
Suspicious process running under user

Discussion in 'Security' started by Alain Bensimon, Apr 23, 2017.

  1. Alain Bensimon

    Joined:
    Apr 23, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Canada
    cPanel Access Level:
    Root Administrator
    Hello,
    I have a server with CentOS 7.4.
    My firewall gives me the messages below.
    I run maldet and erase all the threats, and a few days later it comes back.
    I don't know how to prevent these threats.
    Thank you
    --------------------------------------------------------


    Suspicious process running under user... (always different users)
    Executable:

    /opt/cpanel/ea-php56/root/usr/bin/php-cgi

    Command Line (often faked in exploits):

    /opt/cpanel/ea-php56/root/usr/bin/php-cgi

    Network connections by the process (if any):

    tcp: 192.99.39.58:60352 -> 69.30.221.50:80

    Files open by the process (if any):

    /var/cpanel/locale/en.cdb
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    569
    Likes Received:
    40
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    The path is valid. It's not a suspicious process, so you have to add this path to the firewall ignore list.
    Please check the same post
    Suspicious process running under
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,427
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  4. Alain Bensimon

    Even if the path is valid, I don't think it's legit. I don't understand why accounts would start to launch a bunch of requests.
     
  5. cPanelMichael

    Hello,

    Were you able to review my previous response regarding this issue (it's after the initial response you received from another user)?

    Thank you.
     
  6. Alain Bensimon

    I did, but weirdly the users which are making these connections are not using WordPress.
    I'm really lost and don't know what to do.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You will sometimes see this type of activity when a PHP script is making a connection to an update server for automatic updates to the script.

    You can review the PHP files uploaded to the account referenced in the notification to see if it's using any specific PHP scripts that make outgoing connections to the referenced IP address. You may also want to reach out to the individual account holder to request information about the activity.

    If you require additional help, you can find a list of system administration services on the following URL:

    System Administration Services | cPanel Forums

    Thank you.
     
  8. Alain Bensimon

    Actually, these scripts are launched from users that don't even have any activity besides email. No website or anything else. And the scripts start multiple processes with the same user, all targeting the same IP.
    And if I suspend the user, a few hours later it starts with another user.
    I also had some who were sending spam, but I disabled mail in PHP so I don't have this problem anymore.
    I am convinced that it's malicious, but I just don't know how to get rid of it.
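The checks cPanelMichael's reply asks for (find the PHP under the account that talks to the IP in the alert) and the situation Alain describes afterwards (accounts with nothing but email, several php-cgi processes per user, the activity reappearing under a different user once one is suspended), as an added triage script. It is not part of the thread and not cPanel's or CSF's own tooling. It assumes bash, GNU coreutils/findutils/grep, iproute2 `ss`, cPanel's /home/<user> layout and root access; the function names are mine, and the usage line at the bottom is a constructed example. The point of reading /proc rather than the alert text is that the alert's "Command Line" is argv, which a script can rewrite, while /proc/<pid>/exe, cwd and the CGI environment (SCRIPT_FILENAME) are set by the kernel and the web server; and a whitelisted executable path only says which interpreter ran, not which script it was handed, so the search looks for PHP open tags in every file instead of trusting extensions.

```bash
#!/usr/bin/env bash
# Added triage helpers for a "Suspicious process running under user" alert.
# Assumptions (mine, not from the thread): bash, GNU coreutils/findutils/grep,
# iproute2 'ss', cPanel's /home/<user> layout. Run as root on the live server.
set -u

# What is PID really running? The alert's "Command Line" comes from argv, which
# a script can overwrite; /proc/<pid>/exe, cwd and environ cannot be. For
# php-cgi the web server passes the real script path in SCRIPT_FILENAME.
inspect_pid() {
  local pid=$1
  [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
  echo "owner : $(stat -c '%U (uid %u)' "/proc/$pid")"
  echo "exe   : $(readlink "/proc/$pid/exe" 2>/dev/null)"
  echo "cwd   : $(readlink "/proc/$pid/cwd" 2>/dev/null)"
  tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
    | grep -E '^(SCRIPT_FILENAME|DOCUMENT_ROOT|REQUEST_URI|REMOTE_ADDR|HTTP_USER_AGENT)=' || true
  echo "files :"
  find "/proc/$pid/fd" -maxdepth 1 -type l -printf '  %l\n' 2>/dev/null \
    | grep -Ev '^  (pipe|socket|anon_inode):' || true
}

# Every process currently connected to the IP from the alert, with owner and PID.
who_talks_to() {
  ss -tnp "dst $1" 2>/dev/null || true
}

# Candidate scripts under DIR: any file containing a PHP open tag (webshells are
# often dropped as .jpg/.ico/.txt and mapped via .htaccess) that also names the
# alert's IP or uses common obfuscation / raw-socket primitives.
# Output: path<TAB>first matching token. This is a review list, not a verdict:
# legitimate CMS code also calls base64_decode and curl_init.
hunt_php() {
  local dir=$1 f m
  local ip_re
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # match the IP literally
  grep -rIlE -e '<\?php|<\?=' "$dir" 2>/dev/null \
  | while IFS= read -r f; do
      m=$(grep -oE -m1 \
            -e "$ip_re" \
            -e '(base64_decode|gzinflate|gzuncompress|str_rot13|eval|assert|create_function)[[:space:]]*\(' \
            -e '(fsockopen|stream_socket_client|curl_init|curl_exec)[[:space:]]*\(' \
            "$f" 2>/dev/null | head -n1)
      [ -n "$m" ] || continue
      printf '%s\t%s\n' "$f" "$m"
    done | sort
}

# Script files changed in the last N days across all accounts (default /home, 7).
# An intruder evicted from one account and reappearing in another leaves fresh files.
recent_php() {
  find "${1:-/home}" -xdev -type f -mtime "-${2:-7}" \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' -o -name '.htaccess' \) \
    -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' 2>/dev/null | sort
}

# Per-user cron entries that start PHP or fetch from the network: one way for
# the process to come back after the web-visible files were cleaned.
cron_calls() {
  grep -HnE 'php|curl|wget|perl|python' "${1:-/var/spool/cron}"/* 2>/dev/null || true
}

# Usage on the live server (constructed example):  bash triage.sh <pid> 69.30.221.50
if [ "$#" -eq 2 ]; then
  inspect_pid "$1"
  echo "--- connections to $2";                   who_talks_to "$2"
  echo "--- PHP referencing $2 or obfuscated";    hunt_php /home "$2"
  echo "--- scripts changed in the last 7 days";  recent_php /home 7
  echo "--- cron entries running php/curl/wget";  cron_calls
fi
```

Get the PID from `ps -eo pid,user,etime,args | grep php-cgi` while the alert is active, then run the script with that PID and the destination IP; suspending the account stops the current process but does not reveal the entry point, which is what `hunt_php`, `recent_php` and `cron_calls` are for.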
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I recommend seeking out assistance from a qualified system administrator if you'd like further investigation into what could be causing the issue on the affected server. We provide a list of companies offering system administration services in the URL from my last response.

    Thank you.
     
  10. Alain Bensimon

    Can you recommend one of them, please?
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It's against our policy to recommend a specific vendor, but you are welcome to search their company names on a search engine or another forum such as WebHostingTalk to see if you can find existing reviews.

    Thank you.
     