Suspicious Process running under User

Post Reply
LordLiverpool
Junior Member
Posts: 2
Joined: 05 May 2017, 11:10

Suspicious Process running under User

Post by LordLiverpool »

Hello CSF

I installed your wonderful plugin on Tuesday of this week.

Since then I've received 539 emails from LFD saying:
lfd on mail.myserver.tld: Suspicious process running under user myusername
Its found the same files for each domain on my server and they seem to be files from WordFence

Here follows the email:
Executable:

/home/virtfs/domain/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Command Line (often faked in exploits):

/opt/cpanel/ea-php56/root/usr/bin/php-cgi

Network connections by the process (if any):

tcp: 123.123.123.123:39126 -> 123.123.123.123:80

Files open by the process (if any):

/home/virtfs/domain/dev/urandom
/home/virtfs/domain/home/domain/public_html/wp-content/wflogs/ips.php
/home/virtfs/domain/home/domain/public_html/wp-content/wflogs/config.php (deleted) /home/virtfs/domain/home/domain/public_html/wp-content/wflogs/attack-data.php
I've removed the domain name and the IP address.

Is my server compromised or is this a false positive?

Can anyone help me please?

Thanks.
LordLiverpool
Junior Member
Posts: 2
Joined: 05 May 2017, 11:10

Re: Suspicious Process running under User

Post by LordLiverpool »

Hey CSF

I installed your Firewall just over a week ago and since then I've had 1529 emails like the one above. (feeling overwhelmed)

How does this forum work?
Can I expect any help from CSF?
Or is it purely charitable contributions from the larger community?

Best Regards
Post Reply