Hi all,
I've been getting numerous suspicious process alerts each day, listing /usr/bin/php as the suspicious process but no actual process beyond that. I'm not sure if this is a false positive or not - and even if it is I don't know how to block it because it doesn't seem wise to ignore everything under php.
Can anyone help interpret this? I've searched high and low in this and other forums and haven't been able to find a similar situation.
Here's an example email:
Time: Fri Feb 26 11:18:26 2016 +0000
PID: 29663 (Parent PID:29408)
Account: (username removed)
Uptime: 111 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
tcp: 127.0.0.1:38213 -> 127.0.0.1:11211
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
(deleted)/tmp/.ZendSem.Dek1Ac
(deleted)/tmp/ZCUDs5fJdf
Memory maps by the process (if any):
suspicious process alert but no process listed
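The alert above contains more than just "/usr/bin/php": it names the parent PID, the open sockets and the open files, and the things a defender actually checks are whether the command line matches the executable, whether the binary itself was unlinked, whether any socket leaves the box, and which open files were deleted. The following is an added example (not from this thread and not csf/lfd code) that parses an lfd alert of this shape and reports those points; the alert text inside it is a constructed copy of the one posted, and the loopback-only rule treats 127.0.0.1 and ::1 as local (port 11211 is memcached's default).

```python
"""Parse an lfd 'suspicious process' alert and report what in it deserves a look.

Added example, not part of the forum thread and not csf/lfd code. SAMPLE_ALERT is a
constructed copy of the alert posted in the thread (username removed, as there).
"""
import re
from dataclasses import dataclass, field

SAMPLE_ALERT = """\
Time: Fri Feb 26 11:18:26 2016 +0000
PID: 29663 (Parent PID:29408)
Account: (username removed)
Uptime: 111 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
tcp: 127.0.0.1:38213 -> 127.0.0.1:11211
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
(deleted)/tmp/.ZendSem.Dek1Ac
(deleted)/tmp/ZCUDs5fJdf
Memory maps by the process (if any):
"""

# Section headers exactly as lfd prints them, mapped to Alert attribute names.
SECTION_HEADERS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "cmdline",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "files",
    "Memory maps by the process (if any):": "maps",
}


@dataclass
class Alert:
    pid: int = 0
    ppid: int = 0
    uptime: int = 0
    executable: str = ""
    cmdline: str = ""
    connections: list = field(default_factory=list)
    files: list = field(default_factory=list)
    maps: list = field(default_factory=list)


def parse_alert(text):
    """Turn the alert body into an Alert; list sections are de-duplicated because
    lfd prints one line per file descriptor (error_log appears twice above)."""
    alert = Alert()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = re.match(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", line)
        if m:
            alert.pid, alert.ppid = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"Uptime:\s*(\d+)", line)
        if m:
            alert.uptime = int(m.group(1))
            continue
        if section == "executable":
            alert.executable = line
        elif section == "cmdline":
            alert.cmdline = line
        elif section in ("connections", "files", "maps"):
            items = getattr(alert, section)
            if line not in items:
                items.append(line)
    return alert


def deleted_files(alert):
    """Open files whose directory entry has been unlinked (lfd prefixes '(deleted)')."""
    prefix = "(deleted)"
    return [f[len(prefix):] for f in alert.files if f.startswith(prefix)]


def external_connections(alert):
    """Connections whose remote end is not loopback."""
    out = []
    for conn in alert.connections:
        m = re.match(r"(\w+):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)", conn)
        if m:
            remote = m.group(4)
            if not (remote.startswith("127.") or remote == "::1"):
                out.append(conn)
    return out


def triage(alert):
    """Findings a defender would want to see first, in a fixed order."""
    findings = []
    if alert.cmdline != alert.executable:
        findings.append("command line does not match executable")
    if "(deleted)" in alert.executable:
        findings.append("executable was deleted after launch")
    for conn in external_connections(alert):
        findings.append("non-loopback connection: " + conn)
    unlinked = deleted_files(alert)
    if unlinked:
        findings.append("open-but-unlinked files: " + ", ".join(unlinked))
    return findings


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"PID {a.pid} (parent {a.ppid}), up {a.uptime}s, exe {a.executable}")
    for f in triage(a) or ["nothing beyond the unlinked-file heuristic"]:
        print(" -", f)
```

Run against the posted alert, the only finding is the pair of unlinked /tmp files; the command line matches the binary, the binary itself still exists, and the single socket is loopback. That is the reason lfd fired (its check for processes holding deleted files), so the remaining question is which PHP script the Apache child (parent PID 29408) was running, which the alert does not say.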
Re: suspicious process alert but no process listed
I have the same issue. I added exe:/usr/bin/php to pignore, yet the issue persists.
Re: suspicious process alert but no process listed
I'm having the same issue... how can we deal with this?
Re: suspicious process alert but no process listed
Just a bump to see if anyone found anything.
It does show if something is running from a deleted process.
It would be VERY nice if they showed what script was running the process. I have no idea where to look.
There does seem to be a way to tell LFD to stop checking for processes running from deleted temp files. However, if I knew what script was at fault, I could go to the source.
http://g33kinfo.com/info/archives/3933
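The alert itself cannot say which script was running, because lfd only reports the command line and that is just /usr/bin/php. While such a worker is still alive, /proc can answer the question: when Apache runs PHP as a CGI/FastCGI child, the CGI environment (SCRIPT_FILENAME, DOCUMENT_ROOT, REQUEST_URI) is inherited by the php process, and /proc/<pid>/cwd, the parent chain and the fd table show the rest. The script below is an added example, not from this thread and not part of csf/lfd; it assumes Linux with /proc and that /usr/bin/php is the path to look for, as in the alert. Its self_check() reproduces the condition lfd flags (an open file that has been unlinked) in the current process so the detection can be exercised without waiting for the next alert.

```python
"""Identify what a live /usr/bin/php worker is running, using /proc.

Added example, not from the forum thread and not csf/lfd code. Assumes Linux
(/proc present) and that PHP is started by the web server as a CGI/FastCGI
child, so the CGI variables are in the process environment.
"""
import os
import sys
import tempfile

CGI_KEYS = ("SCRIPT_FILENAME", "DOCUMENT_ROOT", "REQUEST_URI", "PWD")
PHP_BINARY = "/usr/bin/php"  # path reported in the alert


def read_proc(pid, name):
    try:
        with open(f"/proc/{pid}/{name}", "rb") as f:
            return f.read()
    except OSError:
        return b""


def proc_link(pid, name):
    try:
        return os.readlink(f"/proc/{pid}/{name}")
    except OSError:
        return ""


def proc_cmdline(pid):
    return [a.decode(errors="replace") for a in read_proc(pid, "cmdline").split(b"\0") if a]


def proc_environ(pid, keys=CGI_KEYS):
    """Only the CGI variables that name the script; the rest of environ is noise here."""
    env = {}
    for item in read_proc(pid, "environ").split(b"\0"):
        k, sep, v = item.partition(b"=")
        if sep and k.decode(errors="replace") in keys:
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def deleted_open_files(pid):
    """Open fds whose file was unlinked; the kernel appends ' (deleted)' to the link target."""
    out = []
    try:
        fds = os.listdir(f"/proc/{pid}/fd")
    except OSError:
        return out
    for fd in fds:
        target = proc_link(pid, f"fd/{fd}")
        if target.endswith(" (deleted)"):
            out.append(target[: -len(" (deleted)")])
    return out


def parent_chain(pid, limit=8):
    """[(pid, comm), ...] from the process up towards init, via PPid in /proc/pid/status."""
    chain = []
    while pid >= 1 and len(chain) < limit:
        comm = read_proc(pid, "comm").decode(errors="replace").strip()
        chain.append((pid, comm))
        ppid = 0
        for line in read_proc(pid, "status").decode(errors="replace").splitlines():
            if line.startswith("PPid:"):
                ppid = int(line.split()[1])
                break
        pid = ppid
    return chain


def inspect_process(pid):
    return {
        "exe": proc_link(pid, "exe"),
        "cwd": proc_link(pid, "cwd"),
        "cmdline": proc_cmdline(pid),
        "cgi_env": proc_environ(pid),
        "deleted_files": deleted_open_files(pid),
        "ancestry": parent_chain(pid),
    }


def find_php_workers(binary=PHP_BINARY):
    """PIDs whose /proc/pid/exe resolves to the PHP binary named in the alert."""
    return [int(e) for e in os.listdir("/proc") if e.isdigit() and proc_link(int(e), "exe") == binary]


def self_check():
    """Open a temp file, unlink it, and confirm this process is flagged for it."""
    fd, path = tempfile.mkstemp(prefix="lfdcheck_")
    os.unlink(path)
    seen_while_open = path in deleted_open_files(os.getpid())
    os.close(fd)
    seen_after_close = path in deleted_open_files(os.getpid())
    return seen_while_open, seen_after_close


if __name__ == "__main__":
    pids = [int(p) for p in sys.argv[1:]] or find_php_workers()
    for pid in pids:
        info = inspect_process(pid)
        print(f"PID {pid}: exe={info['exe']} cwd={info['cwd']}")
        print("  cmdline:", " ".join(info["cmdline"]))
        print("  script:", info["cgi_env"].get("SCRIPT_FILENAME", "(no CGI env; check cmdline and cwd)"))
        print("  ancestry:", " <- ".join(f"{comm}[{p}]" for p, comm in info["ancestry"]))
        for path in info["deleted_files"]:
            print("  open but unlinked:", path)
```

Run it as root (the environ and fd entries of another user's process are not readable otherwise) while the workers are present, or from a cron job that runs more often than the 111-second lifetime in the alert. A worker whose SCRIPT_FILENAME and cwd sit inside the expected document root, with an Apache ancestor and only the PHP-owned /tmp entries unlinked, is the benign pattern; a script outside the document root, or a php process with no web-server ancestor, is what to look at first.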