SOLVED Hacking attemps using UID 1001

[jeffschips]

Can someone unpack for me the meaning of the following:

Notice from CSF:
lfd on local.domain.com: Excessive processes running under user localhost

User:xxxxxxxx PID:28242 PPID:28000 Run Time:0(secs) Memory:250800(kb) RSS:22720(kb) exe:/opt/cpanel/ea-php73/root/usr/bin/php-cgi cmd:/opt/cpanel/ea-php73/root/usr/bin/php-cgi /home/xxxxxx/public_html/xxxxxxx.com/administrator/index.php

and in apache logs many entries:

[info] Executing "/home/xxxxxxxxxx/public_html/xxxxxxx.com/administrator/index.php" as UID 1001, GID 1003

 

[cPRex]

Hey there! It's definitely not a hacking attempt, but just CSF letting you know that it thinks that user has too many processes running. We have additional details on how you can configure this option here:

Tutorial - CSF/LFD - Excessive Resource Usage - Process Time

Excessive Resource Usage - Process Time (PT_USERTIME) These are the notifications we see support requests for most commonly. These are emails sent to the administrator of the server due to excessive process time. While this can be a legitimate...

forums.cpanel.net

Now, where it could get interesting is if the cPanel username you've xxxxxxx'd out is NOT user 1001 or 1003. Is that the case?

 

[jeffschips]

Hello @cPRex and thanks for the information.

the xxxxxxx'd out is user 1001/1003 but so is my vpn user through which I connect to my server, so wondering if that's an issue.

 

[cPRex]

Nope - that sounds normal to me. CSF is just touchy sometimes and thinks you shouldn't be using as many resources as you are. If the site is working well and not causing problems, you likely can just adjust the CSF notification and you'll be all set.

 

[jeffschips]

Pretty sure it was a bot as the link is to an admin login credential page for an application running on the server with repeated hits. Thanks for your help and stay safe and healthy.

 

[cPRex]

You as well!