  1. #1
    Member
    Join Date
    Apr 2011
    Posts
    71

    lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID 0)

    Hi,

    We have recently installed the plugin ConfigServer Security & Firewall - csf v5.19.

    I get log entries like this. Any suggestions? (For security reasons, the USER and domain names have been changed.)


    Apr 13 11:39:26 lfd[13641]: *User Processing* PID:31247 Kill:0 User:USER Time:12681 EXE:/usr/local/cpanel/bin/cpuwatch CMD:/usr/local/cpanel/bin/logrunner 4.0 /usr/local/cpanel/3rdparty/bin/english/webalizer -N 10 -D /home/USER/tmp/webalizer/dns_cache.db -R 250 -p -n domain.com -o /home/USER/tmp/webalizer /usr/local/apache/domlogs/domain.com.bkup
    Apr 13 11:39:26 lfd[13641]: *User Processing* PID:31245 Kill:0 User:USER Time:12681 EXE:/usr/bin/perl CMD:cpanellogd - http logs for USER
    Apr 13 11:43:20 lfd[14011]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 11:48:24 lfd[14269]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 11:53:36 lfd[14558]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 11:58:30 lfd[14884]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:01:13 lfd[15223]: *Suspicious Process* PID:14972 User:USER Uptime:72 secs EXE:/usr/bin/php CMD:php /home/USER/public_html/webmaster/wm_auto.php
    Apr 13 12:03:35 lfd[15309]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:08:35 lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:13:25 lfd[15916]: *LOAD* 5 minute load average is 7.78, threshold is 6 - email sent
    Apr 13 12:13:35 lfd[15932]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:18:35 lfd[16213]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:23:39 lfd[16509]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:28:44 lfd[16878]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:33:47 lfd[17232]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:38:47 lfd[17547]: *System Exploit* has detected a possible root compromise (admin = UID 0)
    Apr 13 12:39:32 lfd[17554]: *User Processing* PID:31247 Kill:0 User:USER Time:16287 EXE:/usr/local/cpanel/bin/cpuwatch CMD:/usr/local/cpanel/bin/logrunner 4.0 /usr/local/cpanel/3rdparty/bin/english/webalizer -N 10 -D /home/USER/tmp/webalizer/dns_cache.db -R 250 -p -n adomain.com -o /home/USER/tmp/webalizer /usr/local/apache/domlogs/domain.com.bkup
    Apr 13 12:39:32 lfd[17554]: *User Processing* PID:31245 Kill:0 User:USER Time:16287 EXE:/usr/bin/perl CMD:cpanellogd - http logs for USER
    Apr 13 12:43:49 lfd[17856]: *System Exploit* has detected a possible root compromise (admin = UID 0)

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,300
    cPanel/Enkompass Access Level

    Root Administrator

    Re: lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID

    Please post on CSF forum if you need assistance with their alerts:

    ConfigServer Scripts Forum • View forum - General Discussion (csf)

    We would have no way to know what they are using as criteria for a possible root compromise.
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  3. #3
    Member
    Join Date
    Jul 2004
    Posts
    102

    Re: lfd[15589]: *System Exploit* has detected a possible root compromise (admin = UID

    If you get this at the moment you are logged in, you could enter the command "top" in order to find out what the processes that the warning message is referring to are.
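
The alert repeated in this thread names an account, admin, with UID 0. As an added example (not part of any post in the thread, and not csf code), this shell script pulls the flagged account names out of lfd log lines and checks whether a passwd-format file still gives them UID 0. The function names and the sample passwd entries are constructed for illustration, and it assumes the alert refers to an /etc/passwd entry.

```shell
#!/bin/sh
# Added example: triage of lfd "*System Exploit*" lines like those in this thread.
# Assumption: "(name = UID n)" in the alert refers to a passwd entry.
# Function names are hypothetical; all sample data below is constructed.

# Print "name:uid:count" for each distinct account named in a System Exploit line.
flagged_accounts() {  # $1 = lfd log file
    sed -n 's/.*\*System Exploit\* has detected a possible root compromise (\([^ ]*\) = UID \([0-9]*\)).*/\1 \2/p' "$1" |
        sort | uniq -c | awk '{print $2 ":" $3 ":" $1}'
}

# Print every account other than root whose UID field is 0.
extra_uid0() {  # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# For each flagged account, report whether the passwd file still gives it UID 0.
triage() {  # $1 = lfd log file, $2 = passwd-format file
    flagged_accounts "$1" | while IFS=: read -r name uid count; do
        if extra_uid0 "$2" | grep -qxF -- "$name"; then
            echo "$name (UID $uid): reported $count times, still UID 0 in passwd file"
        else
            echo "$name (UID $uid): reported $count times, not UID 0 in passwd file"
        fi
    done
}

# Run the triage over constructed sample files.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/lfd.log" <<'EOF'
Apr 13 11:43:20 lfd[14011]: *System Exploit* has detected a possible root compromise (admin = UID 0)
Apr 13 11:48:24 lfd[14269]: *System Exploit* has detected a possible root compromise (admin = UID 0)
Apr 13 12:13:25 lfd[15916]: *LOAD* 5 minute load average is 7.78, threshold is 6 - email sent
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/bash
USER:x:501:501::/home/USER:/bin/bash
EOF
    triage "$tmp/lfd.log" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real server the two arguments to `triage` would be the lfd log file and /etc/passwd.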
