
All my attempts to ignore failed

Posted: 16 Dec 2021, 19:36
by T313C0mun1s7
I have been beating my head on this for quite a while. I have lost track of all of the things I have tried. I am getting notices of the following:

Code:

Executable:

/opt/cpanel/ea-php74/root/usr/bin/php.cagefs


Command Line (often faked in exploits):

/usr/local/bin/ea-php74 -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php


Network connections by the process (if any):

udp: 10.100.13.41:54522 -> 10.100.0.2:53
I have this currently in pignore

Code:

pcmd:/opt/cpanel/ea-php.*/root/usr/bin/php -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php
as well as the portion starting with the path to the script itself in signore. I have even gotten very generic and attempted to wildcard everything prior to cron.php. Nothing I have tried has worked. I do want to be able to keep the version of PHP with a wildcard to allow for version changes.

I'm looking for how to ignore this script. It is legitimate and it runs every 10 minutes. Thank you.

Re: All my attempts to ignore failed

Posted: 27 Dec 2021, 18:14
by Sergio
Hi.
You have to keep in mind that when you are using "PCMD" you have to use REGEX notation, so I think you should try:
[code]
pcmd:/opt/cpanel/ea-php\d+/root/usr/bin/php -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron\.php
[/code]
Yours:
pcmd:/opt/cpanel/ea-php.*/root/usr/bin/php -q /home/p42portal/public_html/modules/addons/DNSManager2/cron/cron.php

I just made two minor changes:
ea-php\d+ instead of ea-php.*
cron\.php instead of cron.php

Hope this helps.

Merry Christmas,
Sergio
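
A way to test pcmd candidates offline against the notice before putting them in csf.pignore, as an added example that is not part of either post or of csf itself. It assumes lfd compares a pcmd regex against the whole "Command Line" string shown in the notice and that Python's re behaves like Perl's for these simple patterns; the "constructed" pattern and the variant command lines are built here, not taken from the thread.

```python
import os.path
import re

# Command line exactly as shown in the lfd notice quoted in the first post.
REPORTED_CMD = ("/usr/local/bin/ea-php74 -q /home/p42portal/public_html/"
                "modules/addons/DNSManager2/cron/cron.php")
SCRIPT = "/home/p42portal/public_html/modules/addons/DNSManager2/cron/cron"

# Text after "pcmd:". The first two are from the thread; "constructed" is
# built here from REPORTED_CMD and does not appear anywhere in the thread.
CANDIDATES = {
    "first post": "/opt/cpanel/ea-php.*/root/usr/bin/php -q " + SCRIPT + ".php",
    "reply": r"/opt/cpanel/ea-php\d+/root/usr/bin/php -q " + SCRIPT + r"\.php",
    "constructed": r"/usr/local/bin/ea-php\d+ -q " + SCRIPT + r"\.php",
}

# Constructed variants: a PHP version bump that should still be ignored, and
# two command lines that a tight ignore rule should keep reporting.
VARIANTS = {
    "version bump": REPORTED_CMD.replace("ea-php74", "ea-php81"),
    "extra argument": REPORTED_CMD + " --extra",
    "other script": REPORTED_CMD.replace("cron/cron.php", "cron/other.php"),
}

def pcmd_matches(pattern, cmdline):
    # Assumption: the regex must cover the whole command line, start to end.
    return re.fullmatch(pattern, cmdline) is not None

def shared_prefix(pattern, cmdline):
    # Literal text both strings start with; shows where a rule goes off track.
    return os.path.commonprefix([pattern, cmdline])

def evaluate():
    report = {}
    for name, pattern in CANDIDATES.items():
        report[name] = {
            "reported": pcmd_matches(pattern, REPORTED_CMD),
            "prefix": shared_prefix(pattern, REPORTED_CMD),
            **{v: pcmd_matches(pattern, c) for v, c in VARIANTS.items()},
        }
    return report

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(name, row)
```

The notice itself labels the command line as "often faked in exploits", which is why the constructed rule stays exact apart from the PHP version digits.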