Suspicious process running under user

Posted: 24 Sep 2024, 14:05
by Archonnn

Hello people,

There are a lot of questions on this forum regarding this, and I have read most of them. As is usually the case, I am receiving a huge amount of notifications from CSF, from a cron.php that the user of this server has placed and wants to run every 5 minutes. This process is legit, and we want to keep it running. The output is this:

Executable:

/home/virtfs/<user>/opt/cpanel/ea-php73/root/usr/bin/php


Command Line (often faked in exploits):

/opt/cpanel/ea-php73/root/usr/bin/php -f /home/<user>/public_html/<path>/cron.php

I want to stop receiving these notifications. As far as I understand, I need to place the following line in the .pignore file:

exe:/home/virtfs/<user>/opt/cpanel/ea-php73/root/usr/bin/php

However, wouldn't that block ALL notifications from php on this user? This is the only user on the server, so I would be blocking important notifications.
Is there a way to block only notifications regarding this particular cron.php?

Thank you in advance,