
Suspicious Process. Can't stop the notifications

Posted: 01 Sep 2020, 01:09
by rudolfl
Hi all,

I am constantly getting notifications about a suspicious process being run, and the process is php-fpm:

"Executable:

/opt/cpanel/ea-php73/root/usr/sbin/php-fpm


Command Line (often faked in exploits):

php-fpm: pool <username>


Network connections by the process (if any):

tcp: 127.0.0.1:51036 -> 127.0.0.1:11211
"

This started to happen after I installed and started to use memcached, and I can see that the "suspicious" process is connecting to memcached at the time of the report.

Now, how do I stop it?
Ideally, I would like to ignore processes with certain destination ports (in my case port 11211, where memcached is listening). I did not find a way to ignore processes based on port.

So, I tried to exclude php-fpm through csf.pignore:
cmd:php-fpm: pool <username>
exe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm

The first line was an attempt to ignore the process by user; the second line was an attempt to globally ignore php-fpm.
This does not work. I am still getting e-mails all the time.

Yes, I did restart firewall with csf -ra

Any ideas how to stop those notifications?

Thanks,
Rudolf
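As an added illustration (not part of either post and not lfd's own code), the script below models how a csf.pignore entry is compared with a process: `exe:` and `cmd:` entries are literal, whole-string matches, while `pexe:` and `pcmd:` entries are regular expressions (lfd evaluates them as Perl regexes; the patterns here stay within POSIX ERE so `grep -E` can stand in). The sample process is constructed to look like the alert quoted above, with `example` as the pool user, and the `<username>` text in the original `cmd:` line is treated as the literal characters that were written. The matching function is an approximation for teaching purposes, not lfd's actual implementation.

```shell
#!/bin/sh
# Added illustration, not lfd's code: a model of how a csf.pignore entry is
# compared against a running process. exe: and cmd: entries are literal
# matches; pexe: and pcmd: entries are regular expressions. The regexes
# below use POSIX ERE syntax so grep -E can evaluate them offline.

# Constructed sample process, shaped like the alert quoted in the thread.
SAMPLE_EXE='/opt/cpanel/ea-php73/root/usr/sbin/php-fpm'
SAMPLE_CMD='php-fpm: pool example'

# pignore_matches ENTRY EXE CMD
# Exit 0 when ENTRY would cause the process to be ignored, 1 when it would
# not, and 2 when the entry type is not one of the four modelled here.
pignore_matches() {
    entry=$1; exe=$2; cmd=$3
    type=${entry%%:*}      # text before the first colon (exe, cmd, pexe, pcmd)
    value=${entry#*:}      # everything after the first colon
    case $type in
        exe)  [ "$exe" = "$value" ] ;;
        cmd)  [ "$cmd" = "$value" ] ;;
        pexe) printf '%s\n' "$exe" | grep -Eq -- "$value" ;;
        pcmd) printf '%s\n' "$cmd" | grep -Eq -- "$value" ;;
        *)    return 2 ;;
    esac
}

# Candidate entries: the two from the post first, then regex forms that
# cover every ea-php version directory and every pool user name.
CANDIDATES='cmd:php-fpm: pool <username>
exe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
pexe:^/opt/cpanel/ea-php[0-9]+/root/usr/sbin/php-fpm$
pcmd:^php-fpm: pool [[:alnum:]_.-]+$'

# Report which candidate entries would ignore the sample process.
printf '%s\n' "$CANDIDATES" | while IFS= read -r line; do
    if pignore_matches "$line" "$SAMPLE_EXE" "$SAMPLE_CMD"; then
        printf 'ignored     %s\n' "$line"
    else
        printf 'NOT ignored %s\n' "$line"
    fi
done
```

Running the script shows the two literal entries from the post failing to match (the `*` in an `exe:` entry is not a wildcard, and `<username>` is not substituted) while the `pexe:` and `pcmd:` forms match. Whatever entries end up in csf.pignore, they are read when lfd starts, so lfd has to be restarted before a change has any effect.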

Re: Suspicious Process. Can't stop the notifications

Posted: 02 Sep 2020, 19:32
by ksihota
I don't know if csf -ra restarts LFD as well.
Did you try restarting LFD after making your changes to pignore just in case?

I read somewhere that LFD had to be restarted as well for it to work properly. Might be worth a try.