audrey

Well-Known Member
Oct 18, 2006
Hi

Since yesterday
I am getting lots of emails from CSF firewall with the subject
"Suspicious process running under user"

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/USER/public_html/wp-cron.php

I have seen emails like this before from CSF,
but what bothers me about these emails
is that they all say:
Network connections by the process (if any):
tcp: xxx-xxx-xxx-xxx:53711 -> 66.155.40.203:443

(with the exception that not all of the ports are 53711,
the IP varies but is always within the 66.155.40. IP range,
and the 443 port is sometimes port 80).

The 66.155.40. IP range traces to peer1.com.
My server is not located at peer1.com,
and the techs at the data center that I use
have confirmed that they have no relationship with peer1.com.

I ran maldet on the entire server and no hits were found.

Many of the WordPress sites that the suspicious process emails are for
are my own sites, and there are no plugins installed on these sites
that should have any reference to peer1.com.

Please don't tell me to tell the CSF firewall to ignore these processes.
I can deal with the CSF emails.

The point of me posting this on the cPanel forums is
to find out why/how
there is any relationship to peer1.com
from wp-cron.php.

Any insight would be greatly appreciated.

Thanks
Audrey
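To triage a batch of alerts like the ones quoted above, here is an added example (not from the original post and not CSF's own code) that parses the "Command Line" and "Network connections" fields of each alert body, then groups the remote endpoints per site and counts how many fall inside the 66.155.40.0/24 range the post describes. The alert bodies, site names and source address are constructed placeholders.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network


def alert(site, remote):
    """Build a constructed CSF-style alert body (placeholder data, not a real alert)."""
    return ("Executable:\n/usr/bin/php\n\n"
            "Command Line (often faked in exploits):\n"
            f"/usr/bin/php /home/{site}/public_html/wp-cron.php\n\n"
            "Network connections by the process (if any):\n"
            f"tcp: 10.0.0.5:53711 -> {remote}\n")


# Two connections into the range from the post, one elsewhere (192.0.2.0/24 is a documentation range).
SAMPLE_ALERTS = [
    alert("site1", "66.155.40.203:443"),
    alert("site2", "66.155.40.187:80"),
    alert("site1", "192.0.2.10:443"),
]

CMD_RE = re.compile(r"^Command Line[^\n]*:\n(.+)$", re.M)
CONN_RE = re.compile(r"^tcp: \S+:\d+ -> (\S+):(\d+)$", re.M)


def parse_alert(text):
    """Return the script path from the command line and the remote (ip, port) pairs."""
    cmd = CMD_RE.search(text)
    script = cmd.group(1).split()[-1] if cmd else None
    remotes = [(ip, int(port)) for ip, port in CONN_RE.findall(text)]
    return {"script": script, "remotes": remotes}


def summarize(alerts, watch_net="66.155.40.0/24"):
    """Count connections into watch_net vs. elsewhere and list watched endpoints per script."""
    net = ip_network(watch_net)
    per_site = defaultdict(set)
    in_range = other = 0
    for body in alerts:
        parsed = parse_alert(body)
        for ip, port in parsed["remotes"]:
            if ip_address(ip) in net:
                in_range += 1
                per_site[parsed["script"]].add(f"{ip}:{port}")
            else:
                other += 1
    return in_range, other, {k: sorted(v) for k, v in per_site.items()}


if __name__ == "__main__":
    hits, misses, sites = summarize(SAMPLE_ALERTS)
    print(f"{hits} connection(s) into the watched range, {misses} elsewhere")
    for script, endpoints in sites.items():
        print(script, "->", ", ".join(endpoints))
```

Feeding the saved alert e-mails into `summarize` shows at a glance which sites' wp-cron.php runs are reaching the range, which is the starting point for checking those sites' scheduled events and installed code.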