Trying to ignore a Perl script, but still getting alerts

GoWilkes
Junior Member
Posts: 29
Joined: 15 Nov 2010, 20:57

Trying to ignore a Perl script, but still getting alerts

Post by GoWilkes »

I've been getting a ton of "suspicious process" alerts lately about a Perl script that hasn't been modified since 2020. So I'm pretty sure these are false alerts.

The email says:

Time: Tue Dec 12 15:18:14 2023 -0500
PID: 19935 (Parent PID:23922)
Account: nobody
Uptime: 99 seconds

Executable:

/usr/bin/perl

Command Line (often faked in exploits):

/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi

So I added this to csf.pignore via WHM, and of course let WHM restart lfd:

pexe:/home/example/public_html/cgi-bin/cart\.cgi

I'm still getting emailed alerts on it, though.

The code looks right to me, so what have I done wrong?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Trying to ignore a Perl script, but still getting alerts

Post by Sergio »

Try this instead:

cmd:/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi
Sergio
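
Why the first rule had no effect while the second worked, as an added example that is not part of the thread or of csf itself: a simplified Python model of csf.pignore matching, in which exe:/pexe: are compared with the alert's Executable and cmd:/pcmd: with its Command Line. The names ALERT, RULE_TYPES, parse_rule, rule_matches and explain are hypothetical, and whole-field regex matching is an assumption of the model.

```python
import re

# Constructed from the alert email quoted in the thread.
ALERT = {
    "exe": "/usr/bin/perl", "user": "nobody",
    "cmd": "/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi",
}

# Rule prefix -> (alert field it is compared with, value is a regex?)
RULE_TYPES = {
    "exe": ("exe", False), "pexe": ("exe", True),
    "cmd": ("cmd", False), "pcmd": ("cmd", True),
    "user": ("user", False), "puser": ("user", True),
}

def parse_rule(line):
    """Split 'type:value'; None for blanks, comments and unknown types."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind, sep, value = line.partition(":")
    if not sep or not value or kind not in RULE_TYPES:
        return None
    return kind, value

def rule_matches(line, proc):
    """True if the ignore rule covers the process described by proc."""
    parsed = parse_rule(line)
    if parsed is None:
        return False
    kind, value = parsed
    field, is_regex = RULE_TYPES[kind]
    if is_regex:
        # Assumption of this model: the regex must match the whole field.
        return re.fullmatch(value, proc[field]) is not None
    return proc[field] == value

def explain(rules, proc):
    """(rule, alert field compared, matched?) for every usable rule."""
    return [(r.strip(), RULE_TYPES[parse_rule(r)[0]][0], rule_matches(r, proc))
            for r in rules if parse_rule(r)]

if __name__ == "__main__":
    for row in explain([
        r"pexe:/home/example/public_html/cgi-bin/cart\.cgi",  # first attempt
        "cmd:/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi",  # the fix
        "exe:/usr/bin/perl",  # also matches, but for every Perl process
    ], ALERT):
        print(row)
```

The bare exe:/usr/bin/perl rule also matches, but it would cover every Perl process on the server, so the cmd: rule scoped to the one script is the narrower choice. The alert itself labels the command line as often faked, so a cmd: rule trusts a string the process controls.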
GoWilkes
Junior Member
Posts: 29
Joined: 15 Nov 2010, 20:57

Re: Trying to ignore a Perl script, but still getting alerts

Post by GoWilkes »

That worked, thanks :-)
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Trying to ignore a Perl script, but still getting alerts

Post by Sergio »

Great to know it worked for you. You're welcome.