wp-cron.php connecting to peer1

Discussion in 'General Discussion' started by audrey, Oct 12, 2016.

  1. audrey

    audrey Well-Known Member

    Hi

    Since yesterday
    I am getting lots of emails from CSF firewall with the subject
    "Suspicious process running under user"

    Executable:
    /usr/bin/php

    Command Line (often faked in exploits):
    /usr/bin/php /home/USER/public_html/wp-cron.php

    I have seen emails like this before from CSF
    but-
    what bothers me about these emails
    is that they all say
    Network connections by the process (if any):
    tcp: xxx-xxx-xxx-xxx:53711 -> 66.155.40.203:443

    (with the exception that not all of the ports are 53711
    and the IP varies, but is always within the 66.155.40. IP range
    and the 443 port is sometimes port 80)

    the 66.155.40. IP range traces to peer1.com.
    My server is not located at peer1.com
    and the techs at the data center that I use
    have confirmed that they have no relationship with peer1.com

    I ran maldet on the entire server and no hits were found.

    Many of the WordPress sites that the suspicious process emails are for
    are my own sites and there are no plugins installed on these sites
    that should have any reference to peer1.com

    Please don't tell me to tell the CSF firewall to ignore these processes.
    I can deal with the CSF emails

    The point of me posting this on cPanel forums is
    to find out why/how
    there is any relationship to peer1.com
    from wp-cron.php

    Any insight would be greatly appreciated

    Thanks
    Audrey
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    WordPress updates server, I believe.

    Unrelated, but displays the same IP address:

    meta.trac.wordpress.org/ticket/591
     
  3. audrey

    audrey Well-Known Member

    Thanks for the help
    Take Care
    Audrey
     
    Infopro likes this.
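
The triage described in the first post (reading each lfd alert and noticing that the remote addresses cluster in one range) can be scripted. The following is an added example, not part of any post in this thread; the sample alert text is constructed, and the `expected` list is an assumption that an administrator fills in only after verifying who owns a range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: bodies of three lfd "Suspicious process" e-mails in the
# layout quoted in the thread. Only 66.155.40.203 appears in the thread; every
# other address is a made-up or documentation-range value.
SAMPLE = """\
Command Line (often faked in exploits):
/usr/bin/php /home/USER/public_html/wp-cron.php
Network connections by the process (if any):
tcp: 192.0.2.10:53711 -> 66.155.40.203:443

Command Line (often faked in exploits):
/usr/bin/php /home/USER/public_html/wp-cron.php
Network connections by the process (if any):
tcp: 192.0.2.10:40122 -> 66.155.40.250:80

Command Line (often faked in exploits):
/usr/bin/php /home/USER2/public_html/wp-cron.php
Network connections by the process (if any):
tcp: 192.0.2.10:41877 -> 203.0.113.77:8080
"""

# "proto: local:port -> remote:port"; the local side may be redacted text.
CONN = re.compile(
    r"^\s*(?:tcp|udp)6?:\s+\S+\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")

def summarize(text, expected=()):
    """Return ({remote /24: ports}, [(command, ip, port) outside `expected`])."""
    nets = [ipaddress.ip_network(n) for n in expected]
    summary, unexpected, cmd = defaultdict(set), [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Command Line") and i + 1 < len(lines):
            cmd = lines[i + 1].strip()   # reported command line, may be faked
        m = CONN.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:               # e.g. an octet above 255
            continue
        port = int(m.group(2))
        summary[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(port)
        if not any(ip in n for n in nets):
            unexpected.append((cmd, str(ip), port))
    return dict(summary), unexpected
```

Grouping by /24 is a triage convenience, not a statement about how the address space is actually allocated; confirm ownership with a whois lookup before adding a range to `expected`.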