php-fpm Suspicious process running under user

A

athanasiusrc

Registered
Jul 1, 2019
3
0
1
CO
cPanel Access Level
Root Administrator
I've seen other threads mention this notice and how to disable it. My question is, how do I know this is something I can disregard and that it isn't a security problem? We weren't getting this error until last night and now we're getting it almost every minute.
Code: 
Time:    Mon Jul  1 10:19:16 2019 -0600

PID:     15384 (Parent PID:27713)

Account: -------

Uptime:  122 seconds



Executable:


/opt/cpanel/ea-php72/root/usr/sbin/php-fpm



Command Line (often faked in exploits):


php-fpm: pool ---------_com



Network connections by the process (if any):


tcp: Removed:36104 -> Removed:443



Files open by the process (if any):


/dev/null

/tmp/.ZendSem.t8mCpN (deleted)

/dev/urandom
 
Last edited by a moderator:
C

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
athanasiusrc said:
My question is, how do I know this is something I can disregard and that it isn't a security problem?
Click to expand...
Hello @athanasiusrc,

A background in System Administration (specific to Security) is generally recommended to investigate and assess notifications like this. While you could point to the name of the files seen in the output and conclude it's a false positive based on similar reports, you must also consider that exploits are sometimes designed from the standpoint of "make the detection of this exploit resemble what's often seen in false positives".

Specific to this topic, the discussion on the following thread should help:

SOLVED - Entry in Mod Security Log question

Additionally, while CSF can help, you may want to consider using an application such as Immunify360 (or the free ImmunifyAV version):

Imunify360 - home

Thank you.
 
G

garconcn

Well-Known Member
Oct 29, 2009
157
12
68
Looks like your PHP script was connecting to a remote IP on port 443, you may use whois to find the provider of the remote IP. eg: if you have wordpress updraft plugin, it will make a backup on your server and send the backup to remote IP. In this case, it's legitimate.

tcp: Removed:36104 -> Removed:443
Click to expand...
 
G

garconcn

Well-Known Member
Oct 29, 2009
157
12
68
Modify /etc/csf/csf.pignore and add

Code: 
pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
or ignore user

Code: 
user:username
Then restart csf

Code: 
csf -ra
Doing this you might miss real suspicious process. So, it's better just ignore the warning
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
M SOLVED mod_userdir needs to be disabled if running PHP-FPM? Security 2
S Running PHP-FPM as a different user Security 6
I open connection by php-fpm to suspicious IP - lfd Security 2
U php-fpm allows phpsysinfo? Security 8
M Disable functions for a particular user in a PHP-FPM pool Security 6
Similar threads
SOLVED mod_userdir needs to be disabled if running PHP-FPM?
Running PHP-FPM as a different user
open connection by php-fpm to suspicious IP - lfd
php-fpm allows phpsysinfo?
Disable functions for a particular user in a PHP-FPM pool
Top Bottom