Hello guys,
We get alerts from CSF/LFD many times a day about a command running from one of our clients' websites. The email reads (changed a little so the URL isn't correct):
lfd on server1.hostname.com: Suspicious process running under user lloydmorgan
Executable: /usr/bin/wget
Command Line (often faked in exploits):
wget --quiet --delete-after --no-check-certificate https://domain.co.uk/index.php?route=information/feedportwest
I have set up a few different commands in csf.pignore and none of them work, including:
pcmd:/usr/bin/wget --quiet --delete-after --no-check-certificate https:\/\/domain\.co\.uk\/*
pcmd:wget --quiet --delete-after --no-check-certificate https:\/\/domain\.co\.uk\/*
pcmd:wget --quiet --delete-after --no-check-certificate https://domain.co.uk/*
What am I doing wrong? How can I ignore this process correctly by wildcarding the wget domain? Is it possible?
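An added illustration (not part of the post) of why the three patterns above do not match: `*` in a regex means "zero or more of the preceding character", so `\/*` matches nothing beyond the domain, and if the pattern is anchored to the whole command line it fails. The script assumes lfd matches a `pcmd:` regex against the full command line (anchored at both ends), which is how the csf.pignore comments describe it, and tests the poster's patterns against the command line from the alert.

```python
import re

# The command line taken from the lfd alert in the post (URL altered as in the post).
CMDLINE = ("wget --quiet --delete-after --no-check-certificate "
           "https://domain.co.uk/index.php?route=information/feedportwest")

# The three pcmd: patterns tried in the post, as they appear after the "pcmd:" prefix.
TRIED = [
    r"/usr/bin/wget --quiet --delete-after --no-check-certificate https:\/\/domain\.co\.uk\/*",
    r"wget --quiet --delete-after --no-check-certificate https:\/\/domain\.co\.uk\/*",
    r"wget --quiet --delete-after --no-check-certificate https://domain.co.uk/*",
]

# Same pattern with the regex wildcard ".*" instead of the shell glob "*".
# Assumption: lfd anchors a pcmd: regex to the whole command line, so the
# path and query string after the domain must be covered by the pattern.
FIXED = r"wget --quiet --delete-after --no-check-certificate https://domain\.co\.uk/.*"


def pcmd_matches(pattern: str, cmdline: str) -> bool:
    """Anchored match of a pcmd: regex against the whole command line (assumed lfd behaviour)."""
    return re.fullmatch(pattern, cmdline) is not None


def partial_matches(pattern: str, cmdline: str) -> bool:
    """Unanchored match, for contrast: shows why the glob-style patterns look right at a glance."""
    return re.search(pattern, cmdline) is not None


def report() -> dict:
    """Return {pattern: (anchored, unanchored)} for every pattern, for inspection."""
    results = {}
    for pat in TRIED + [FIXED]:
        results[pat] = (pcmd_matches(pat, CMDLINE), partial_matches(pat, CMDLINE))
    return results


if __name__ == "__main__":
    for pat, (anchored, loose) in report().items():
        print(f"anchored={anchored!s:5} unanchored={loose!s:5}  pcmd:{pat}")
```

The first pattern also fails because the alert's command line starts with `wget`, not `/usr/bin/wget`; keeping the rest of the pattern as specific as the real command (rather than `wget.*`) limits the ignore to this one job instead of silencing every wget run by that user.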