Ignore a Suspicious Process/TCP Connection

Posted: 11 Mar 2013, 13:07
by osmanbsd
Hi Everyone,

First of all thanks a lot for this wonderful product.

I am having an issue on a server where I have memcached running for a vBulletin forum. I have put an entry for the memcached process in the csf.pignore file, but I think it has nothing to do with the alerts I am getting relating to memcached TCP connections:

Code:

Executable:
 /usr/bin/php
 
Command Line (often faked in exploits):
 /usr/bin/php /home/xxxx/public_html/vb/vbseo.php
 
Network connections by the process (if any):
 tcp: 127.0.0.1:57479 -> 127.0.0.1:11211

Any idea how I can put a process on ignore based on the TCP port, or any other idea?
Thanks a lot for reading.

Regards
usman

Re: Ignore a Suspicious Process/TCP Connection

Posted: 11 Mar 2013, 18:45
by Sergio
Try ignoring by user, edit cxs.pignore and add:
user:xxxx

Re: Ignore a Suspicious Process/TCP Connection

Posted: 11 Mar 2013, 20:16
by osmanbsd
Hi,

Thanks a lot for your reply, but I cannot do this, as this is the main and most important website on the server and it is running under suPHP.

Regards
usman

Re: Ignore a Suspicious Process/TCP Connection

Posted: 12 Mar 2013, 01:46
by Sergio
You can't use csf.pignore with IPs; you have to set a cmd, exe or user. If you can't use user, then try cmd, like this:
cmd:/home/xxxx/public_html/vb/vbseo.php
This will ignore the processes run by vbseo.php.
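Since csf.pignore keys on cmd, exe or user rather than on the connection, any filtering by destination port has to happen outside csf. As an added example (not csf code and not from either poster), here is a small Python triage filter that parses the alert format quoted above and treats only PHP connections to the local memcached port as benign, keyed on the executable and destination rather than on the command line, which the alert itself notes is often faked. The allowlist tuple and the sample alert are constructed for the example.

```python
import re

# Constructed sample of the lfd process-tracking alert quoted in the thread.
SAMPLE_ALERT = """\
Executable:
 /usr/bin/php

Command Line (often faked in exploits):
 /usr/bin/php /home/xxxx/public_html/vb/vbseo.php

Network connections by the process (if any):
 tcp: 127.0.0.1:57479 -> 127.0.0.1:11211
"""

# Hypothetical allowlist of (executable, destination host, destination port).
# The command line is deliberately not a criterion: it can be spoofed, while
# the executable path and the loopback memcached destination are what make
# this particular connection expected.
KNOWN_BENIGN = {("/usr/bin/php", "127.0.0.1", 11211)}  # PHP -> local memcached


def parse_alert(text):
    """Extract executable, command line and TCP destinations from an alert."""
    exe = re.search(r"^Executable:\s*\n\s*(\S+)", text, re.M).group(1)
    cmd = re.search(r"^Command Line[^\n]*:\s*\n\s*(.+)$", text, re.M).group(1).strip()
    conns = []
    for _src, dst in re.findall(r"tcp:\s*(\S+)\s*->\s*(\S+)", text):
        host, port = dst.rsplit(":", 1)
        conns.append((host, int(port)))
    return {"exe": exe, "cmd": cmd, "conns": conns}


def classify(alert):
    """Return 'ignore' only when every reported connection is on the allowlist;
    anything else (unknown destination, or no connection data) stays for review."""
    info = parse_alert(alert)
    if not info["conns"]:
        return "review"
    if all((info["exe"], host, port) in KNOWN_BENIGN for host, port in info["conns"]):
        return "ignore"
    return "review"


if __name__ == "__main__":
    print(classify(SAMPLE_ALERT))
```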