How to add rule to csf.ignore

aky007
Junior Member
Posts: 2
Joined: 03 Oct 2013, 07:05

How to add rule to csf.ignore

Post by aky007 »

Hi Everyone,

I tried to resolve some false alerts by adding the following rules to csf.ignore but still can't stop them. :confused: :confused:

exe:/usr/local/cpanel/3rdparty/perl/522/bin/perl

exe:/usr/local/lsws/bin/lshttpd.5.1.11

lfd on domain.com: Suspicious File Alert
Time: Fri Jan 13 06:17:11 2017 +0800
File: /tmp/lshttpd/bak_core/core.831309
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

-----------------------------------------------------------------------------------

lfd on domain.com: Suspicious File Alert
Time: Fri Jan 13 06:17:11 2017 +0800
File: /tmp/lshttpd/bak_core/core.831841
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

-----------------------------------------------------------------------------------

lfd on domain.com: Suspicious process running under user nobody
Time: Fri Jan 13 07:06:21 2017 +0800
PID: 900025 (Parent PID:900023)
Account: nobody
Uptime: 72 seconds


Executable:

/usr/local/lsws/bin/lshttpd.5.0.18


Command Line (often faked in exploits):

litespeed (lshttpd)


Network connections by the process (if any):

tcp: 127.0.0.1:443 -> 0.0.0.0:0
tcp: 127.0.0.1:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:4433 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp: ***.***.**.**:443 -> 0.0.0.0:0
tcp: ***.***.**.**:80 -> 0.0.0.0:0
tcp6: 0.0.0.0:443 -> 0.0.0.0:0
tcp6: 0.0.0.0:80 -> 0.0.0.0:0
tcp: 0.0.0.0:7080 -> 0.0.0.0:0

-----------------------------------------------------------------------------------

Please help.

Thanks :D
Moderated Message:
Please do not bump threads
Havri
Junior Member
Posts: 5
Joined: 05 Jan 2016, 10:10

Re: How to add rule to csf.ignore

Post by Havri »

Hello,

You should use the pexe regex rule, like so in /etc/csf/csf.pignore:

pexe:^/usr/local/lsws/bin/lshttpd.*$

Let me know if it works.

Regards.
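
The difference between the exact `exe:` lines from the first post and the `pexe:` regex suggested above, checked against the executable path in the alert; this is an added example, not part of the original posts and not csf's own code. It assumes `exe:` is a literal full-path comparison and `pexe:` a regular expression applied to the full path, with Python's `re` standing in for Perl's; the function names and sample data are constructed.

```python
import re

# Constructed csf.pignore sample: the two exe: lines from the first post
# plus the pexe: line from the reply.
SAMPLE_PIGNORE = """\
# comments and blank lines are skipped
exe:/usr/local/cpanel/3rdparty/perl/522/bin/perl
exe:/usr/local/lsws/bin/lshttpd.5.1.11
pexe:^/usr/local/lsws/bin/lshttpd.*$
"""

# Constructed excerpt of the process alert quoted in the first post.
SAMPLE_ALERT = """\
Account: nobody
Executable:

/usr/local/lsws/bin/lshttpd.5.0.18

Command Line (often faked in exploits):
"""

def parse_rules(text):
    """Return (kind, value) pairs for exe:/pexe: lines; other rule types are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in ("exe", "pexe") and value:
            rules.append((kind, value))
    return rules

def matching_rules(executable, rules):
    """List the rules that cover this path (assumed semantics: exe literal, pexe regex)."""
    hits = []
    for kind, value in rules:
        if kind == "exe" and executable == value:
            hits.append((kind, value))
        elif kind == "pexe" and re.search(value, executable):
            hits.append((kind, value))
    return hits

def executable_from_alert(alert_text):
    """Pull the path that follows the 'Executable:' label in a process alert."""
    m = re.search(r"^Executable:\s*(\S+)", alert_text, re.MULTILINE)
    return m.group(1) if m else None

if __name__ == "__main__":
    path = executable_from_alert(SAMPLE_ALERT)
    print(path, "->", matching_rules(path, parse_rules(SAMPLE_PIGNORE)))
```

The alert names lshttpd.5.0.18 while the exact rule names lshttpd.5.1.11, so only the regex rule covers the running binary, and because the regex is anchored to the full install directory it does not cover a same-named file elsewhere.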
webintel
Junior Member
Posts: 10
Joined: 01 May 2012, 08:02

Re: How to add rule to csf.ignore

Post by webintel »

Did it work?