Suspicious Process Running - Remote mySQL Connection

Posted: 15 Apr 2013, 18:29
by amsbwd
Hello all, I have CSF v6.07 on a VPS and have been receiving "suspicious process" emails pertaining to one of my websites. I can't figure out if there's a good way to whitelist these, the following details having been changed slightly to protect the innocent:

---------Begin Email---------

lfd on #host#.com: Suspicious process running under user #user#

Command Line (often faked in exploits):
#path#/public_html/file.php

Network connections by the process (if any):
tcp: ###myserverIP### -> ###remoteip###:3306

---------End Email---------

Based on the tcp line above I know exactly what's happening. I have a script in file.php that connects to a remote mySQL database ###remoteip### on port 3306 and stores some data. The IP addresses confirm that this is not a suspicious process; I have requested it. But how can I whitelist it? I don't want to ignore file.php or the php process as doing either would open me up to a pretty big security hole.

If I go into csf.ignore and add the ###remoteip###, would that prevent emails being triggered for this specific piece of code?

Also, is it common to have this type of error generated based on a PHP connection to a remote mySQL database?

TIA!

Re: Suspicious Process Running - Remote mySQL Connection

Posted: 27 Apr 2013, 10:16
by SoftDux
You can ignore the script in /etc/csf/csf.pignore, instead of the IP for a bit more security. csf.ignore will ignore EVERYTHING from that IP.

CSF probably flagged it as suspicious since it's not normal behavior, i.e. the fact that the SQL server is (probably) queried every few seconds.
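The narrow csf.pignore entry SoftDux suggests, written out as an added example (not part of either post and not taken from the CSF documentation); the `#path#` and `#user#` placeholders are the ones from the original alert email, and the exact script path is assumed to be what lfd prints on the "Command Line" line of that email:

```text
# /etc/csf/csf.pignore  (added example entry; #path# / #user# are the post's placeholders)
#
# Match the full command line of the one script that legitimately talks to the
# remote MySQL server.  This keeps the PHP binary itself and every other script
# under lfd's process tracking, unlike an "exe:" entry for the php executable.
cmd:#path#/public_html/file.php
#
# If the script is only ever run as the site owner, the "user:" form is the
# alternative, but it silences alerts for every process of that account, so
# the "cmd:" line above is the tighter choice.
#user:#user#
```

Restart lfd after editing the file so the new entry is read. Keep in mind the caveat lfd prints in the alert itself ("Command Line (often faked in exploits)"): a `cmd:` match trusts the process's self-reported command line, so the rest of the alert, in particular the network connection line with the expected `###remoteip###:3306` destination, remains worth a glance whenever a new report does arrive for a different script.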