Suspicious process running under <user id>

Discussion in 'Security' started by Zabidin, Mar 11, 2016.

  1. Zabidin

    Zabidin Well-Known Member

    cPanel Access Level:
    Root Administrator
    Hi,

    Most of our clients use WordPress for their websites, so we have received notifications like the one below:

    Code:
    Network connections by the process (if any):
    
    tcp: 42.10.xxx.xxx:55395 -> 66.155.40.186:443
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    00400000-00d0d000 r-xp 00000000 ca:01 17827637 /usr/bin/php
    00f0c000-00fd1000 rw-p 0090c000 ca:01 17827637 /usr/bin/php
    00fd1000-00ff4000 rw-p 00000000 00:00 0
    02752000-02d4d000 rw-p 00000000 00:00 0 [heap]
    7fd13f461000-7fd13f565000 rw-p 00000000 00:00 0
    7fd13f571000-7fd13f940000 rw-p 00000000 00:00 0
    7fd13f950000-7fd13ffa9000 rw-p 00000000 00:00 0
    7fd13ffda000-7fd140348000 rw-p 00000000 00:00 0
    7fd14034b000-7fd140616000 rw-p 00000000 00:00 0
    7fd14063c000-7fd1406fd000 r--s 00000000 ca:01 11454221 /var/db/nscd/hosts
    7fd1406fd000-7fd140703000 r-xp 00000000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fd140703000-7fd140903000 ---p 00006000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fd140903000-7fd140904000 rw-p 00006000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fd140904000-7fd1409bc000 r-xp 00000000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fd1409bc000-7fd140bbb000 ---p 000b8000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fd140bbb000-7fd140bc0000 rw-p 000b7000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fd140bc0000-7fd140bd6000 r-xp 00000000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fd140bd6000-7fd140dd6000 ---p 00016000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fd140dd6000-7fd140dd9000 rw-p 00016000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fd140dd9000-7fd140ee9000 r-xp 00000000 ca:01 18612460 /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fd140ee9000-7fd140fe8000 ---p 00110000 ca:01 18612460 /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fd140fe8000-7fd140ff8000 rw-p 0010f000 ca:01 18612460 /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fd140ff8000-7fd140ffb000 rw-p 00000000 00:00 0 
    When we check, it points to the hostname wordpress.org. We have many clients that receive notifications like this. Is there any way to add it to lfd in bulk? Please advise.

    Thanks.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    To clarify, are you attempting to block connections from your server to the WordPress servers? Would this prevent your customers from updating their WordPress installations?

    Thank you.
     