csf.pignore rules aren't working?

Post Reply
Ryan_D
Junior Member
Posts: 3
Joined: 29 Apr 2021, 14:45

csf.pignore rules aren't working?

Post by Ryan_D »

Hi,

I've recently setup the emails for csf/lfd and I started getting tons of emails coming through, but most of them appear to be false positives.

I've added the following rules to csf.pignore but they don't appear to be working as the emails for the very same reasons are still coming through even after restarting both CSF and even the entire server.

Code: Select all

pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp.* # LiteSpeed
pexe:/usr/local/lsws/bin/lshttpd.* # LiteSpeed
exe:/usr/local/lsmcd/bin/lsmcd # LiteSpeed

exe:/usr/bin/redis-server # Redis
exe:/usr/bin/node # Redis
cmd:/usr/bin/redis-server 127.0.0.1:6379 # Redis

exe:/opt/digitalocean/bin/do-agent # DigitalOcean

cmd:lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp # LiteSpeed Extra
pexe:^/usr/local/lsws/bin/lshttpd.* # LiteSpeed Extra
pexe:^/opt/alt/php.*/usr/bin/lsphp # LiteSpeed Extra
pexe:^/opt/cpanel/ea-php\d\d/root/usr/bin/lsphp\.cagefs # LiteSpeed Extra

Here is a copy of the emails (snippets of them) and the subjects.

Suspicious process running under user nobody
Executable: /usr/local/lsmcd/bin/lsmcd
Command Line (often faked in exploits): /usr/local/lsmcd/bin/lsmcd

Suspicious process running under user nobody
Executable: /usr/local/lsws/bin/lshttpd.6.0.11
Command Line (often faked in exploits): litespeed (lshttpd - #01)

Suspicious File Alert
File: /tmp/lsmcd/core.873669
Reason: Linux Binary
Owner: nobody:nobody (99:99)
Action: No action taken

Excessive resource usage: customwheelaccount
Exceeded: 60647 > 3600 (seconds)

Executable: /usr/bin/bash
Command Line: -bash

Excessive resource usage: do-agent
Exceeded: 906203 > 3600 (seconds)

Executable: /opt/digitalocean/bin/do-agent
Command Line: /opt/digitalocean/bin/do-agent --syslog

Excessive resource usage: mysql
Exceeded: 906203 > 3600 (seconds)

Executable: /usr/sbin/mariadbd
Command Line: /usr/sbin/mariadbd

Suspicious process running under user redis
Executable: /usr/bin/redis-server
Command Line (often faked in exploits): /usr/bin/redis-server 127.0.0.1:6379

Excessive resource usage: redis
Exceeded: 909835 > 3600 (seconds)

Executable: /usr/bin/redis-server
Command Line: /usr/bin/redis-server 127.0.0.1:6379
I'd greatly appreciate some help with this!

Thanks
Post Reply