CSF csf.pignore - ignore WGET correctly?

Post by tppweb »

Recently I disabled WP-CRON for WordPress and started using cPanel with WGET to replace it. I've started getting emails "lfd on XXXXX: Suspicious process running under user". I found some instructions on where to go to tell CSF to ignore these in the /etc/csf/csf.pignore edit, but I'm unclear exactly how to do this. Here is what the LFD emails are showing:

Executable:
/home/virtfs/SOMEUSER/usr/bin/wget

Command Line (often faked in exploits):
wget -q -O - https://www.SOMEUSER.com/wp-cron.php?doing_wp_cron

I have several websites using this (and more soon) so ideally I would like to do a wildcard for this. So far I tried this:

exe:/usr/bin/wget

Which didn't work, likely because it's not the full path. So would I use something like this?

pexe:/home/virtfs/.*/usr/bin/wget

So it works for all accounts? Or would it be this one?

pcmd:/home/virtfs/.*/usr/bin/wget

Any help is greatly appreciated :).
Post Reply
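Added example (not part of the original post, and not code from CSF): a small Python check of the candidate csf.pignore rules against the executable and command line from the LFD email. It assumes exe:/cmd: are exact string comparisons and pexe:/pcmd: are regexes that must match the whole value; the second command line and the two narrower rules are constructed for illustration.

```python
import re

# Values copied from the LFD email quoted in the post.
EXE = "/home/virtfs/SOMEUSER/usr/bin/wget"
CMD = "wget -q -O - https://www.SOMEUSER.com/wp-cron.php?doing_wp_cron"

# Constructed: the same binary run with a different, non-cron command line.
OTHER_CMD = "wget -q -O /tmp/file https://example.org/file"

# Rules tried in the post, plus two constructed narrower variants.
RULES = [
    "exe:/usr/bin/wget",
    "pexe:/home/virtfs/.*/usr/bin/wget",
    "pcmd:/home/virtfs/.*/usr/bin/wget",
    "pexe:/home/virtfs/[^/]+/usr/bin/wget",
    r"pcmd:wget\s-q\s-O\s-\shttps://www\.[^/\s]+/wp-cron\.php\?doing_wp_cron",
]


def rule_ignores(rule, exe, cmdline):
    """Return True if a csf.pignore-style rule would cover this process.

    Assumption: exe:/cmd: compare exactly, pexe:/pcmd: are regexes that
    must match the entire value (modelled here with re.fullmatch).
    """
    kind, sep, pattern = rule.partition(":")  # split on the first ':' only
    if not sep:
        raise ValueError("rule has no type prefix: %r" % rule)
    if kind == "exe":
        return exe == pattern
    if kind == "cmd":
        return cmdline == pattern
    if kind == "pexe":
        return re.fullmatch(pattern, exe) is not None
    if kind == "pcmd":
        return re.fullmatch(pattern, cmdline) is not None
    raise ValueError("unsupported rule type: %r" % kind)


def evaluate(rules=RULES):
    """Map each rule to (ignores the cron wget, ignores the other wget)."""
    return {r: (rule_ignores(r, EXE, CMD), rule_ignores(r, EXE, OTHER_CMD))
            for r in rules}


if __name__ == "__main__":
    for rule, (cron, other) in evaluate().items():
        print("%-75s cron=%-5s other=%s" % (rule, cron, other))
```

Under these assumptions a pexe rule on the wget path covers every process started from that binary, while the pcmd form covers only the wp-cron call and leaves other wget activity reported by lfd. The LFD email itself notes that the command line is often faked, so a pcmd rule is only as trustworthy as that field.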