
lfd suspicious process /usr/bin/php

Discussion in 'General Discussion' started by jyt123, Aug 27, 2016.

  1. jyt123

    jyt123 Registered

    Today I got about 500 messages from CSF with this warning. My question: is 60986 actually a port, and if so, how can I block all the non-essential ports from opening connections? I have a regular server used for commercial web, email, FTP, etc., so I don't need too many ports, right? Right now I have edited the csf.pignore list so I don't get that message any longer.

    Server is CentOS 6.8, WHM 58.0.20.
    Code:
    
    tcp: xxx.xxx.xxx.xxx:60986 -> 104.25.xxx.xx:80
    
    Time:    Sat Aug 27 06:16:29 2016 -0400
    PID:     32079 (Parent PID:31768)
    Account: rexxxx
    Uptime:  110 seconds
    
    
    Executable:
    
    /usr/bin/php
    
    
    Command Line (often faked in exploits):
    
    /usr/bin/php /home/rexxxx/public_html/xmlrpc.php
    
    
    Network connections by the process (if any):
    
    tcp: xxx.xxx.xxx.xxx:60986 -> 104.25.xxx.xx:80
    
    
    Files open by the process (if any):
    
    
     
    #1 jyt123, Aug 27, 2016
    Last edited by a moderator: Aug 27, 2016
  2. rpvw

    rpvw Well-Known Member

    xmlrpc.php is a file often used by WordPress sites to handle remote procedure calls using XML to encode its calls.

    You can find more information here and here.
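
When several hundred of these alerts arrive at once, grouping them by account, script and remote endpoint shows what is generating them before anything is added to csf.pignore. The following is an added example, not part of the thread and not code from CSF/lfd: it parses alert bodies in the layout quoted in the first post and counts them per source. The sample alerts, account names and IP addresses are constructed, and the parser assumes the left side of `->` is the server's own address and port and the right side is the remote end.

```python
import re
from collections import Counter
# Constructed alert in the layout of the lfd report quoted in the thread.
# Account names and IPs (documentation ranges) are made up.
TEMPLATE = """Time:    Sat Aug 27 06:16:29 2016 -0400
PID:     {pid} (Parent PID:31768)
Account: {acct}
Uptime:  110 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php /home/{acct}/public_html/{script}

Network connections by the process (if any):

tcp: 192.0.2.10:{lport} -> {remote}

Files open by the process (if any):
"""
SAMPLE = [
    TEMPLATE.format(pid=32079, acct="acct1", script="xmlrpc.php", lport=60986, remote="198.51.100.7:80"),
    TEMPLATE.format(pid=32101, acct="acct1", script="xmlrpc.php", lport=41522, remote="198.51.100.7:80"),
    TEMPLATE.format(pid=32240, acct="acct2", script="index.php", lport=52200, remote="203.0.113.9:443"),
]
CONN = re.compile(r"^(\w+): (\S+):(\d+) -> (\S+):(\d+)$", re.M)

def parse_alert(text):
    """Extract account, PID, command line and connections from one alert body."""
    account = re.search(r"^Account:\s+(\S+)", text, re.M).group(1)
    pid = int(re.search(r"^PID:\s+(\d+)", text, re.M).group(1))
    cmd = re.search(r"^Command Line[^\n]*\n\s*\n(.+)$", text, re.M).group(1).strip()
    conns = [(m[1], m[2], int(m[3]), m[4], int(m[5])) for m in CONN.finditer(text)]
    return {"account": account, "pid": pid, "cmdline": cmd, "connections": conns}

def summarise(alerts):
    """Count alerts per (account, script, remote host:port), most frequent first."""
    counts = Counter()
    for a in map(parse_alert, alerts):
        script = a["cmdline"].split()[-1]  # last argument is the PHP script path
        for _proto, _laddr, _lport, raddr, rport in a["connections"]:
            counts[(a["account"], script, f"{raddr}:{rport}")] += 1
    return counts.most_common()

if __name__ == "__main__":
    print(*summarise(SAMPLE), sep="\n")
```

The command line in the alert is reported by the process itself (the alert labels it "often faked in exploits"), so the script path in the summary is a lead to check against the account's files and web logs, not proof of which file ran.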
     