Suspicious process running under user

popeye · Feb 22, 2014

Hi could someone please tell me what this means below, i have started getting 100s a day not sure why

PID: 6749 (Parent PID:1287)
Account: veg
Uptime: 229809 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php /home/veg/public_html/index.php

robb3369 · Feb 22, 2014

In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours.

The script running is their index.php on their site.

I would go into the process manager in WHM and kill that process...

popeye · Feb 22, 2014

robb3369 said:
In a nutshell, you have a user account (veg) that has a process running for 229,809 seconds = 3830.2 min = 63.8 hours.

The script running is their index.php on their site.

I would go into the process manager in WHM and kill that process...

Thanks i have just killed, but wont it come back again if its a bad script ?

robb3369 · Feb 22, 2014

I would investigate WHY is was running... but just keep an eye on it.

popeye · Feb 22, 2014

robb3369 said:
I would investigate WHY is was running... but just keep an eye on it.

Not really sure how to investigate it, but will keep an eye on it

robb3369 · Feb 22, 2014

Well, ssh into the server and open the file and look at it... What software is the site running, like joomla, wordpress, or ???...

popeye · Feb 22, 2014

Its running Wordpress

robb3369 · Feb 22, 2014

Take a look into the wp-content/plugins directory and see what may of been added... this will only who what plugins were installed, not necessarily which ones are actually enabled.

Also, one the bottom of those emails there is sometime a section that lists the "Network connections by the process". This sometimes help determine what the issue is. We usually see this if the website is pulling RSS feeds or connecting to something else.

popeye · Feb 23, 2014

Hi i sent an email to this customer telling them they need to get there site looked at,

And also had this one below today for another customer, Its only this server i get them off all my others i never get any.

/usr/local/cpanel/3rdparty/perl/514/bin/perl

cPanelMichael · Feb 24, 2014

Hello

Please keep in mind this notification is from the third-party application you have installed (CSF/LFD) and is not an alert directly from cPanel. You can find several other posts asking about this particular alert. EX:

LFD - Suspicious Process

Thank you.

popeye · Feb 24, 2014

Thanks very much

Thread starter	Similar threads	Forum	Replies	Date
	lfd - Suspicious process running under user nobody	Security	5	Oct 27, 2022
	LFD - Suspicious process running under user postgres	Security	7	May 30, 2022
J	lfd on server.com: Suspicious process running under user username	Security	6	May 2, 2022
D	Suspicious process running under user *	Security	1	Nov 19, 2021
C	LFD Suspicious process running under user	Security	4	Nov 13, 2021

Search

Search

Suspicious process running under user

popeye

Well-Known Member

robb3369

Well-Known Member

popeye

Well-Known Member

robb3369

Well-Known Member

popeye

Well-Known Member

robb3369

Well-Known Member

popeye

Well-Known Member

robb3369

Well-Known Member

popeye

Well-Known Member

cPanelMichael

Administrator

popeye

Well-Known Member