Can't get lsphp command whitelisting in /etc/csf/csf.pignore to work

MrIver

Hi Guys,

We are getting a lot of these errors:

Executable:
/opt/cpanel/ea-php72/root/usr/bin/lsphp.cagefs

Command Line (often faked in exploits):

lsphp:/home/[user]/public_html/wp-cron.php


They are very much a false positive, since wp-cron.php is a normal script in all WP installations.

So how do we whitelist this cmd?

I have tried adding this in /etc/csf/csf.pignore:

Code:
pcmd:lsphp:/home/*/public_html/wp-cron.php
pcmd:lsphp:/home/*/public_html/*/wp-cron.php
pcmd:lsphp:/home/*/*/wp-cron.php

We have also tried:

Code:
pcmd:/usr/bin/php /home/*/public_html/wp-cron.php
pcmd:/usr/bin/php /home/*/public_html/*/wp-cron.php
pcmd:/usr/bin/php /home/*/*/wp-cron.php

But it does not seem to have an effect.

Any ideas?
 

fuzzylogic

I don't do this but would try...
Code:
pcmd:lsphp:/home/.*/public_html/wp-cron\.php
and
Code:
pcmd:lsphp:/home/.*/public_html/.*/wp-cron\.php
Also note that Chirpy warns...
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
 

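Added example, not part of either post above and not code from csf: `pcmd:` entries in csf.pignore are Perl regular expressions, not shell globs, so this Python sketch runs the patterns from the thread against constructed command lines to show which ones match. It assumes lfd matches the pattern against the whole command line; the `TIGHT` pattern and the account names are illustrative assumptions.

```python
import re

# Constructed sample command lines in the form lfd reports (account names are made up).
SAMPLES = [
    "lsphp:/home/alice/public_html/wp-cron.php",         # main site
    "lsphp:/home/bob/public_html/blog/wp-cron.php",      # WordPress in a subdirectory
    "lsphp:/home/bob/public_html/wp-cronXphp",           # not wp-cron.php
    "lsphp:/home/carol/tmp/x/public_html/wp-cron.php",   # public_html nested deeper
]

# Values from the first post, without the "pcmd:" prefix. Read as regex,
# "/*" means "zero or more slashes", not "any directory name".
GLOB_STYLE = [
    r"lsphp:/home/*/public_html/wp-cron.php",
    r"lsphp:/home/*/public_html/*/wp-cron.php",
    r"lsphp:/home/*/*/wp-cron.php",
]

# Values from the reply: ".*" for the variable part, "\." for a literal dot.
REGEX_STYLE = [
    r"lsphp:/home/.*/public_html/wp-cron\.php",
    r"lsphp:/home/.*/public_html/.*/wp-cron\.php",
]

# Tighter variant (assumption, not from the thread): exactly one path segment
# for the account and at most one subdirectory, so the ignore rule cannot
# stretch across extra directories or whitespace.
TIGHT = [r"lsphp:/home/[^/\s]+/public_html/(?:[^/\s]+/)?wp-cron\.php"]


def ignored(cmdline, patterns):
    """True if any pattern matches the entire command line (assumed lfd behaviour)."""
    return any(re.fullmatch(p, cmdline) for p in patterns)


def report(patterns):
    """Match result for each entry in SAMPLES, in order."""
    return [ignored(s, patterns) for s in SAMPLES]


if __name__ == "__main__":
    for name, pats in (("glob", GLOB_STYLE), ("regex", REGEX_STYLE), ("tight", TIGHT)):
        print(f"{name:5}", report(pats))
```

The glob-style entries match none of the samples, which is consistent with the "no effect" result in the first post. The `.*` patterns also ignore the nested path in the last sample, which matters given the csf warning that the reported command line can be changed by the process.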