How to add rule to csf.ignore
Posted: 13 Jan 2017, 00:15
Hi Everyone,
I tried to resolve some false alerts by adding the following rules to csf.ignore, but still can't stop them.
lfd on domain.com: Suspicious File Alert
Time: Fri Jan 13 06:17:11 2017 +0800
File: /tmp/lshttpd/bak_core/core.831309
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken
-----------------------------------------------------------------------------------
lfd on domain.com: Suspicious File Alert
Time: Fri Jan 13 06:17:11 2017 +0800
File: /tmp/lshttpd/bak_core/core.831841
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken
-----------------------------------------------------------------------------------
lfd on domain.com: Suspicious process running under user nobody
Time: Fri Jan 13 07:06:21 2017 +0800
PID: 900025 (Parent PID:900023)
Account: nobody
Uptime: 72 seconds
Executable:
/usr/local/lsws/bin/lshttpd.5.0.18
Command Line (often faked in exploits):
litespeed (lshttpd)
Network connections by the process (if any):
tcp: 127.0.0.1:443 -> 0.0.0.0:0
tcp: 127.0.0.1:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:4433 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp6: 0.0.0.0:443 -> 0.0.0.0:0
tcp6: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 0.0.0.0:7080 -> 0.0.0.0:0
-----------------------------------------------------------------------------------
Please help.
Thanks
Moderated Message:
I tried to resolve some false alerts by adding the following rules to csf.ignore, but still can't stop them.
exe:/usr/local/cpanel/3rdparty/perl/522/bin/perl
exe:/usr/local/lsws/bin/lshttpd.5.1.11
Moderated Message:
Please do not bump threads
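As an added check (not from the thread and not csf's own code), the script below parses the process alert quoted above and tests it against the two exe: entries posted plus a constructed pexe: regex; it assumes the csf.pignore process-ignore semantics (exe:/user:/cmd: match exactly, pexe:/puser:/pcmd: are regular expressions) and shows that an entry for lshttpd.5.1.11 does not cover the running lshttpd.5.0.18.

```python
import re

# Constructed sample: the two entries from the thread, plus a hypothetical
# pexe: regex that covers any versioned LiteSpeed binary in that directory.
IGNORE_ENTRIES = [
    "exe:/usr/local/cpanel/3rdparty/perl/522/bin/perl",
    "exe:/usr/local/lsws/bin/lshttpd.5.1.11",
]
REGEX_ENTRY = r"pexe:^/usr/local/lsws/bin/lshttpd\.\d+\.\d+\.\d+$"
IGNORE_ENTRIES_REGEX = IGNORE_ENTRIES + [REGEX_ENTRY]

# Constructed alert text, abridged from the lfd message quoted in the thread.
ALERT = """lfd on domain.com: Suspicious process running under user nobody
Time: Fri Jan 13 07:06:21 2017 +0800
PID: 900025 (Parent PID:900023)
Account: nobody
Uptime: 72 seconds
Executable:
/usr/local/lsws/bin/lshttpd.5.0.18
Command Line (often faked in exploits):
litespeed (lshttpd)
"""


def parse_process_alert(text):
    """Pull account, executable and command line out of an lfd process alert."""
    lines = [line.strip() for line in text.splitlines()]
    info = {}
    for i, line in enumerate(lines):
        if line.startswith("Account:"):
            info["user"] = line.split(":", 1)[1].strip()
        elif line == "Executable:" and i + 1 < len(lines):
            info["exe"] = lines[i + 1]          # path is on the next line
        elif line.startswith("Command Line") and i + 1 < len(lines):
            info["cmd"] = lines[i + 1]
    return info


def matching_entries(info, entries):
    """Return the ignore entries that would suppress this alert (assumed
    semantics: exe:/user:/cmd: exact match, pexe:/puser:/pcmd: regex)."""
    field = {"exe": "exe", "user": "user", "cmd": "cmd",
             "pexe": "exe", "puser": "user", "pcmd": "cmd"}
    hits = []
    for entry in entries:
        kind, _, value = entry.partition(":")
        if kind not in field or field[kind] not in info:
            continue                            # unknown or inapplicable entry
        actual = info[field[kind]]
        if kind.startswith("p"):
            if re.search(value, actual):
                hits.append(entry)
        elif value == actual:
            hits.append(entry)
    return hits
```

Running it shows the two exact-path entries match nothing for this alert, while the regex entry does; the same exact-versus-pattern distinction decides whether a new LiteSpeed build keeps triggering alerts after an upgrade.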