
wp-admin/admin-ajax.php causing Suspicious process running

Posted: 22 Sep 2014, 02:44
by cdenterprises
Hello,

I've been receiving this e-mail from all my web hosting accounts. I have researched the web and can't find a solution. I'm aware of being able to add this script to the ignore file. However, I'd like to make sure this is not a problem and hopefully find the cause.
Thank you for your help!

I'm using the stable version of cPanel with Cloud Linux.

Email Subject: lfd on server-domain-name: Suspicious process running under user <username>

Time: Mon Sep 22 00:08:03 2014 +0000
PID: 533391 (Parent PID:528622)
Account: <username>
Uptime: 73 seconds

Executable:

/usr/selector/php


Command Line (often faked in exploits):

/usr/bin/php /home/<username>/public_html/wp-admin/admin-ajax.php


Network connections by the process (if any):

tcp: 10.0.0.186:37272 -> <server_ip>:80

Files open by the process (if any):

(deleted)/tmp/session_mm_cgi-fcgi513.sem


Memory maps by the process (if any):

00400000-00d8c000 r-xp 00000000 ca:50 1377367 /usr/selector/php
00f8b000-01052000 rw-p 0098b000 ca:50 1377367 /usr/selector/php
01052000-01076000 rw-p 00000000 00:00 0
012bd000-03779000 rw-p 00000000 00:00 0 [heap]
7f6280000000-7f6280021000 rw-p 00000000 00:00 0
7f6280021000-7f6284000000 ---p 00000000 00:00 0
7f6286002000-7f6286443000 rw-p 00000000 00:00 0
[vsyscall]

Re: wp-admin/admin-ajax.php causing Suspicious process runni

Posted: 22 Sep 2014, 16:40
by Sergio
Have you tried to add the following line in csf.pignore?
exe:/usr/selector/php

Re: wp-admin/admin-ajax.php causing Suspicious process runni

Posted: 24 Sep 2014, 23:57
by cdenterprises
Like I said in my original post, I do not want to do this, as this would not be the correct way of handling the issue. If the script does pose a problem in the future where it's running for 2 minutes plus, I need to know about it.

Is there a way to give more allowance on the amount of time that the script can run for before it triggers the email?

Thank you for any help!

Re: wp-admin/admin-ajax.php causing Suspicious process runni

Posted: 06 Oct 2014, 20:24
by cdenterprises
FYI: I found the solution.
The correct way to fix this problem is to view the CSF configuration file.
The setting: PT_Limit. Increase this to a higher level that is acceptable for your server.

In the email I received, it stated:
Time: Mon Sep 22 00:08:03 2014 +0000
PID: 533391 (Parent PID:528622)
Account: <username>
Uptime: 73 seconds

The uptime is what you want to increase the PT_Limit to. I increased the uptime to 75 seconds. Anything above 75 seconds I receive an email alert. This way I can verify that my client's website is not under attack or verify that a bad script is not running.

Hope this helps.
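
Added example, not part of the thread and not CSF's own code: a small Python model of the two options discussed above, showing that an exe: line in csf.pignore hides the process however long it runs, while a higher limit still reports a stuck script. The alert text, the account name exampleuser, the 600-second case and the simplified matching logic are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the alert quoted in the first post.
SAMPLE_ALERT = """Time: Mon Sep 22 00:08:03 2014 +0000
PID: 533391 (Parent PID:528622)
Account: exampleuser
Uptime: 73 seconds

Executable:

/usr/selector/php

Command Line (often faked in exploits):

/usr/bin/php /home/exampleuser/public_html/wp-admin/admin-ajax.php
"""

def parse_alert(text):
    """Pull the triage fields out of an lfd 'Suspicious process' alert body."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    uptime = grab(r"^Uptime:\s*(\d+)\s+seconds")
    return {
        "account": grab(r"^Account:\s*(\S+)"),
        "uptime": int(uptime) if uptime else None,
        "exe": grab(r"^Executable:\s+(\S+)"),
        "cmd": grab(r"^Command Line[^\n]*\n\s*(.+)"),
    }

def would_alert(alert, pt_limit, pignore=()):
    """Simplified model (assumption): report when uptime exceeds pt_limit
    and no exe:/cmd:/user: rule from csf.pignore matches exactly."""
    keys = {"exe": "exe", "cmd": "cmd", "user": "account"}
    for rule in pignore:
        kind, _, value = rule.strip().partition(":")
        if kind in keys and alert[keys[kind]] == value:
            return False  # ignored regardless of how long it runs
    return alert["uptime"] > pt_limit

if __name__ == "__main__":
    seen = parse_alert(SAMPLE_ALERT)
    stuck = dict(seen, uptime=600)  # constructed: same script, stuck for 10 min
    for label, a in (("73s", seen), ("600s", stuck)):
        print(label, "limit 60:", would_alert(a, 60),
              "| limit 75:", would_alert(a, 75),
              "| pignore exe:", would_alert(a, 75, ["exe:/usr/selector/php"]))
```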