
squirrelmail is reported as Suspicious Process

Posted: 27 Jun 2008, 07:02
by prabudh
Upgraded 3 servers to latest CSF and all of them report Suspicious process when users are accessing email using squirrelmail.

Time: Fri Jun 27 00:25:46 2008
PID: 20395
Account: dxxxnd
Uptime: 161 seconds
Executable:
/usr/local/cpanel/3rdparty/bin/php-cgi
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/cpanel/base/3rdparty/squirrelmail/src/right_main.php
Network connections by the process (if any):
tcp: 127.0.0.1:35159 -> 127.0.0.1:143
Is this normal or do I need to update any settings?

Posted: 28 Jun 2008, 08:41
by powvex
Same here:

Executable:
/usr/local/cpanel/3rdparty/bin/php-cgi


Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/cpanel/base/3rdparty/squirrelmail/src/download.php

Posted: 07 Jul 2008, 16:55
by chirpy
If you want an exception for /usr/local/cpanel/3rdparty/bin/php-cgi scripts add to csf.pignore:

exe:/usr/local/cpanel/3rdparty/bin/php-cgi

Then restart lfd.
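
An exe: entry in csf.pignore covers every process started from that binary, so it helps to confirm first that the alerts being silenced all fit the webmail pattern quoted in this thread. The script below is an added example, not part of the original posts and not code from CSF/lfd. The function names and the acceptance criteria (cPanel php-cgi binary, script under the squirrelmail directory, loopback connection to port 143) are assumptions taken from the alerts above.

```python
import ipaddress
import posixpath
import re

# Constructed sample modelled on the alert sections quoted in the first post.
SAMPLE_ALERT = """\
Executable:
/usr/local/cpanel/3rdparty/bin/php-cgi
Command Line (often faked in exploits):
/usr/local/cpanel/3rdparty/bin/php-cgi /usr/local/cpanel/base/3rdparty/squirrelmail/src/right_main.php
Network connections by the process (if any):
tcp: 127.0.0.1:35159 -> 127.0.0.1:143
"""

PHP_CGI = "/usr/local/cpanel/3rdparty/bin/php-cgi"
WEBMAIL_DIR = "/usr/local/cpanel/base/3rdparty/squirrelmail/"
HEADERS = {"Executable:": "exe", "Command Line": "cmd", "Network connections": "net"}
CONN_RE = re.compile(r"^\w+: \S+:\d+ -> (\S+):(\d+)$")

def parse_alert(text):
    """Collect the lines that follow each section header of an alert."""
    fields, key = {"exe": [], "cmd": [], "net": []}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        hit = next((v for h, v in HEADERS.items() if line.startswith(h)), None)
        if hit:
            key = hit
        elif key:
            fields[key].append(line)
    return fields

def is_local_imap(host, port):
    try:
        return ipaddress.ip_address(host).is_loopback and port == "143"
    except ValueError:  # remote end is not an IP literal
        return False

def triage(text):
    """Return the reasons an alert does not fit the webmail pattern (empty list = fits)."""
    f, reasons = parse_alert(text), []
    if f["exe"] != [PHP_CGI]:
        reasons.append("unexpected executable")
    # The command line can be faked, so it is only a supporting check.
    args = f["cmd"][0].split() if f["cmd"] else []
    if len(args) != 2 or not posixpath.normpath(args[1]).startswith(WEBMAIL_DIR):
        reasons.append("script outside squirrelmail directory")
    for line in f["net"]:
        if not ((m := CONN_RE.match(line)) and is_local_imap(*m.groups())):
            reasons.append("non-local or non-IMAP connection: " + line)
    return reasons
```

Run `triage()` over each saved alert body; any alert that returns a non-empty list deserves a closer look before the exception goes in.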