Suspicious process running under user

popeye

Well-Known Member
May 23, 2013
364
2
18
Texas
cPanel Access Level
Root Administrator
Hi, could someone please tell me what this means below? I have started getting 100s a day, not sure why.

PID: 6749 (Parent PID:1287)
Account: veg
Uptime: 229809 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php /home/veg/public_html/index.php
 

robb3369

Well-Known Member
Mar 1, 2008
122
0
66
cPanel Access Level
Root Administrator
In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours.

The script running is their index.php on their site.

I would go into the process manager in WHM and kill that process...
 

popeye

Thanks, I have just killed it, but won't it come back again if it's a bad script?
 

robb3369

Well, SSH into the server and open the file and look at it... What software is the site running, like Joomla, WordPress, or ???...
 

robb3369

Take a look into the wp-content/plugins directory and see what may have been added... This will only show what plugins were installed, not necessarily which ones are actually enabled.

Also, on the bottom of those emails there is sometimes a section that lists the "Network connections by the process". This sometimes helps determine what the issue is. We usually see this if the website is pulling RSS feeds or connecting to something else.
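
One way to script the checks suggested in this thread, added here as an example (not posted by any participant and not cPanel's own code): it compares the executable the kernel recorded for the PID with the command line the process reports, lists the PID's network connections, and finds recently modified PHP files under a directory such as wp-content/plugins. The function names, the PROC_ROOT override and the 7-day default are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage a PID named in a "suspicious process" alert.
# PROC_ROOT is overridable so the functions can be exercised on a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Executable the kernel recorded vs. the command line the process itself reports.
proc_identity() {
    exe=$(readlink "$PROC_ROOT/$1/exe") || return 1
    cmd=$(tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//')
    printf 'exe=%s\ncmdline=%s\n' "$exe" "$cmd"
}

# Returns 0 when argv[0] names the same binary as the exe link.
# A mismatch is a hint to look closer, not proof: some daemons retitle themselves.
argv0_matches_exe() {
    exe=$(readlink "$PROC_ROOT/$1/exe") || return 2
    argv0=$(tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" | head -n 1)
    [ "$(basename -- "${exe% (deleted)}")" = "$(basename -- "$argv0")" ]
}

# Sockets owned by the PID (run as root to see other users' processes).
proc_connections() {
    ss -tunp 2>/dev/null | grep -F "pid=$1," || true
}

# PHP files under a directory modified within the last N days.
recent_php_changes() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# Usage: ./triage.sh PID [DIR] [DAYS]
if [ "$#" -ge 1 ]; then
    proc_identity "$1"
    argv0_matches_exe "$1" || echo "note: argv[0] differs from the real executable"
    echo "elapsed_seconds=$(ps -o etimes= -p "$1" | tr -d ' ')"
    proc_connections "$1"
    if [ -n "${2:-}" ]; then
        recent_php_changes "$2" "${3:-7}"
    fi
fi
```

For the alert in the first post this would be run as root with the PID and the account's plugin directory, for example `./triage.sh 6749 /home/veg/public_html/wp-content/plugins` (the script name is hypothetical).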
 

popeye

Hi, I sent an email to this customer telling them they need to get their site looked at.

And also had this one below today for another customer. It's only this server I get them off; all my others I never get any.

/usr/local/cpanel/3rdparty/perl/514/bin/perl