SOLVED Hacking attempts using UID 1001

jeffschips

Well-Known Member
Jun 5, 2016
248
30
78
new york
cPanel Access Level
Root Administrator
Can someone unpack for me the meaning of the following:

Notice from CSF:
lfd on local.domain.com: Excessive processes running under user localhost

User:xxxxxxxx PID:28242 PPID:28000 Run Time:0(secs) Memory:250800(kb) RSS:22720(kb) exe:/opt/cpanel/ea-php73/root/usr/bin/php-cgi cmd:/opt/cpanel/ea-php73/root/usr/bin/php-cgi /home/xxxxxx/public_html/xxxxxxx.com/administrator/index.php

and in apache logs many entries:

[info] Executing "/home/xxxxxxxxxx/public_html/xxxxxxx.com/administrator/index.php" as UID 1001, GID 1003
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
9,881
1,539
313
cPanel Access Level
Root Administrator
Hey there! It's definitely not a hacking attempt, but just CSF letting you know that it thinks that user has too many processes running. We have additional details on how you can configure this option here:


Now, where it could get interesting is if the cPanel username you've xxxxxxx'd out is NOT user 1001 or 1003. Is that the case?
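
Added example, not part of the original thread and not cPanel or CSF code: one way to run the check described above, comparing the UID and GID in each Apache "Executing ... as UID" line against the account that owns the script's home directory. The log lines and passwd entries are constructed samples, and it assumes the directory name under /home is the account name.

```python
import re

# Constructed sample data (not from the thread): suexec-style log lines and
# passwd-format entries. Replace with your Apache log text and /etc/passwd.
SAMPLE_LOG = """\
[info] Executing "/home/alice/public_html/example.com/administrator/index.php" as UID 1001, GID 1003
[info] Executing "/home/alice/public_html/example.com/administrator/index.php" as UID 1001, GID 1003
[info] Executing "/home/bob/public_html/shop/index.php" as UID 1001, GID 1003
[info] Executing "/home/carol/public_html/index.php" as UID 1005, GID 1007
"""
SAMPLE_PASSWD = """\
alice:x:1001:1003::/home/alice:/bin/bash
bob:x:1002:1004::/home/bob:/bin/bash
"""

# Captures: full script path, account name (assumed = dir under /home), UID, GID.
LINE_RE = re.compile(r'Executing "(/home/([^/"]+)/[^"]*)" as UID (\d+), GID (\d+)')

def load_accounts(passwd_text):
    """Map account name -> (uid, gid) from passwd-format text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts

def audit(log_text, accounts):
    """Return (ok_count, mismatches); each mismatch is (path, owner, uid, gid, reason)."""
    ok, bad = 0, []
    for m in LINE_RE.finditer(log_text):
        path, owner = m.group(1), m.group(2)
        uid, gid = int(m.group(3)), int(m.group(4))
        expected = accounts.get(owner)
        if expected is None:
            bad.append((path, owner, uid, gid, "unknown account"))
        elif expected != (uid, gid):
            bad.append((path, owner, uid, gid, "expected UID %d, GID %d" % expected))
        else:
            ok += 1
    return ok, bad

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG, load_accounts(SAMPLE_PASSWD))
    print("%d executions ran as the owning account" % ok)
    for path, owner, uid, gid, reason in bad:
        print("MISMATCH %s owner=%s ran as %d:%d (%s)" % (path, owner, uid, gid, reason))
```

A mismatch means a script under one account's home directory ran with another account's identity, which is the case worth investigating; matching lines are ordinary per-user PHP execution.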
 

cPRex

Nope - that sounds normal to me. CSF is just touchy sometimes and thinks you shouldn't be using as many resources as you are. If the site is working well and not causing problems, you likely can just adjust the CSF notification and you'll be all set.
 

jeffschips

Pretty sure it was a bot as the link is to an admin login credential page for an application running on the server with repeated hits. Thanks for your help and stay safe and healthy.
 