"Suspicious Process" -- how to debug?

rudolfl
Junior Member
Posts: 2
Joined: 01 Sep 2020, 00:57

Post by rudolfl »

Hi all,

I am getting a lot of e-mails about a suspicious process running. I did find many threads about it, and all pretty much talk about how to silence those.
I want to fix (if possible) the underlying problem.

Those warnings generally only specify the user and the PHP executable.

The network connections I am getting are:
Network connections by the process (if any):

tcp: 127.0.0.1:41462 -> 127.0.0.1:11211
tcp: 127.0.0.1:41016 -> 127.0.0.1:11211


(This is a connection from localhost to a memcached server running on the same localhost.)

I believe the issue is most likely related to automated bots trying to access the site for the purpose of scanning or brute force.

What I would like to do is to find the offending script and the offending user (IP). Taking a look at the Apache log files does help to a point. I did find a few offending IPs and blocked them, but there are more.

Sites are all running WordPress.

Any pointers on how to investigate will be greatly appreciated.

Thanks,
Rudolf
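
Added example (not part of the original post): one way to narrow down the "offending script and offending IP" from the Apache access log is to count requests per (client IP, PHP script) pair and list the pairs that repeat. It assumes the Apache "combined" log format; the sample lines, IP addresses and the min_hits threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2020:01:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2020:01:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2020:01:10:03 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2020:01:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Sep/2020:01:11:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [01/Sep/2020:01:11:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
198.51.100.23 - - [01/Sep/2020:01:11:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"
192.0.2.10 - - [01/Sep/2020:01:12:00 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Sep/2020:01:12:01 +0000] "GET /wp-content/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
this line is truncated or malformed and must be skipped
"""

def parse(lines):
    """Yield (ip, method, script, status) for each parsable line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            script = m["path"].split("?", 1)[0]  # drop the query string
            yield m["ip"], m["method"], script, int(m["status"])

def rank_php_hits(lines, min_hits=3):
    """Count requests per (client IP, PHP script); keep pairs seen >= min_hits times.

    Only URLs that name a .php file directly are counted; requests that reach
    PHP through rewrite rules (pretty permalinks) are not attributed here.
    """
    hits = Counter(
        (ip, script)
        for ip, _method, script, _status in parse(lines)
        if script.endswith(".php")
    )
    return [(pair, n) for pair, n in hits.most_common() if n >= min_hits]

if __name__ == "__main__":
    for (ip, script), n in rank_php_hits(SAMPLE_LOG.splitlines()):
        print(f"{n:5d}  {ip:15s}  {script}")
```

On a real server, pass the lines of the site's access log instead of SAMPLE_LOG and compare the timestamps of the top pairs with the times in the alert e-mails.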