Suspicious process running under user

popeye

Well-Known Member
May 23, 2013
368
2
18
Texas
cPanel Access Level
Root Administrator
Hi could someone please tell me what this means below, i have started getting 100s a day not sure why

PID: 6749 (Parent PID:1287)
Account: veg
Uptime: 229809 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/veg/public_html/index.php
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours.

The script running is their index.php on their site.

I would go into the process manager in WHM and kill that process...
 

popeye

Well-Known Member
May 23, 2013
368
2
18
Texas
cPanel Access Level
Root Administrator
In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours.

The script running is their index.php on their site.

I would go into the process manager in WHM and kill that process...


Thanks i have just killed, but wont it come back again if its a bad script ?
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
Well, ssh into the server and open the file and look at it... What software is the site running, like joomla, wordpress, or ???...
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
Take a look into the wp-content/plugins directory and see what may of been added... this will only who what plugins were installed, not necessarily which ones are actually enabled.

Also, one the bottom of those emails there is sometime a section that lists the "Network connections by the process". This sometimes help determine what the issue is. We usually see this if the website is pulling RSS feeds or connecting to something else.
 

popeye

Well-Known Member
May 23, 2013
368
2
18
Texas
cPanel Access Level
Root Administrator
Hi i sent an email to this customer telling them they need to get there site looked at,

And also had this one below today for another customer, Its only this server i get them off all my others i never get any.

/usr/local/cpanel/3rdparty/perl/514/bin/perl
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,203
363
Hello :)

Please keep in mind this notification is from the third-party application you have installed (CSF/LFD) and is not an alert directly from cPanel. You can find several other posts asking about this particular alert. EX:

LFD - Suspicious Process

Thank you.