Suspicious process running under <user id>

Discussion in 'Security' started by Zabidin, Mar 11, 2016.

  1. Zabidin

    Zabidin Active Member

    Hi,

    Most of our clients are using WordPress for their websites, so we have received notifications as per below:

    Code:
    Network connections by the process (if any):
    
    tcp: 42.10.xxx.xxx:55395 -> 66.155.40.186:443
    
    
    Files open by the process (if any):
    
    
    
    Memory maps by the process (if any):
    
    00400000-00d0d000 r-xp 00000000 ca:01 17827637 /usr/bin/php
    00f0c000-00fd1000 rw-p 0090c000 ca:01 17827637 /usr/bin/php
    00fd1000-00ff4000 rw-p 00000000 00:00 0
    02752000-02d4d000 rw-p 00000000 00:00 0 [heap]
    7fd13f461000-7fd13f565000 rw-p 00000000 00:00 0
    7fd13f571000-7fd13f940000 rw-p 00000000 00:00 0
    7fd13f950000-7fd13ffa9000 rw-p 00000000 00:00 0
    7fd13ffda000-7fd140348000 rw-p 00000000 00:00 0
    7fd14034b000-7fd140616000 rw-p 00000000 00:00 0
    7fd14063c000-7fd1406fd000 r--s 00000000 ca:01 11454221 /var/db/nscd/hosts
    7fd1406fd000-7fd140703000 r-xp 00000000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fd140703000-7fd140903000 ---p 00006000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fd140903000-7fd140904000 rw-p 00006000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_mysql.so
    7fd140904000-7fd1409bc000 r-xp 00000000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fd1409bc000-7fd140bbb000 ---p 000b8000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fd140bbb000-7fd140bc0000 rw-p 000b7000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo_sqlite.so
    7fd140bc0000-7fd140bd6000 r-xp 00000000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fd140bd6000-7fd140dd6000 ---p 00016000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fd140dd6000-7fd140dd9000 rw-p 00016000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/pdo.so
    7fd140dd9000-7fd140ee9000 r-xp 00000000 ca:01 18612460 /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fd140ee9000-7fd140fe8000 ---p 00110000 ca:01 18612460 /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fd140fe8000-7fd140ff8000 rw-p 0010f000 ca:01 18612460 /usr/local/IonCube/ioncube_loader_lin_5.4.so
    7fd140ff8000-7fd140ffb000 rw-p 00000000 00:00 0 
    When we check, it points to the hostname wordpress.org. We have so many clients that receive notifications like this. Is there any way to add it to lfd in bulk? Please advise.

    Thanks.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    To clarify, are you attempting to block connections from your server to the WordPress servers? Would this prevent your customers from updating their WordPress installations?

    Thank you.
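
An added example (not from either poster, and not part of csf/lfd): before deciding on any bulk ignore rule, alerts like the one in the first post can be grouped by remote endpoint so that only destinations not yet reviewed need a manual look. The function names, the second alert and the `REVIEWED` set are constructed for illustration; the parser assumes the alert layout shown in the first post.

```python
import re
from collections import Counter

# Connection lines as they appear in the alert, e.g.
#   tcp: 42.10.xxx.xxx:55395 -> 66.155.40.186:443
# The local side may be masked, so it is matched loosely.
CONN_RE = re.compile(r"^\s*(\w+):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$", re.M)
# First executable (r-xp) file mapping in the memory-map section.
EXE_RE = re.compile(r"^\s*[0-9a-f]+-[0-9a-f]+ r-xp \S+ \S+ \d+\s+(/\S+)", re.M)

def remote_endpoints(alert_text):
    """Return [(proto, remote_ip, remote_port)] for one alert body."""
    return [(m.group(1), m.group(4), int(m.group(5)))
            for m in CONN_RE.finditer(alert_text)]

def executable(alert_text):
    """Return the path of the first executable mapping, or None."""
    m = EXE_RE.search(alert_text)
    return m.group(1) if m else None

def triage(alerts, reviewed):
    """Count remote endpoints and split alerts into already-reviewed
    destinations versus ones that still need a manual look."""
    counts, known, unknown = Counter(), [], []
    for text in alerts:
        eps = remote_endpoints(text)
        counts.update((ip, port) for _, ip, port in eps)
        ok = bool(eps) and all((ip, port) in reviewed for _, ip, port in eps)
        (known if ok else unknown).append((executable(text), eps))
    return counts, known, unknown

# Constructed sample input: alert A is trimmed from the first post,
# alert B is invented (203.0.113.0/24 is a documentation range).
ALERT_A = """Network connections by the process (if any):

tcp: 42.10.xxx.xxx:55395 -> 66.155.40.186:443

Memory maps by the process (if any):

00400000-00d0d000 r-xp 00000000 ca:01 17827637 /usr/bin/php
"""
ALERT_B = ALERT_A.replace("55395 -> 66.155.40.186:443", "40112 -> 203.0.113.7:8080")
# Assumption: the endpoint the poster reports as resolving to wordpress.org.
REVIEWED = {("66.155.40.186", 443)}

if __name__ == "__main__":
    counts, known, unknown = triage([ALERT_A, ALERT_A, ALERT_B], REVIEWED)
    for (ip, port), n in counts.most_common():
        print(f"{n:3d}  {ip}:{port}")
    print("needs review:", unknown)
```

An alert with no parsed connection lands in the "needs review" list rather than being treated as known.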
     