ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

Help With Pignore Syntax Suspicious Process

https://mail.forum.configserver.com/viewtopic.php?t=11778

Page 1 of 1

Help With Pignore Syntax Suspicious Process

Posted: 12 May 2020, 19:22
by consultant
I'm getting these suspicious process warnings:

Executable:

/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php

Command Line (often faked in exploits):

/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php

I'm not a REGEX expert and the documentation on all the different configs in the Pignore file is a bit thin.

My PHP version may change in the future so I just want to ignore execution of PHP with the cron.php script no matter what the path. My understanding is that you would use pcmd for this? I tried both of these:

pcmd:^/cron.php
pcmd:*/cron.php

Neither worked.

Re: Help With Pignore Syntax Suspicious Process

Posted: 12 May 2020, 19:23
by consultant
Duh, in posting this I think I just figured out the problem. There is no forward slash leading the cron.php parameter!

Did I get it right? Still curious is ^ or * should be use to provide a wild card for the command path.

Re: Help With Pignore Syntax Suspicious Process

Posted: 18 May 2020, 17:42
by consultant
Neither one of these seem to work

pcmd:*cron.php
pcmd:^cron.php

Could it be I need to escape the period? \.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited