php-fpm Suspicious process running under user

athanasiusrc
cPanel Access Level: Root Administrator
I've seen other threads mention this notice and how to disable it. My question is, how do I know this is something I can disregard and that it isn't a security problem? We weren't getting this error until last night and now we're getting it almost every minute.
Code:
Time:    Mon Jul  1 10:19:16 2019 -0600
PID:     15384 (Parent PID:27713)
Account: -------
Uptime:  122 seconds

Executable:
/opt/cpanel/ea-php72/root/usr/sbin/php-fpm

Command Line (often faked in exploits):
php-fpm: pool ---------_com

Network connections by the process (if any):
tcp: Removed:36104 -> Removed:443

Files open by the process (if any):
/dev/null
/tmp/.ZendSem.t8mCpN (deleted)
/dev/urandom
 

cPanelMichael
Technical Support Community Manager, Staff member
cPanel Access Level: DataCenter Provider
My question is, how do I know this is something I can disregard and that it isn't a security problem?
Hello @athanasiusrc,

A background in System Administration (specific to Security) is generally recommended to investigate and assess notifications like this. While you could point to the name of the files seen in the output and conclude it's a false positive based on similar reports, you must also consider that exploits are sometimes designed from the standpoint of "make the detection of this exploit resemble what's often seen in false positives".

Specific to this topic, the discussion on the following thread should help:

SOLVED - Entry in Mod Security Log question

Additionally, while CSF can help, you may want to consider using an application such as Imunify360 (or the free ImunifyAV version):

Imunify360 - home

Thank you.
 

garconcn
Well-Known Member
Looks like your PHP script was connecting to a remote IP on port 443. You may use whois to find the provider of the remote IP. E.g., if you have the WordPress Updraft plugin, it will make a backup on your server and send the backup to a remote IP. In this case, it's legitimate.

tcp: Removed:36104 -> Removed:443
 

garconcn
Well-Known Member
Modify /etc/csf/csf.pignore and add

Code:
pexe:/opt/cpanel/ea-php.*/root/usr/sbin/php-fpm
or ignore the user

Code:
user:username
Then restart csf

Code:
csf -ra
Doing this you might miss a real suspicious process. So, it's better to just ignore the warning.
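The two points the replies above make, that the Command Line in an lfd alert is easy to fake while the executable path is what the alert really keys on, and that a `pexe:` entry in csf.pignore is a regular expression (lfd uses Perl regex and does not anchor it) rather than a shell glob, can be checked on the box before an ignore rule is added. The following POSIX shell script is an added example written for this thread; it is not csf/lfd code. The PID 15384 and the path /opt/cpanel/ea-php72/root/usr/sbin/php-fpm come from the alert posted above; the function names and the anchored pattern in the usage line are this example's own choices, and `grep -E` is used as a stand-in for lfd's Perl regex, so keep patterns to syntax both understand.

```shell
#!/bin/sh
# Added example for this thread, not csf/lfd code. It shows what to verify
# before dropping an ignore rule into /etc/csf/csf.pignore: lfd's alert keys
# on the real executable (/proc/PID/exe), while the "Command Line" field is
# whatever the process wrote into argv and is therefore easy to fake.

# Real executable behind a PID, read from /proc (Linux only). A binary that
# was deleted or replaced on disk shows up with a " (deleted)" suffix.
proc_exe() {
    pid=$1
    [ -r "/proc/$pid/exe" ] || return 1
    readlink "/proc/$pid/exe"
}

# Does one csf.pignore entry cover this executable path? Prints "match" or
# "no-match". Only the two executable-based entry types are handled:
#   exe:/full/path   exact string compare
#   pexe:regex       regular expression (lfd uses Perl regex and does not
#                    anchor it; grep -E stands in for it here)
pignore_match() {
    entry=$1; path=$2
    case $entry in
        exe:*)
            [ "${entry#exe:}" = "$path" ] && echo match || echo no-match ;;
        pexe:*)
            printf '%s\n' "$path" | grep -Eq -- "${entry#pexe:}" \
                && echo match || echo no-match ;;
        *)
            echo no-match ;;
    esac
}

# Triage a PID from an lfd "Suspicious process" alert against the entry you
# intend to add. Shows the real executable, the (untrusted) cmdline and the
# TCP connections so the decision rests on more than the process name.
triage_pid() {
    pid=$1; entry=$2
    exe=$(proc_exe "$pid") || { echo "PID $pid: cannot read /proc/$pid/exe (gone, or not root)"; return 1; }
    echo "PID $pid real executable : $exe"
    echo "cmdline (can be faked)   : $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "covered by '$entry'      : $(pignore_match "$entry" "$exe")"
    case $exe in
        *"(deleted)") echo "WARNING: executable no longer on disk, do not add an ignore for it" ;;
    esac
    # ss is from iproute2; -p only names other users' processes when run as root
    command -v ss >/dev/null 2>&1 && ss -tnp 2>/dev/null | grep "pid=$pid," || true
}

# Usage (PID from the alert above; pattern anchored so it cannot match a copy
# of the binary placed under some other directory):
#   triage_pid 15384 'pexe:^/opt/cpanel/ea-php[0-9]+/root/usr/sbin/php-fpm$'
```

Because lfd does not anchor `pexe:` patterns, an entry such as `pexe:/opt/cpanel/ea-php.*/root/usr/sbin/php-fpm` also covers `/home/someuser/opt/cpanel/ea-php72/root/usr/sbin/php-fpm`, which is exactly the kind of look-alike the first reply warns about; anchoring with `^` and `$` closes that gap. Note that in the posted alert the "(deleted)" marker sits on an open file (`/tmp/.ZendSem.*`, a semaphore left by the Zend extension), not on the executable itself, which is the distinction the triage output is meant to make visible.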