Suspicious Process running under User

[LordLiverpool]

Hello CSF

I installed your wonderful plugin on Tuesday of this week.

Since then I've received 539 emails from LFD saying:

lfd on mail.myserver.tld: Suspicious process running under user myusername

Its found the same files for each domain on my server and they seem to be files from WordFence

Here follows the email:

Executable:

/home/virtfs/domain/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Command Line (often faked in exploits):

/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Network connections by the process (if any):

tcp: 123.123.123.123:39126 -> 123.123.123.123:80

Files open by the process (if any):

/home/virtfs/domain/dev/urandom
/home/virtfs/domain/home/domain/public_html/wp-content/wflogs/ips.php
/home/virtfs/domain/home/domain/public_html/wp-content/wflogs/config.php (deleted) /home/virtfs/domain/home/domain/public_html/wp-content/wflogs/attack-data.php

I've removed the domain name and the IP address.

Is my server compromised or is this a false positive?

Can anyone help me please?

Thanks.

[LordLiverpool]

Hey CSF

I installed your Firewall just over a week ago and since then I've had 1529 emails like the one above. (feeling overwhelmed)

How does this forum work?
Can I expect any help from CSF?
Or is it purely charitable contributions from the larger community?

Best Regards

[ForumAdmin]

http://forum.configserver.com/viewtopic.php?f=2&t=8580