Suspicious Process running under User
Posted: 05 May 2017, 11:51
Hello CSF
I installed your wonderful plugin on Tuesday of this week.
Since then I've received 539 emails from LFD saying:
Here follows the email:
Is my server compromised or is this a false positive?
Can anyone help me please?
Thanks.
I installed your wonderful plugin on Tuesday of this week.
Since then I've received 539 emails from LFD saying:
Its found the same files for each domain on my server and they seem to be files from WordFencelfd on mail.myserver.tld: Suspicious process running under user myusername
Here follows the email:
I've removed the domain name and the IP address.Executable:
/home/virtfs/domain/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Network connections by the process (if any):
tcp: 123.123.123.123:39126 -> 123.123.123.123:80
Files open by the process (if any):
/home/virtfs/domain/dev/urandom
/home/virtfs/domain/home/domain/public_html/wp-content/wflogs/ips.php
/home/virtfs/domain/home/domain/public_html/wp-content/wflogs/config.php (deleted) /home/virtfs/domain/home/domain/public_html/wp-content/wflogs/attack-data.php
Is my server compromised or is this a false positive?
Can anyone help me please?
Thanks.