
Any ideas how to stop those notifications?
Thanks,
Rudolf
Suspicious Process. Can't stop the notifications
Re: Suspicious Process. Can't stop the notifications
I don't know if csf -ra restarts LFD as well.
Did you try restarting LFD after making your changes to pignore just in case?
I read somewhere that LFD had to be restarted as well for it to work properly. Might be worth a try.
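An added example, not part of either post and not CSF's own code: a small checker for csf.pignore-style rules run against the process from the alert above. It assumes the matching described in the comments at the top of csf.pignore, where exe:/cmd:/user: values are compared as exact strings and pexe:/pcmd:/puser: values are Perl regular expressions applied to the whole string; the username "exampleuser" and the sample rule sets are constructed.

```python
import re

# Constructed sample: process fields from the alert in the first post.
ALERT = {
    "exe": "/opt/cpanel/ea-php73/root/usr/sbin/php-fpm",
    "cmd": "php-fpm: pool exampleuser",  # placeholder username
    "user": "exampleuser",
}

LITERAL = {"exe", "cmd", "user"}  # assumed: exact string comparison
REGEX = {"pexe": "exe", "pcmd": "cmd", "puser": "user"}  # assumed: whole-string regex


def parse_pignore(text):
    """Yield (kind, value) for each rule line, skipping blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and (kind in LITERAL or kind in REGEX):
            yield kind, value


def matching_rules(text, proc):
    """Return the rule lines that would cause this process to be ignored."""
    hits = []
    for kind, value in parse_pignore(text):
        if kind in LITERAL:
            ok = proc[kind] == value
        else:
            try:
                ok = re.fullmatch(value, proc[REGEX[kind]]) is not None
            except re.error:  # an unescaped metacharacter can break the rule
                ok = False
        if ok:
            hits.append(f"{kind}:{value}")
    return hits


# The exe: line as posted: the "*" is compared literally, so it never matches.
AS_POSTED = "exe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm\n"

# Regex forms: any ea-php version, or only the pool of one account.
WITH_REGEX = r"""
pexe:/opt/cpanel/ea-php\d+/root/usr/sbin/php-fpm
pcmd:php-fpm: pool exampleuser
"""

if __name__ == "__main__":
    print("as posted :", matching_rules(AS_POSTED, ALERT))
    print("with regex:", matching_rules(WITH_REGEX, ALERT))
```

The pcmd: rule is the narrower of the two, since it covers a single pool instead of every php-fpm binary on the server.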