"Suspicious Process" -- how to debug?

Posted: 10 Jun 2021, 07:16
by rudolfl
Hi all,

I am getting a lot of e-mails about a suspicious process running. I did find many threads about it, and all pretty much talk about how to silence those.
I want to fix (if possible) the underlying problem.

Those warnings generally only specify the user and the PHP executable.

The network connections I am getting are:
Network connections by the process (if any):

tcp: 127.0.0.1:41462 -> 127.0.0.1:11211
tcp: 127.0.0.1:41016 -> 127.0.0.1:11211


(This is a connection from localhost to the memcached server running on the same localhost.)

I believe the issue is most likely related to automated bots trying to access the site for the purpose of scanning or brute force.

What I would like to do is find the offending script and the offending user (IP). Taking a look at the Apache log files does help to a point. I did find a few offending IPs and blocked them, but there are more.

Sites are all running WordPress.

Any pointers on how to investigate will be greatly appreciated.

Thanks,
Rudolf