Hi all,
I am getting a lot of e-mails about suspicions process running. I did find many threads about it and all pretty much talk about how to silience those.
I want to fix (if possible) the underlying problem.
Those warnings are generally only specify user and PHP executable.
Network connectiosn I am getting are:
Network connections by the process (if any):
tcp: 127.0.0.1:41462 -> 127.0.0.1:11211
tcp: 127.0.0.1:41016 -> 127.0.0.1:11211
(this is connection from localhost to memcached server running on same lolcalhost).
I believe issue is most likely related to automated bots trying to access the site for the purpose of scanning or brute force.
What I would like to do is to find offending script and offending user (IP). Taking a look at apache log files does help to a point. I did find few offending IPs and blocked them, but there is more.
Sites are all running WordPress.
Any pointers on how to investigate will be greatly appreciated.
Thanks,
Rudolf