How to add rule to csf.ignore

Posted: 13 Jan 2017, 00:15
by aky007
Hi Everyone,

I tried to resolve some false alerts by adding the following rules to csf.ignore but still can't stop them. :confused: :confused:

exe:/usr/local/cpanel/3rdparty/perl/522/bin/perl

exe:/usr/local/lsws/bin/lshttpd.5.1.11

lfd on domain.com: Suspicious File Alert
Time: Fri Jan 13 06:17:11 2017 +0800
File: /tmp/lshttpd/bak_core/core.831309
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

-----------------------------------------------------------------------------------

lfd on domain.com: Suspicious File Alert
Time: Fri Jan 13 06:17:11 2017 +0800
File: /tmp/lshttpd/bak_core/core.831841
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

-----------------------------------------------------------------------------------

lfd on domain.com: Suspicious process running under user nobody
Time: Fri Jan 13 07:06:21 2017 +0800
PID: 900025 (Parent PID:900023)
Account: nobody
Uptime: 72 seconds


Executable:

/usr/local/lsws/bin/lshttpd.5.0.18


Command Line (often faked in exploits):

litespeed (lshttpd)


Network connections by the process (if any):

tcp: 127.0.0.1:443 -> 0.0.0.0:0
tcp: 127.0.0.1:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:4433 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp6: 0.0.0.0:443 -> 0.0.0.0:0
tcp6: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 0.0.0.0:7080 -> 0.0.0.0:0

-----------------------------------------------------------------------------------

Please help.

Thanks :D

Moderated Message:
Please do not bump threads

Re: How to add rule to csf.ignore

Posted: 15 Aug 2017, 15:10
by Havri
Hello,

You should use the pexe regex rule, like so in /etc/csf/csf.pignore:

pexe:^/usr/local/lsws/bin/lshttpd.*$

Let me know if it works.

Regards.
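
The following is an added example, not part of the original posts and not lfd's own code: a simplified model of how `exe:` (exact path) and `pexe:` (regex) lines are compared against the executable path in a process alert. It shows why the `exe:` rule for `lshttpd.5.1.11` from the first post does not cover the alerted `lshttpd.5.0.18`. The function names are hypothetical, and Python's `re` is assumed to stand in for lfd's Perl regex matching.

```python
import re

# Constructed sample rules: the two exe: lines from the first post plus the
# pexe: line from the reply.
SAMPLE_PIGNORE = """\
# comment lines and blanks are skipped
exe:/usr/local/cpanel/3rdparty/perl/522/bin/perl
exe:/usr/local/lsws/bin/lshttpd.5.1.11
pexe:^/usr/local/lsws/bin/lshttpd.*$
"""

def parse_rules(text):
    """Return (kind, value) pairs for exe: and pexe: lines only."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in ("exe", "pexe"):
            rules.append((kind, value))
    return rules

def matching_rule(exe_path, rules):
    """Return the first rule that would ignore exe_path, or None."""
    for kind, value in rules:
        # exe: is a literal comparison, so a version suffix must match exactly.
        if kind == "exe" and exe_path == value:
            return (kind, value)
        # Assumption: Python's re stands in for lfd's Perl regex matching.
        if kind == "pexe" and re.search(value, exe_path):
            return (kind, value)
    return None

def explain(exe_path, text):
    """Describe whether exe_path would be ignored under the given rules."""
    hit = matching_rule(exe_path, parse_rules(text))
    return "ignored by %s:%s" % hit if hit else "still reported"

if __name__ == "__main__":
    alerted = "/usr/local/lsws/bin/lshttpd.5.0.18"  # path from the alert
    exe_only = "\n".join(line for line in SAMPLE_PIGNORE.splitlines()
                         if not line.startswith("pexe:"))
    print("exe: rules only ->", explain(alerted, exe_only))
    print("with pexe: rule ->", explain(alerted, SAMPLE_PIGNORE))
```

Because the pattern ends in `.*`, it covers every path that starts with `/usr/local/lsws/bin/lshttpd`, so the rule keeps applying after a LiteSpeed version change. The `^` anchor keeps look-alike paths in other directories reported.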

Re: How to add rule to csf.ignore

Posted: 11 Feb 2020, 22:46
by webintel
Did it work?