Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Suspicious process running under <user id>

Discussion in 'Security' started by Zabidin, Mar 11, 2016.

  1. Zabidin

    Zabidin Well-Known Member

    Jan 6, 2016
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator

    Most of our client using wordpress for their website. So we have receive notification as per belows:

    Network connections by the process (if any):
    tcp: ->
    Files open by the process (if any):
    Memory maps by the process (if any):
    00400000-00d0d000 r-xp 00000000 ca:01 17827637 /usr/bin/php
    00f0c000-00fd1000 rw-p 0090c000 ca:01 17827637 /usr/bin/php
    00fd1000-00ff4000 rw-p 00000000 00:00 0
    02752000-02d4d000 rw-p 00000000 00:00 0 [heap]
    7fd13f461000-7fd13f565000 rw-p 00000000 00:00 0
    7fd13f571000-7fd13f940000 rw-p 00000000 00:00 0
    7fd13f950000-7fd13ffa9000 rw-p 00000000 00:00 0
    7fd13ffda000-7fd140348000 rw-p 00000000 00:00 0
    7fd14034b000-7fd140616000 rw-p 00000000 00:00 0
    7fd14063c000-7fd1406fd000 r--s 00000000 ca:01 11454221 /var/db/nscd/hosts
    7fd1406fd000-7fd140703000 r-xp 00000000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140703000-7fd140903000 ---p 00006000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140903000-7fd140904000 rw-p 00006000 ca:01 18481195 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140904000-7fd1409bc000 r-xp 00000000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd1409bc000-7fd140bbb000 ---p 000b8000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140bbb000-7fd140bc0000 rw-p 000b7000 ca:01 18481200 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140bc0000-7fd140bd6000 r-xp 00000000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140bd6000-7fd140dd6000 ---p 00016000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140dd6000-7fd140dd9000 rw-p 00016000 ca:01 18481193 /usr/local/lib/php/extensions/no-debug-non-zts-20100525/
    7fd140dd9000-7fd140ee9000 r-xp 00000000 ca:01 18612460 /usr/local/IonCube/
    7fd140ee9000-7fd140fe8000 ---p 00110000 ca:01 18612460 /usr/local/IonCube/
    7fd140fe8000-7fd140ff8000 rw-p 0010f000 ca:01 18612460 /usr/local/IonCube/
    7fd140ff8000-7fd140ffb000 rw-p 00000000 00:00 0 
    When we check it's point to hostname We have so many client that receive like this. Is there anyway to adding it on lfd with bulk? Please advice.

  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Hello :)

    To clarify, are you attempting to block connections from your server to the WordPress servers? Would this prevent your customers from updating their WordPress installations?

    Thank you.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice