Suspicious Process /wflogs/

DatFrog
Junior Member
Posts: 1
Joined: 13 Feb 2024, 01:36

Post by DatFrog »

I’m getting a number of emails from CSF for “Suspicious process running under user ____” for Wordfence logs.

Command Line (often faked in exploits):
php-fpm: pool website_url

Files open by the process (if any):
/dev/null
/tmp/.ZendSem.NCrsJg (deleted)
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/home/server/public_html/website_url/wp-content/wflogs/config.php
/home/server/public_html/website_url/wp-content/wflogs/attack-data.php
/home/server/public_html/website_url/wp-content/wflogs/config-synced.php
/home/server/public_html/website_url/wp-content/wflogs/config-livewaf.php
/home/server/public_html/website_url/wp-content/wflogs/config-transient.php

Network connections by the process (if any):
It’s always from the IPv6 address of the server, with a (seemingly) random port, to a data server in CA at 443. I posted this same question on the Wordfence support board and they basically blew me off.

The interesting thing is, there are multiple other sites on this same server that are not flagging these emails. Any insight here?
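An added triage helper (my own example, not code from this thread, from CSF or from Wordfence) that parses an lfd "Suspicious process" alert shaped like the one quoted above and separates Wordfence's own wflogs state files from entries that still deserve a look. It assumes the site's docroot directory name equals the php-fpm pool name, as in the quoted alert; the sample alert text is constructed.

```python
# Constructed sample modelled on the alert quoted above; the wp-includes line is
# made up so that the 'review' verdict gets exercised.
SAMPLE_ALERT = """\
Command Line (often faked in exploits):
php-fpm: pool website_url

Files open by the process (if any):
/dev/null
/tmp/.ZendSem.NCrsJg (deleted)
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/home/server/public_html/website_url/wp-includes/pluggable.php
"""

HEADERS = ("Command Line", "Files open by the process", "Network connections by the process")

def parse_alert(text):
    """Split the alert body into {section header: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = next((h for h in HEADERS if line.startswith(h)), None)
        if header:
            current = header
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections

def pool_name(sections):
    """Pool name from 'php-fpm: pool <name>', or None if the command line differs."""
    cmd = " ".join(sections.get("Command Line", []))
    marker = "php-fpm: pool "
    return cmd.split(marker, 1)[1].split()[0] if marker in cmd else None

def triage_open_files(files, pool):
    """Return [(path, verdict)]: 'benign' for /dev/null and Wordfence WAF state
    under the pool's own site (assumes docroot dir == pool name), else 'review'."""
    findings = []
    for entry in files:
        path, _, rest = entry.partition(" ")
        if path == "/dev/null":
            verdict = "benign"
        elif "(deleted)" in rest:
            verdict = "review"  # open but unlinked file: confirm what created it
        elif pool and f"/{pool}/wp-content/wflogs/" in path:
            verdict = "benign"
        else:
            verdict = "review"
        findings.append((path, verdict))
    return findings
```

Feed each alert body through `parse_alert` and `triage_open_files`; an alert whose only non-benign entry is the deleted temp file looks very different from one that lists files outside the site's wflogs directory.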