Cant get lsphp command whitelisting in /etc/csf/csf.pignore to work

[MrIver]

Hi Guys,

We are getting alot of these errors:

Executable:
/opt/cpanel/ea-php72/root/usr/bin/lsphp.cagefs

Command Line (often faked in exploits):

lsphp:/home/[user]/public_html/wp-cron.php

They are very much a false-positive, since wp-cron.php i normal script in all WP installations.

So how do we whitelist this cmd?

I have tried adding this in /etc/csf/csf.pignore:

pcmd:lsphp:/home/*/public_html/wp-cron.php
pcmd:lsphp:/home/*/public_html/*/wp-cron.php
pcmd:lsphp:/home/*/*/wp-cron.php

We have also tried:

pcmd:/usr/bin/php /home/*/public_html/wp-cron.php
pcmd:/usr/bin/php /home/*/public_html/*/wp-cron.php
pcmd:/usr/bin/php /home/*/*/wp-cron.php

But it does not seem to have an effect.

Any ideas?

 

[fuzzylogic]

I don't do this but would try...

pcmd:lsphp:/home/.*/public_html/wp-cron\.php

and

pcmd:lsphp:/home/.*/public_html/.*/wp-cron\.php

Also note that Chirpy warns...

# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.

 

[cPanelLauren]

This is also discussed on their forums here: Process Tracking and csf.pignore - ConfigServer Community Forum and it's also discussed in Section 8 of their readme here: Process Tracking and csf.pignore - ConfigServer Community Forum

 

[MrIver]

Thanks guys - looks like the code from fuzzylogic works

 

[LitespeedLucas]

Ideally you'd want to add the pignore for the lsphp binaries instead of specific scripts:

pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*

 

[MrIver]

Ideally you'd want to add the pignore for the lsphp binaries instead of specific scripts:

pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.*

But would this not whitelist all processes? Then we would not get any alerts for processes that might acutually be suspicious?

 

[cPanelLauren]

That would whitelist all lsphp processes it would not whitelist all processes