Suspicious process running under user

Discussion in 'General Discussion' started by popeye, Feb 22, 2014.

  1. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Hi, could someone please tell me what this means below? I have started getting 100s a day, not sure why.

    PID: 6749 (Parent PID:1287)
    Account: veg
    Uptime: 229809 seconds

    Executable:
    /usr/bin/php

    Command Line (often faked in exploits):
    /usr/bin/php /home/veg/public_html/index.php
     
  2. robb3369

    robb3369 Well-Known Member

    Joined:
    Mar 1, 2008
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours.

    The script running is their index.php on their site.

    I would go into the process manager in WHM and kill that process...
     
  3. popeye

    Thanks, I have just killed it, but won't it come back again if it's a bad script?
     
  4. robb3369

    I would investigate WHY it was running... but just keep an eye on it.
     
  5. popeye

    Not really sure how to investigate it, but will keep an eye on it.
     
  6. robb3369

    Well, SSH into the server and open the file and look at it... What software is the site running, like Joomla, WordPress, or ???...
     
  7. popeye

    It's running WordPress.
     
  8. robb3369

    Take a look into the wp-content/plugins directory and see what may have been added... this will only show what plugins were installed, not necessarily which ones are actually enabled.

    Also, on the bottom of those emails there is sometimes a section that lists the "Network connections by the process". This sometimes helps determine what the issue is. We usually see this if the website is pulling RSS feeds or connecting to something else.
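
One way to carry out the wp-content/plugins check suggested above, as an added example that is not part of the original post: it flags PHP files whose modification time is well after the rest of their plugin, which is how a file added later stands out. The function names, the 7-day threshold and the sample tree are assumptions constructed for illustration.

```python
import os
import statistics
import tempfile
import time

DAY = 86400

def php_mtimes(plugins_dir):
    """Map each plugin (first path component) to [(mtime, relative_path), ...]."""
    by_plugin = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, plugins_dir)
                entry = (os.lstat(full).st_mtime, rel)
                by_plugin.setdefault(rel.split(os.sep)[0], []).append(entry)
    return by_plugin

def late_additions(plugins_dir, gap_days=7):
    """Return (path, days_late) for PHP files modified more than gap_days after
    their plugin's median mtime. Files unpacked at install time share roughly
    one mtime; mtimes can be forged, so an empty result proves nothing."""
    flagged = []
    for _plugin, entries in sorted(php_mtimes(plugins_dir).items()):
        median = statistics.median(m for m, _ in entries)
        flagged += [(rel, round((m - median) / DAY))
                    for m, rel in sorted(entries) if m - median > gap_days * DAY]
    return flagged

def build_sample_tree(root):
    """Constructed sample: plugin installed 90 days ago, one file written 2 days ago."""
    now = time.time()
    ages = {"forms/forms.php": 90, "forms/inc/admin.php": 90,
            "forms/inc/render.php": 90, "forms/inc/cache.php": 2}
    plugins = os.path.join(root, "wp-content", "plugins")
    for rel, age_days in ages.items():
        path = os.path.join(plugins, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")
        os.utime(path, (now - age_days * DAY,) * 2)
    return plugins

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, days in late_additions(build_sample_tree(tmp)):
            print(f"{rel}: modified ~{days} days after the rest of its plugin")
```

On a real account, point `late_additions` at the site's own plugins directory (here that would be under /home/veg/public_html) and read each flagged file before deciding anything; a legitimate plugin update also changes mtimes.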
     
  9. popeye

    Hi, I sent an email to this customer telling them they need to get their site looked at.

    And also had this one below today for another customer. It's only this server I get them off, all my others I never get any.

    /usr/local/cpanel/3rdparty/perl/514/bin/perl
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please keep in mind this notification is from the third-party application you have installed (CSF/LFD) and is not an alert directly from cPanel. You can find several other posts asking about this particular alert. EX:

    LFD - Suspicious Process

    Thank you.
     
  11. popeye

    Thanks very much
     