All my attempts to ignore failed

T313C0mun1s7
Junior Member
Posts: 1
Joined: 16 Dec 2021, 19:03

Post by T313C0mun1s7 »

I have been beating my head on this for quite a while. I have lost track of all the things I have tried. I am getting notices of the following:

[code]
Executable:

/opt/cpanel/ea-php74/root/usr/bin/php.cagefs

Command Line (often faked in exploits):

/usr/local/bin/ea-php74 -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php

Network connections by the process (if any):

udp: 10.100.13.41:54522 -> 10.100.0.2:53
[/code]

I have this currently in pignore

[code]
pcmd:/opt/cpanel/ea-php.*/root/usr/bin/php -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php
[/code]

as well as the portion starting with the path to the script itself in signore. I have even gotten very generic and attempted to wildcard everything prior to cron.php. Nothing I have tried has worked. I do want to be able to keep the version of PHP with a wildcard to allow for version changes.

I'm looking for how to ignore this script. It is legitimate and it runs every 10 minutes. Thank you.
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: All my attempts to ignore failed

Post by Sergio »

Hi.
You have to keep in mind that when you are using "PCMD" you have to use REGEX notation, so, I think you should try:
[code]
pcmd:/opt/cpanel/ea-php\d+/root/usr/bin/php -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron\.php
[/code]
Yours:
pcmd:/opt/cpanel/ea-php.*/root/usr/bin/php -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php

I just made two minor changes:
ea-php\d+ instead of ea-php.*
cron\.php instead of cron.php

Hope this helps.

Merry Christmas,
Sergio
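
An added example, not part of either post and not ConfigServer's code: a Python check of the two pcmd lines from the thread, plus two hypothetical candidates, against the "Command Line" field of the notice and against constructed command lines that should keep alerting. Assumptions: lfd compares a pcmd regex against the whole reported command line, Python's re module stands in for Perl regex (equivalent for these patterns), and the names check, audit, MUST_STILL_ALERT and the candidate_* rules are invented here.

```python
import re

SCRIPT = "/home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php"

# "Command Line" field exactly as shown in the lfd notice quoted in the thread.
REPORTED = "/usr/local/bin/ea-php74 -q " + SCRIPT

# Constructed command lines that an ignore rule for this job should NOT cover.
MUST_STILL_ALERT = [
    "/usr/local/bin/ea-php74 -q " + SCRIPT.replace("cron.php", "cronXphp"),
    "/usr/local/bin/ea-php74 -q /home/p42portal/tmp/other.php -q " + SCRIPT,
]

RULES = {
    # The two pcmd lines posted in the thread (same text as in the posts).
    "posted": r"pcmd:/opt/cpanel/ea-php.*/root/usr/bin/php -q " + SCRIPT,
    "suggested": r"pcmd:/opt/cpanel/ea-php\d+/root/usr/bin/php -q "
                 + SCRIPT.replace(".php", r"\.php"),
    # Hypothetical candidates built from the notice's Command Line field instead.
    "candidate_loose": r"pcmd:/usr/local/bin/ea-php.* -q " + SCRIPT,
    "candidate_tight": r"pcmd:/usr/local/bin/ea-php\d+ -q "
                       + SCRIPT.replace(".php", r"\.php"),
}


def check(rule, cmdline, anchored=True):
    """Return True if a pcmd: rule would match cmdline.

    Assumption: lfd compares the regex against the whole command line
    (anchored=True). Pass anchored=False to test substring matching instead.
    """
    kind, _, pattern = rule.partition(":")
    if kind != "pcmd":
        raise ValueError("only pcmd: (regex command line) rules are handled")
    rx = re.compile(pattern)
    return bool(rx.fullmatch(cmdline) if anchored else rx.search(cmdline))


def audit(rule):
    """Return (covers the reported job?, constructed lines the rule also hides)."""
    return check(rule, REPORTED), [c for c in MUST_STILL_ALERT if check(rule, c)]


if __name__ == "__main__":
    for name, rule in RULES.items():
        covers, extra = audit(rule)
        print(f"{name:16} covers_job={covers!s:5} also_hides={len(extra)}")
```

Under those assumptions, neither rule from the thread matches the reported command line, because the notice shows it starting with /usr/local/bin/ea-php74 rather than the /opt/cpanel/... executable path. The tight candidate keeps the PHP version flexible without also covering the two constructed lines.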