php-fpm Suspicious process running under user

A

athanasiusrc

Registered
Jul 1, 2019
3
0
1
CO
cPanel Access Level
Root Administrator
I've seen other threads mention this notice and how to disable it. My question is, how do I know this is something I can disregard and that it isn't a security problem? We weren't getting this error until last night and now we're getting it almost every minute.
Code: 
Time:    Mon Jul  1 10:19:16 2019 -0600

PID:     15384 (Parent PID:27713)

Account: -------

Uptime:  122 seconds



Executable:


/opt/cpanel/ea-php72/root/usr/sbin/php-fpm



Command Line (often faked in exploits):


php-fpm: pool ---------_com



Network connections by the process (if any):


tcp: Removed:36104 -> Removed:443



Files open by the process (if any):


/dev/null

/tmp/.ZendSem.t8mCpN (deleted)

/dev/urandom
 
Last edited by a moderator:
cPanelMichael

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,749
2,205
363
cPanel Access Level
DataCenter Provider
Twitter
athanasiusrc said:
My question is, how do I know this is something I can disregard and that it isn't a security problem?
Click to expand...
Hello @athanasiusrc,

A background in System Administration (specific to Security) is generally recommended to investigate and assess notifications like this. While you could point to the name of the files seen in the output and conclude it's a false positive based on similar reports, you must also consider that exploits are sometimes designed from the standpoint of "make the detection of this exploit resemble what's often seen in false positives".

Specific to this topic, the discussion on the following thread should help:

SOLVED - Entry in Mod Security Log question

Additionally, while CSF can help, you may want to consider using an application such as Immunify360 (or the free ImmunifyAV version):

Imunify360 - home

Thank you.
 
G

garconcn

Well-Known Member
Oct 29, 2009
147
7
68
Looks like your PHP script was connecting to a remote IP on port 443, you may use whois to find the provider of the remote IP. eg: if you have wordpress updraft plugin, it will make a backup on your server and send the backup to remote IP. In this case, it's legitimate.

tcp: Removed:36104 -> Removed:443
Click to expand...
 
G

garconcn

Well-Known Member
Oct 29, 2009
147
7
68
Modify /etc/csf/csf.pignore and add

Code: 
pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm
or ignore user

Code: 
user:username
Then restart csf

Code: 
csf -ra
Doing this you might miss real suspicious process. So, it's better just ignore the warning
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
T child exit/start entries in PHP-FPM logs General Discussion 5
A SOLVED Apache crashing when using PHP-FPM EasyApache 4
W PHP-FPM Log File Default Timezone EasyApache 5
R Timeout errors with php-fpm php script EasyApache 1
I open connection by php-fpm to suspicious IP - lfd Security 2
Similar threads
child exit/start entries in PHP-FPM logs
SOLVED Apache crashing when using PHP-FPM
PHP-FPM Log File Default Timezone
Timeout errors with php-fpm php script
open connection by php-fpm to suspicious IP - lfd
Top Bottom