lfd suspicious process /usr/bin/php

J

jyt123

Member
Nov 29, 2015
9
3
3
Canada
cPanel Access Level
Root Administrator
today I've got about 500 message from CSF with this warning, my question does the 60986 is actually a port, and if so how can I block all the none essential port to open connection, I have a regular server used for commercial web-email-ftp etc, so I don't need to many port, right? right now I edited the csf.pignore list so I don't have that message any longer.

server is CENTOS 6.8 WHM 58.0.20
Code: 
tcp: xxx.xxx.xxx.xxx:60986 -> 104.25.xxx.xx:80

Time:    Sat Aug 27 06:16:29 2016 -0400
PID:     32079 (Parent PID:31768)
Account: rexxxx
Uptime:  110 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/rexxxx/public_html/xmlrpc.php


Network connections by the process (if any):

tcp: xxx.xxx.xxx.xxx:60986 -> 104.25.xxx.xx:80


Files open by the process (if any):
 
Last edited by a moderator:
rpvw

rpvw

Well-Known Member
Jul 18, 2013
1,100
472
113
UK
cPanel Access Level
Root Administrator
xmlrpc.php is a file often used by WordPress sites to handle remote procedure calls using XML to encode its calls.

You can find more information here and here.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
Otávio Serra lfd - Suspicious process running under user nobody Security 5
eventtex LFD - Suspicious process running under user postgres Security 7
J lfd on server.com: Suspicious process running under user username Security 6
C LFD Suspicious process running under user Security 4
inteldigital LFD LiteSpeed notification: Suspicious process running under user nobody Security 3
Similar threads
lfd - Suspicious process running under user nobody
LFD - Suspicious process running under user postgres
lfd on server.com: Suspicious process running under user username
LFD Suspicious process running under user
LFD LiteSpeed notification: Suspicious process running under user nobody
Top Bottom