Oct 18, 2006

Since yesterday
I am getting lots of emails from CSF firewall with the subject
"Suspicious process running under user"


Command Line (often faked in exploits):
/usr/bin/php /home/USER/public_html/wp-cron.php

I have seen emails like this before from CSF
what bothers me about these emails
is that they all say
Network connections by the process (if any):
tcp: xxx-xxx-xxx-xxx:53711 ->

(with the exception that not all of the ports are 53711
and the IP varies, but is always within the 66.155.40. IP range
and the 443 port is sometimes port 80)

the 66.155.40. IP range traces to
My server is not located at
and the techs at the data center that I use
have confirmed that they have no relationship with

I ran maldet on the entire server and no hits were found.

Many of the WordPress sites that the suspicious process emails are for
are my own sites and there are no plugins installed on these sites
that should have any reference to

Please don't tell me to tell the CSF firewall to ignore these processes.
I can deal with the CSF emails

The point of me posting this on cPanel forums is
to find out why/how
there is any relationship to
from wp-cron.php

Any insight would be greatly appreciated