ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

Process Tracking Emails

https://mail.forum.configserver.com/viewtopic.php?t=8977

Page 1 of 1

Process Tracking Emails

Posted: 23 Sep 2015, 09:37
by IsraelPaya67
I have several websites made in WordPress. WordPress try to update itself regularly. When it happens, I received an email from the server for every website of this type:

Time: Tue Sep 22 08:30:35 2015 +0200
PID: 5733 (Parent PID:3407)
Account: userxxx
Time active: 76 seconds
Executable:
/usr/bin/php
Command line (often misrepresented exploits):
/usr/bin/php /home/userxxx/public_html/wp-cron.php
Network connections of the process (if any):
tcp: 37.187...

How can I avoid receiving these emails?

Thank you so much.

Regards.

Re: Process Tracking Emails

Posted: 24 Sep 2015, 14:40
by maever
Hello IsraelPaya67,

One solution would be adding the commandline (with a wildcard) of the script in question to the csf.pignore file such as the below example:

Code: Select all

pcmd:/usr/bin/php /home/.*/public_html/wp-cron.php
hope it helps :)

Re: Process Tracking Emails

Posted: 24 Sep 2015, 16:04
by IsraelPaya67
Fantastic. Thank you so much for your support!
Best regards.

Re: Process Tracking Emails

Posted: 16 Apr 2017, 15:51
by cglmicro
It's not working for me with the wildcard.
Here is my /etc/csf/csf.pignore file (only a few lines of it):

Code: Select all

cmd:/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/.*/public_html/wp-cron.php
cmd:/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/.*/public_html/wp-admin/admin-ajax.php
I did RESTART CSF+LFD when asked, and I still receive these emails:

Code: Select all

Time:    Sun Apr 16 10:44:00 2017 -0400
PID:     20892 (Parent PID:15283)
Account: fakeusername
Uptime:  167 seconds


Executable:

/opt/cpanel/ea-php56/root/usr/bin/php-cgi


Command Line (often faked in exploits):

/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/fakeusername/public_html/wp-admin/admin-ajax.php


Network connections by the process (if any):

tcp: 108.163.xxx.xxx:41141 -> 108.163.xxx.xxx:80
I also tried with a wildcard * instead of .* but same result. Any suggestion?

Re: Process Tracking Emails

Posted: 17 Apr 2017, 20:02
by Sergio
Add just the following line to csf.pignore:
exe:/usr/bin/php

That will work.

Re: Process Tracking Emails

Posted: 17 Apr 2017, 21:17
by cglmicro
I saw this answer in another thread, and it bring another question: This line won't ignore every alerts regarding PHP scripts, or just affect this single alert ?

Re: Process Tracking Emails

Posted: 18 Apr 2017, 02:06
by Sergio
@cglmicro,
That line helps php to run, chances are that another customers will trigger the same.

On the other hand, on the first post was:
Executable:
/usr/bin/php

But in your post you wrote:
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Both are completely different approaches.

So, for your particular case you should add the following line in csf.pignore:
exe:/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Sergio

Re: Process Tracking Emails

Posted: 21 Apr 2017, 20:50
by cglmicro
Thank you, I just added
exe:/opt/cpanel/ea-php56/root/usr/bin/php-cgi
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited