Suspicious process running under user

mamayukero

Hi,

I got an error, and this message appears often, like this:

Time: Fri Dec 14 11:47:11 2018 +0700
PID: 3132 (Parent PID:4543)
Account: ......
Uptime: 110 seconds


Executable:

/opt/cpanel/ea-php70/root/usr/sbin/php-fpm


Command Line (often faked in exploits):

php-fpm: pool .....


Network connections by the process (if any):

tcp: .....


Files open by the process (if any):

/tmp/.ZendSem.zyMTxg (deleted)
/dev/urandom


Memory maps by the process (if any):
.
.
.
.
.
.
7f586e408000-7f586e42d000 rw-p 00000000 00:00 0
7f586e42d000-7f586e462000 r--s 00000000 b6:4a5b1 550428 /var/db/nscd/hosts
7f586e462000-7f586e4e6000 rw-p 00000000 00:00 0
7f586e4ef000-7f586e4f1000 rw-s 00000000 00:04 2095223666 /dev/zero (deleted)
7f586e4f1000-7f586e4f2000 rw-p 00000000 00:00 0
7f586e4f2000-7f586e4f3000 r--p 00021000 b6:4a5b1 395545 /usr/lib64/ld-2.17.so
7f586e4f3000-7f586e4f4000 rw-p 00022000 b6:4a5b1 395545 /usr/lib64/ld-2.17.so
7f586e4f4000-7f586e4f5000 rw-p 00000000 00:00 0
7ffea8c64000-7ffea8c85000 rw-p 00000000 00:00 0 [stack]
7ffea8df9000-7ffea8dfb000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]



Can anyone explain and help me?
 

rpvw

Add the following line to your /etc/csf/csf.pignore file:

Code:
pexe:/opt/cpanel/ea-php.*/root/usr/sbin/php-fpm
Click Change and then Restart lfd
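
A way to check, before restarting lfd, whether a csf.pignore entry actually covers the executable named in the alert (added example, not part of the thread or of csf itself). pexe: values are Perl regular expressions, approximated here with Python's re module; matching against the whole path is an assumption, and the account and pool names in the sample alert are constructed.

```python
import re

# Constructed sample: the fields of an lfd alert that matter here.
SAMPLE_ALERT = """\
PID: 3132 (Parent PID:4543)
Account: exampleuser

Executable:

/opt/cpanel/ea-php70/root/usr/sbin/php-fpm

Command Line (often faked in exploits):

php-fpm: pool example_com
"""


def alert_executable(alert):
    """Return the first non-blank line after the 'Executable:' heading."""
    lines = iter(alert.splitlines())
    for line in lines:
        if line.strip() == "Executable:":
            return next((l.strip() for l in lines if l.strip()), None)
    return None


def is_ignored(exe, pignore_lines):
    """Return the first exe:/pexe: entry that covers exe, else None."""
    for raw in pignore_lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        kind, _, value = entry.partition(":")
        if kind == "exe" and value == exe:
            return entry
        if kind == "pexe":
            try:
                # Assumption: the regex must match the whole path.
                if re.fullmatch(value, exe):
                    return entry
            except re.error:
                continue  # malformed regex never matches
    return None


if __name__ == "__main__":
    exe = alert_executable(SAMPLE_ALERT)
    for rule in (r"pexe:/opt/cpanel/ea-php\d+/root/usr/sbin/php-fpm",
                 "pexe:/opt/cpanel/ea-php*/root/usr/sbin/php-fpm"):
        print(rule, "->", "ignored" if is_ignored(exe, [rule]) else "still reported")
```

In a regex, `php*` means "ph" followed by any number of "p", so a shell-style wildcard leaves the alert firing, while `\d+` keeps the exception limited to versioned ea-php directories.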