Help With Pignore Syntax Suspicious Process

Post Reply
consultant
Junior Member
Posts: 16
Joined: 24 Aug 2016, 04:49

Help With Pignore Syntax Suspicious Process

Post by consultant »

I'm getting these suspicious process warnings:

Executable:

/home/virtfs/elemcms/opt/cpanel/ea-php73/root/usr/bin/php

Command Line (often faked in exploits):

/opt/cpanel/ea-php73/root/usr/bin/php -f cron.php

I'm not a REGEX expert and the documentation on all the different configs in the Pignore file is a bit thin.

My PHP version may change in the future so I just want to ignore execution of PHP with the cron.php script no matter what the path. My understanding is that you would use pcmd for this? I tried both of these:

pcmd:^/cron.php
pcmd:*/cron.php

Neither worked.

consultant
Junior Member
Posts: 16
Joined: 24 Aug 2016, 04:49

Re: Help With Pignore Syntax Suspicious Process

Post by consultant »

Duh, in posting this I think I just figured out the problem. There is no forward slash leading the cron.php parameter!

Did I get it right? Still curious is ^ or * should be use to provide a wild card for the command path.

consultant
Junior Member
Posts: 16
Joined: 24 Aug 2016, 04:49

Re: Help With Pignore Syntax Suspicious Process

Post by consultant »

Neither one of these seem to work

pcmd:*cron.php
pcmd:^cron.php

Could it be I need to escape the period? \.

Post Reply