lfd suspicious process /usr/bin/php

jyt123

Member
Nov 29, 2015
9
3
3
Canada
cPanel Access Level
Root Administrator
today I've got about 500 message from CSF with this warning, my question does the 60986 is actually a port, and if so how can I block all the none essential port to open connection, I have a regular server used for commercial web-email-ftp etc, so I don't need to many port, right? right now I edited the csf.pignore list so I don't have that message any longer.

server is CENTOS 6.8 WHM 58.0.20
Code:
tcp: xxx.xxx.xxx.xxx:60986 -> 104.25.xxx.xx:80

Time:    Sat Aug 27 06:16:29 2016 -0400
PID:     32079 (Parent PID:31768)
Account: rexxxx
Uptime:  110 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/rexxxx/public_html/xmlrpc.php


Network connections by the process (if any):

tcp: xxx.xxx.xxx.xxx:60986 -> 104.25.xxx.xx:80


Files open by the process (if any):
 
Last edited by a moderator:

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator
xmlrpc.php is a file often used by WordPress sites to handle remote procedure calls using XML to encode its calls.

You can find more information here and here.