suspicious process alert but no process listed

blondiegeek
Junior Member
Posts: 1
Joined: 26 Feb 2016, 11:28

suspicious process alert but no process listed

Post by blondiegeek »

Hi all,

I've been getting numerous suspicious process alerts each day, listing /usr/bin/php as the suspicious process but no actual process beyond that. I'm not sure if this is a false positive or not - and even if it is I don't know how to block it because it doesn't seem wise to ignore everything under php.

Can anyone help interpret this? I've searched high and low in this and other forums and haven't been able to find a similar situation.

Here's an example email:

Time: Fri Feb 26 11:18:26 2016 +0000
PID: 29663 (Parent PID:29408)
Account: (username removed)
Uptime: 111 seconds


Executable:

/usr/bin/php


Command Line (often faked in exploits):

/usr/bin/php


Network connections by the process (if any):

tcp: 127.0.0.1:38213 -> 127.0.0.1:11211


Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
(deleted)/tmp/.ZendSem.Dek1Ac
(deleted)/tmp/ZCUDs5fJdf


Memory maps by the process (if any):

uhl-hosting
Junior Member
Posts: 1
Joined: 07 Mar 2016, 15:05

Re: suspicious process alert but no process listed

Post by uhl-hosting »

I have the same issue; I added exe:/usr/bin/php to pignore, yet the issue persists.

nimonogi
Junior Member
Posts: 3
Joined: 28 Nov 2011, 10:01

Re: suspicious process alert but no process listed

Post by nimonogi »

I'm having the same issue... how can we deal with this?

davert
Junior Member
Posts: 6
Joined: 13 Jan 2015, 19:45

Re: suspicious process alert but no process listed

Post by davert »

Just a bump to see if anyone found anything.

It does show if something is running from a deleted process.

It would be VERY nice if they showed what script was running the process. I have no idea where to look.

There does seem to be a way to tell LFD to stop checking for processes running from deleted temp files. However, if I knew what script was at fault, I could go to the source.

http://g33kinfo.com/info/archives/3933
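Added example, not from this thread and not ConfigServer's own code: a small Python triage helper for an alert of the shape quoted in the first post. It parses the email into fields, explains why LFD fired (files that were unlinked after being opened), and points at the two things the alert leaves out and davert asks for, the parent process and the live /proc entries (cwd, exe, argv) that reveal which script /usr/bin/php was actually running. The sample alert is constructed from the first post, the loopback port table and the ".ZendSem" note are my assumptions (the lock-file pattern is from PHP's OPcache, so verify it against your own PHP build), and `inspect_proc` only returns live data when run as root on the affected host while the process is still alive; elsewhere it returns None fields rather than failing.

```python
"""Triage helper for a ConfigServer LFD "suspicious process" alert (added example)."""
import os
import re
from pathlib import Path

# Constructed sample, modelled on the alert quoted in the thread.
SAMPLE_ALERT = """\
Time: Fri Feb 26 11:18:26 2016 +0000
PID: 29663 (Parent PID:29408)
Account: (username removed)
Uptime: 111 seconds

Executable:

/usr/bin/php

Command Line (often faked in exploits):

/usr/bin/php

Network connections by the process (if any):

tcp: 127.0.0.1:38213 -> 127.0.0.1:11211

Files open by the process (if any):

/usr/local/apache/logs/error_log
/usr/local/apache/logs/error_log
(deleted)/tmp/.ZendSem.Dek1Ac
(deleted)/tmp/ZCUDs5fJdf

Memory maps by the process (if any):
"""

# Alert section header -> key in the parsed dict (headers as LFD prints them).
SECTIONS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "cmdline",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "files",
    "Memory maps by the process (if any):": "maps",
}
PID_RE = re.compile(r"PID:\s*(\d+)\s*\(Parent PID:\s*(\d+)\)")
CONN_RE = re.compile(r"(\w+):\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)")
# Assumed mapping of loopback ports to the service an admin would expect there.
LOCAL_SERVICES = {11211: "memcached", 3306: "mysql", 6379: "redis"}


def parse_alert(text):
    """Split an LFD alert into pid/ppid plus one list of lines per section."""
    alert = {"pid": None, "ppid": None}
    alert.update({key: [] for key in SECTIONS.values()})
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PID_RE.search(line)
        if m:
            alert["pid"], alert["ppid"] = int(m.group(1)), int(m.group(2))
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
            continue
        if current:
            alert[current].append(line)
    return alert


def triage(alert):
    """Return human-readable findings: why LFD fired and where to look next."""
    findings = []
    exe = alert["executable"][0] if alert["executable"] else ""
    if " ".join(alert["cmdline"]).strip() == exe:
        findings.append(
            "cmdline is just the binary with no script path, so the PHP code came from "
            f"the parent (web server, CGI or stdin); inspect parent PID {alert['ppid']} "
            f"and /proc/{alert['pid']}/cwd, /proc/{alert['pid']}/fd")
    deleted = [f[len("(deleted)"):] for f in alert["files"] if f.startswith("(deleted)")]
    if deleted:
        findings.append("open files unlinked after open (LFD's deleted-file trigger): "
                        + ", ".join(deleted))
    for name in deleted:  # assumption: OPcache unlinks its /tmp/.ZendSem.* lock file
        if "/.ZendSem." in name:
            findings.append(f"{name} looks like a Zend/OPcache lock file, deleted by design")
    for conn in alert["connections"]:
        m = CONN_RE.match(conn)
        if not m:
            continue
        proto, _, _, dst_host, dst_port = m.groups()
        scope = "loopback" if dst_host.startswith("127.") else "remote"
        svc = LOCAL_SERVICES.get(int(dst_port), "unknown service")
        findings.append(f"{proto} connection to {scope} {dst_host}:{dst_port} ({svc})")
    return findings


def inspect_proc(pid, proc_root="/proc"):
    """Read what the alert omits: cwd, exe, argv and PPid of a live process.

    Any field that cannot be read (process gone, no permission, non-Linux host)
    stays None so the alert text alone can still be acted on.
    """
    base = Path(proc_root) / str(pid)
    info = {"cwd": None, "exe": None, "argv": None, "ppid": None}
    for key in ("cwd", "exe"):
        try:
            info[key] = os.readlink(base / key)
        except OSError:
            pass
    try:  # /proc/<pid>/cmdline is NUL-separated; the script path is usually argv[1]
        parts = (base / "cmdline").read_bytes().split(b"\0")[:-1]
        info["argv"] = [p.decode(errors="replace") for p in parts]
    except OSError:
        pass
    try:
        for line in (base / "status").read_text().splitlines():
            if line.startswith("PPid:"):
                info["ppid"] = int(line.split()[1])
    except OSError:
        pass
    return info


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    for finding in triage(parsed):
        print("-", finding)
    print(inspect_proc(parsed["pid"]))  # live data only on the affected host
```

Run it on the alert body saved from the email (or feed it to `parse_alert`) while the process is still up; with an uptime of 111 seconds in the sample, the useful window is short, so pairing it with the PID from the alert and reading `/proc/<PID>/cwd` promptly is what identifies the script, rather than widening pignore to all of /usr/bin/php.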