Recently I disabled WP-CRON for wordpress and started using CPANEL with WGET to replace it. I've started getting emails "lfd on XXXXX: Suspicious process running under user". I found some instructions on where to go to tell CSF to ignore these in the /etc/csf/csf.pignore edit, but I'm unclear exactly how to do this. Here is what the LFD emails are showing:
Executable:
/home/virtfs/SOMEUSER/usr/bin/wget
Command Line (often faked in exploits):
wget -q -O - https://www.SOMEUSER.com/wp-cron.php?doing_wp_cron
I have several websites using this (and more soon) so ideally I would like to do a wildcard for this. So far I tried this:
exe:/usr/bin/wget
Which didn't work, likely because its not the full path. So would I use something like this?
pexe:/home/virtfs/.*/usr/bin/wget
So it works for all accounts? Or would it be this one?
pcmd:/home/virtfs/.*/usr/bin/wget
Any help is greatly appreciated .