Page 1 of 1
Process Tracking Emails
Posted: 23 Sep 2015, 09:37
by IsraelPaya67
I have several websites made in WordPress. WordPress try to update itself regularly. When it happens, I received an email from the server for every website of this type:
Time: Tue Sep 22 08:30:35 2015 +0200
PID: 5733 (Parent PID:3407)
Account: userxxx
Time active: 76 seconds
Executable:
/usr/bin/php
Command line (often misrepresented exploits):
/usr/bin/php /home/userxxx/public_html/wp-cron.php
Network connections of the process (if any):
tcp: 37.187...
How can I avoid receiving these emails?
Thank you so much.
Regards.
Re: Process Tracking Emails
Posted: 24 Sep 2015, 14:40
by maever
Hello IsraelPaya67,
One solution would be adding the commandline (with a wildcard) of the script in question to the csf.pignore file such as the below example:
Code: Select all
pcmd:/usr/bin/php /home/.*/public_html/wp-cron.php
hope it helps
Re: Process Tracking Emails
Posted: 24 Sep 2015, 16:04
by IsraelPaya67
Fantastic. Thank you so much for your support!
Best regards.
Re: Process Tracking Emails
Posted: 16 Apr 2017, 15:51
by cglmicro
It's not working for me with the wildcard.
Here is my /etc/csf/csf.pignore file (only a few lines of it):
Code: Select all
cmd:/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/.*/public_html/wp-cron.php
cmd:/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/.*/public_html/wp-admin/admin-ajax.php
I did RESTART CSF+LFD when asked, and I still receive these emails:
Code: Select all
Time: Sun Apr 16 10:44:00 2017 -0400
PID: 20892 (Parent PID:15283)
Account: fakeusername
Uptime: 167 seconds
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php56/root/usr/bin/php-cgi /home/fakeusername/public_html/wp-admin/admin-ajax.php
Network connections by the process (if any):
tcp: 108.163.xxx.xxx:41141 -> 108.163.xxx.xxx:80
I also tried with a wildcard * instead of .* but same result. Any suggestion?
Re: Process Tracking Emails
Posted: 17 Apr 2017, 20:02
by Sergio
Add just the following line to csf.pignore:
exe:/usr/bin/php
That will work.
Re: Process Tracking Emails
Posted: 17 Apr 2017, 21:17
by cglmicro
I saw this answer in another thread, and it bring another question: This line won't ignore every alerts regarding PHP scripts, or just affect this single alert ?
Re: Process Tracking Emails
Posted: 18 Apr 2017, 02:06
by Sergio
@cglmicro,
That line helps php to run, chances are that another customers will trigger the same.
On the other hand, on the first post was:
Executable:
/usr/bin/php
But in your post you wrote:
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Both are completely different approaches.
So, for your particular case you should add the following line in csf.pignore:
exe:/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Sergio
Re: Process Tracking Emails
Posted: 21 Apr 2017, 20:50
by cglmicro
Thank you, I just added
exe:/opt/cpanel/ea-php56/root/usr/bin/php-cgi