suspicious process alert but no process listed
Posted: 26 Feb 2016, 11:32
Hi all,
I've been getting numerous suspicious process alerts each day, listing /usr/bin/php as the suspicious process but no actual process beyond that. I'm not sure if this is a false positive or not - and even if it is I don't know how to block it because it doesn't seem wise to ignore everything under php.
Can anyone help interpret this? I've searched high and low in this and other forums and haven't been able to find a similar situation.
Here's an example email:
Time: Fri Feb 26 11:18:26 2016 +0000
PID: 29663 (Parent PID:29408)
Account: (username removed)
Uptime: 111 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
tcp: 127.0.0.1:38213 -> 127.0.0.1:11211
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
(deleted)/tmp/.ZendSem.Dek1Ac
(deleted)/tmp/ZCUDs5fJdf
Memory maps by the process (if any):
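As an added example (not part of the original post or of csf/lfd itself), here is a small Python triage helper that parses an lfd suspicious-process alert of the shape shown above and turns its fields into review notes. The sample alert embedded in the script is the one quoted in the post. The notes are heuristics chosen here, not lfd's own logic: a loopback connection to 11211 is flagged as informational because 11211 is memcached's default port and the peer is the same host; a deleted file named `/tmp/.ZendSem.*` matches the naming of the shared-memory lock file that Zend OPcache creates and immediately unlinks; any other deleted-but-open file is marked for review. The parent PID is parsed so you can map it to its process yourself (a parent that is the web server or php-fpm master points to an ordinary request worker, which the alert alone does not tell you).

```python
import re
from dataclasses import dataclass, field
from typing import List

# Alert body copied from the forum post above (the poster had already removed the username).
SAMPLE_ALERT = """Time: Fri Feb 26 11:18:26 2016 +0000
PID: 29663 (Parent PID:29408)
Account: (username removed)
Uptime: 111 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php
Network connections by the process (if any):
tcp: 127.0.0.1:38213 -> 127.0.0.1:11211
Files open by the process (if any):
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
(deleted)/tmp/.ZendSem.Dek1Ac
(deleted)/tmp/ZCUDs5fJdf
Memory maps by the process (if any):
"""

# Section headers exactly as lfd prints them; each is followed by zero or more lines.
SECTIONS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "command_line",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "files",
    "Memory maps by the process (if any):": "maps",
}

@dataclass
class Alert:
    time: str = ""
    pid: int = 0
    parent_pid: int = 0
    account: str = ""
    uptime_seconds: int = 0
    executable: List[str] = field(default_factory=list)
    command_line: List[str] = field(default_factory=list)
    connections: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)
    maps: List[str] = field(default_factory=list)

def parse_alert(text: str) -> Alert:
    """Split an lfd suspicious-process alert into header fields and section lists."""
    alert = Alert()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:                       # switch to the section that follows
            section = SECTIONS[line]
            continue
        m = re.match(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)", line)
        if m:
            alert.pid, alert.parent_pid = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"Uptime:\s*(\d+)\s*seconds", line)
        if m:
            alert.uptime_seconds = int(m.group(1))
            continue
        if line.startswith("Time:"):
            alert.time = line[len("Time:"):].strip()
            continue
        if line.startswith("Account:"):
            alert.account = line[len("Account:"):].strip()
            continue
        if section is not None:                    # any other line belongs to the open section
            getattr(alert, section).append(line)
    return alert

CONN_RE = re.compile(r"(?P<proto>\w+):\s*(?P<lhost>\S+):(?P<lport>\d+)\s*->\s*(?P<rhost>\S+):(?P<rport>\d+)")
MEMCACHED_PORT = 11211   # memcached's default listening port

def triage(alert: Alert) -> List[str]:
    """Heuristic review notes (assumptions of this helper, not lfd's verdict)."""
    notes = []
    if alert.command_line != alert.executable:
        notes.append("REVIEW: command line differs from executable (the alert itself warns it may be faked)")
    for conn in alert.connections:
        m = CONN_RE.match(conn)
        if not m:
            notes.append(f"REVIEW: unparsed connection line: {conn}")
            continue
        remote, rport = m.group("rhost"), int(m.group("rport"))
        if remote.startswith("127."):
            what = "memcached default port" if rport == MEMCACHED_PORT else f"port {rport}"
            notes.append(f"INFO: loopback connection to {what}; traffic stays on this host")
        else:
            notes.append(f"REVIEW: connection to non-loopback host {remote}:{rport}")
    for f in alert.files:
        if f.startswith("(deleted)"):
            path = f[len("(deleted)"):]
            if "/.ZendSem." in path:
                notes.append(f"INFO: {path} matches the Zend OPcache lock-file name (created in /tmp, unlinked at once)")
            else:
                notes.append(f"REVIEW: unidentified deleted file still open: {path} (inspect /proc/{alert.pid}/fd while it runs)")
    return notes

if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"PID {a.pid} (parent {a.parent_pid}), uptime {a.uptime_seconds}s, exe {a.executable}")
    for note in triage(a):
        print(note)
```

Run it on the mail body (for example `python3 triage.py < alert.txt` after swapping `SAMPLE_ALERT` for `sys.stdin.read()`) and the output for the post's alert is two INFO lines and one REVIEW line, the latter for `/tmp/ZCUDs5fJdf`. That review item, plus whatever the parent PID turns out to be, is what decides the question in the post; ignoring everything under `/usr/bin/php` would hide exactly those two signals.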