lfd on host.myserver.com: Suspicious process running under user iwp_user
Time: Tue Dec 5 11:01:19 2017 -0500
PID: 15316 (Parent PID:15313)
Account: iwp_user
Uptime: 78 seconds
Executable:
/home/virtfs/iwp_user/opt/cpanel/ea-php70/root/usr/bin/php
Command Line (often faked in exploits):
/opt/cpanel/ea-php70/root/usr/bin/php /home/iwp_user/public_html/iwp/cron.php
The warning appears to have been triggered by the time it took IWP’s cron.php to execute, which exceeds the setting (60s) I have in CSF.
I haven’t changed that setting or added any sites. The only change seems to have been the WordPress upgrade, so all I’ve been able to figure out so far is that cron.php apparently has taken less time than the 60s limit prior to the WP 4.9.1 upgrade, but now it takes longer and is triggering the warnings.
I know I could increase the 60 second limit, or whitelist cron.php in CSF, but I would rather not do so if this is pointing to some issue following the update. I don’t see anything in my error logs.
The server is just coasting, so would adjustment of the App Settings in IWP reduce the time cron.php takes to run? My current settings, which I don’t think I’ve ever changed from the defaults, are:
Also, on the dashboard under “WordPress Events and News” I get the following error messages:
RSS Error: WP HTTP Error: cURL error 7: Failed to connect to www.ads-software.com port 80: Connection timed out
RSS Error: WP HTTP Error: cURL error 7: Failed to connect to planet.www.ads-software.com port 443: Connection timed out
I have contacted my dedicated server support and this is their response:
“I have been looking into this, and it does look like that is the issue, your server just cannot connect to www.ads-software.com:
———-begin support response————
— www.ads-software.com ping statistics —
11 packets transmitted, 0 received, +11 errors, 100% packet loss, time 9999ms
You do have network connectivity though:
— google.com ping statistics —
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
And when trying to connect to www.ads-software.com the packets do leave your server:
[root@ded3845 ~]# traceroute www.ads-software.com
traceroute to www.ads-software.com (66.155.40.249), 30 hops max, 60 byte packets
1 209.182.212.2 (209.182.212.2) 0.248 ms 1.441 ms 2.521 ms
2 * * *
3 * * *
4 198.46.80.2 (198.46.80.2) 3.410 ms 4.135 ms 4.819 ms
5 ae0-3019.cr0-was1.ip4.gtt.net (69.31.31.41) 5.446 ms * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
They just never make it there. As the packets are getting out of our network though, we really don’t control that. I would definitely try and check if www.ads-software.com has your IP blocked by chance, for whatever reason: 209.182.213.19
———-end support response————
Any help in resolving this issue will be greatly appreciated.
Can someone check and see if my ip has been blocked? This is a new ip for my site as I have just moved to a new server.
Thank you
Mark

A week ago I installed CSF on my VPS and I turned on LFD.
Since then I’ve had over 1200 emails from LFD saying WordFence is a suspicious process.
Is this a false positive? It would be ironic if WordFence was infected and I find that hard to believe.
Is there some sort of conflict between WordFence and LFD or is it because WordFence sends data to its own server that’s causing the problem?
Is there a fix to this?
I posted on the CSF Forum but they never replied, so I thought I would ask you instead
I’d be grateful for any help.
Thanks.
Here is the message I’m receiving:
Time: Tue May 9 13:20:01 2017 +0100
PID: 29293 (Parent PID:27098)
Account: admin
Uptime: 81 seconds
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Network connections by the process (if any):
tcp: 123.123.123.123:38428 -> 123.123.123.123:80
Files open by the process (if any):
/var/log/apache2/error_log
/tmp/.ZendSem.80xPEq (deleted)
/dev/urandom
/home/admin/public_html/wp-content/wflogs/ips.php
/home/admin/public_html/wp-content/wflogs/config.php
/home/admin/public_html/wp-content/wflogs/attack-data.php
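A small parser and triage helper for the lfd “Suspicious process” alerts quoted in this post and in the IWP post earlier on the page. This is an added example, not code from CSF, IWP or Wordfence; the 60-second PT_USERTIME default, the made-up sample values and the handling of cPanel’s /home/virtfs/<user> jailed-shell prefix are my assumptions.

```python
import re

# Constructed sample modelled on the alerts quoted above; values are made up.
SAMPLE_ALERT = """Time: Tue Dec 5 11:01:19 2017 -0500
PID: 15316 (Parent PID:15313)
Account: iwp_user
Uptime: 78 seconds
Executable:
/home/virtfs/iwp_user/opt/cpanel/ea-php70/root/usr/bin/php
Command Line (often faked in exploits):
/opt/cpanel/ea-php70/root/usr/bin/php /home/iwp_user/public_html/iwp/cron.php
"""

SECTIONS = {"Executable:": "executable",
            "Command Line (often faked in exploits):": "cmdline",
            "Network connections by the process (if any):": "connections",
            "Files open by the process (if any):": "files"}

def parse_lfd_alert(text):
    """Split an alert into scalar fields ('account', 'uptime', ...) and lists."""
    alert = {key: [] for key in SECTIONS.values()}
    section = None
    for line in text.splitlines():
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section is not None:
            alert[section].append(line)
        elif ": " in line:
            key, value = line.split(": ", 1)
            alert[key.lower()] = value
    alert["uptime"] = int(alert["uptime"].split()[0])
    m = re.match(r"(\d+) \(Parent PID:(\d+)\)", alert["pid"])
    alert["pid"], alert["ppid"] = int(m.group(1)), int(m.group(2))
    return alert

def triage(alert, pt_usertime=60):
    """Say why lfd fired and list what a reviewer should look at first."""
    findings = []
    if alert["uptime"] > pt_usertime:
        findings.append(f"ran {alert['uptime']}s > PT_USERTIME={pt_usertime}s")
    # cPanel's jailed shell shows the system under /home/virtfs/<user>/ (assumed).
    exe = re.sub(rf"^/home/virtfs/{alert['account']}", "", alert["executable"][0])
    argv = alert["cmdline"][0].split()
    if argv[0] != exe:
        findings.append(f"argv[0] {argv[0]} != executable {exe}; cmdline can be faked")
    home = f"/home/{alert['account']}/"
    for script in argv[1:]:
        if script.startswith("/") and not script.startswith(home):
            findings.append(f"script {script} lives outside {home}")
    return findings
```

On the sample the only finding is the runtime over PT_USERTIME, which is what the IWP post describes; a forged command line or a script outside the account’s home would add further findings.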

https://www.ads-software.com/support/topic/help-with-csf-firewall-removing-lfd-process-check-for-wf/
The suggestion was to tell CSF to ignore Wordfence. I don’t think the security of the server should have to be compromised so a plugin can work. Furthermore, it requires making a user go into the root of their server to accomplish this. Most users won’t have access to root, and most users, when asking their host to make exceptions for their applications, will be told to take a hike.
I am getting hundreds of errors caused by Wordfence, and it seems the better solution might be to get rid of Wordfence for a product that doesn’t make you bypass security or make root-level changes to accomplish that.

My VPS has CSF installed, and I am getting lots of messages about ‘suspicious’ activities from various IP addresses.
I’m 99% certain this is a false positive as 3 of the IPs in question resolve to www.ads-software.com:
66.155.40.189
66.155.40.186
66.155.40.202
What I am looking for is the full range or list of IPs that WordPress uses so that I can add them to the allow / ignore list.

Background:
I’ve had a fair bit of trouble with slowloris attacks on my server so recently installed CSF firewall, which stopped the attacks. I *did* notice that the WP admin panel seemed to be running a bit slowly, but no other problems.
Main problem:
I performed a manual upgrade of my new-ish site because it kept saying on the dashboard that it was up-to-date, but I knew it wasn’t. (I am now worrying the problem was actually due to port blocking on CSF – I have CT-Limit set to 60 and certain countries can only access port 80, and a few other things…)
The first upgrade seemed to not work properly, because I kept getting errors along the lines of “/htdocs/wp-includes/functions.php on line 1282” – relating to wp_cache. It turned out that file had not been replaced for some reason… so I renamed admin and includes and re-uploaded fresh copies. I also deactivated the plug-ins and switched the theme via phpmyadmin.
That allowed me to get to the dashboard, but I still have a white screen of death on the main site and a load of errors are now showing up in the admin panel (I guess also because I enabled them to show).
I tried to install a plugin to trace the problem, but got the following load of errors:
Warning: stream_socket_client(): unable to connect to ssl://api.www.ads-software.com:443 (Connection timed out) in /var/www/vhosts/(mysite)/htdocs/wp-includes/class-http.php on line 1021
Warning: An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to www.ads-software.com. Please contact your server administrator.) in /var/www/vhosts/(mysite)/htdocs/wp-includes/update.php on line 302
Warning: stream_socket_client(): unable to connect to tcp://api.www.ads-software.com:80 (Connection timed out) in /var/www/vhosts/(mysite)/htdocs/wp-includes/class-http.php on line 1021
Warning: stream_socket_client(): unable to connect to ssl://api.www.ads-software.com:443 (Connection timed out) in /var/www/vhosts/(mysite)/htdocs/wp-includes/class-http.php on line 1021
Warning: An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums. (WordPress could not establish a secure connection to www.ads-software.com. Please contact your server administrator.) in /var/www/vhosts/(mysite)/htdocs/wp-admin/includes/plugin-install.php on line 83
Warning: stream_socket_client(): unable to connect to tcp://api.www.ads-software.com:80 (Connection timed out) in /var/www/vhosts/(mysite)/htdocs/wp-includes/class-http.php on line 1021
An unexpected error occurred. Something may be wrong with www.ads-software.com or this server’s configuration. If you continue to have problems, please try the support forums.
I do have a recent backup of the database – but probably not the entire file structure, although that’s less of an issue. But I’d still be left with the problem of not being able to upgrade. The wp-content part has not been messed with.
Any hints? Don’t like asking for help but I’m wondering if this has something to do with CSF configurations (perhaps I need to whitelist something?), and now also confused as to what I need to do to get the main site working again…
Thanks in advance…
Site is “rose newell dot co dot uk”, by the way.

I wasn’t sure if this should be posted here or on the cPanel Forums. As a web host I have dealt with malware before; however, as of late one client seems to always be infected.
The infected are always different, and no, it doesn’t seem to matter if WordPress is reinstalled, rehashed and the MySQL passwords changed.
Last night I received 60 messages from CSF containing:
Time: Tue Aug 18 08:39:30 2015 -0400
PID: 7792 (Parent PID:5275)
Account: USERNAME
Uptime: 3722 seconds
Executable:
/usr/bin/php
Command Line (often faked in exploits):
/usr/bin/php /home/USERNAME/public_html/coach4food/wp-includes/SimplePie/Net/lib.php
[moderated]
I am using both Pyxsoft and ClamAV. According to Pyxsoft it is a {HEX}.php.base64.v23au.183.
I am at a loss here. WordPress has been updated, and all plugins are recognized and reliable. The malware has jumped to all of the user’s WordPress sites.
Thanks in advance,

My Akismet plugin can’t connect to the Akismet servers because I have ConfigServer Security & Firewall installed on my dedicated server.
How do I allow access to the plugin Akismet servers?
Information Akismet blog: https://blog.akismet.com/akismet-hosting-faq/
I did it in my file “csf.allow”, see:
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: https://www.configserver.com
# Email: [email protected]
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
# can still be blocked. If you do not want lfd to block an IP address you must
# add it to csf.ignore
201.95.214.69 # csf SSH installation/upgrade IP address – Tue May 6 07:54:59 2014
192.0.80.244 # Akismet
192.0.80.246 # Akismet
66.135.58.62 # Akismet
66.135.58.61 # Akismet
I also tried the following, but with no success:
201.95.214.69 # csf SSH installation/upgrade IP address – Tue May 6 07:54:59 2014
tcp:out:d=80:d=192.0.80.244 # Akismet
tcp:out:d=80:d=192.0.80.246 # Akismet
tcp:out:d=80:d=66.135.58.62 # Akismet
tcp:out:d=80:d=66.135.58.61 # Akismet
tcp:in:d=80:d=192.0.80.244 # Akismet
tcp:in:d=80:d=192.0.80.246 # Akismet
tcp:in:d=80:d=66.135.58.62 # Akismet
tcp:in:d=80:d=66.135.58.61 # Akismet
Thanks in advance.
https://www.ads-software.com/plugins/akismet/
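A validator for csf.allow entries written against the grammar in the file header quoted above (one IP or CIDR per line, or tcp/udp|in/out|s/d=port|s/d=ip, with # starting a comment). This is an added example, not part of CSF or Akismet; it checks only those two documented forms, so it reports the colon-separated lines from the second attempt as not matching the header’s format, which is one thing worth checking before looking elsewhere. The sample lines are constructed for the test.

```python
import ipaddress
import re

# Grammar taken from the csf.allow header quoted above: one IP or CIDR per
# line, or an advanced entry of the form  tcp/udp|in/out|s/d=port|s/d=ip
ADVANCED = re.compile(r"^(tcp|udp)\|(in|out)\|([sd])=(\d+)\|([sd])=(\S+)$")

def parse_csf_allow_line(line):
    """Classify one line: ('ip', net), ('rule', dict), ('comment', None)
    or ('error', reason) when it matches neither documented form."""
    entry = line.split("#", 1)[0].strip()        # '# Akismet' etc. is a comment
    if not entry:
        return ("comment", None)
    m = ADVANCED.match(entry)
    if m:
        proto, direction, pkey, port, ikey, ip = m.groups()
        try:
            net = ipaddress.ip_network(ip, strict=False)
        except ValueError:
            return ("error", f"{ip!r} is not an IP address; hostnames are ignored")
        if not 0 < int(port) < 65536:
            return ("error", f"port {port} is out of range")
        return ("rule", {"proto": proto, "dir": direction,
                         pkey + "port": int(port), ikey + "ip": net})
    try:
        return ("ip", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("error", f"{entry!r} is neither IP/CIDR nor proto|dir|port|ip")

def check_csf_allow(text):
    """Validate a whole csf.allow body; returns (lineno, status, detail) tuples."""
    return [(n, *parse_csf_allow_line(l)) for n, l in enumerate(text.splitlines(), 1)]

# Constructed sample covering the two spellings tried in the post above plus
# a hostname, which the header says is silently ignored.
SAMPLE_ALLOW = """# Akismet entries, constructed for this example
192.0.80.244 # Akismet
tcp:out:d=80:d=192.0.80.244 # Akismet
tcp|out|d=80|d=192.0.80.244 # Akismet
akismet.com # Akismet
"""
```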

Apparently I’m not the only one having issues with fail2ban. I just wanted to share this for anyone else struggling with it. CSF is much more than a log parser and interface w/ iptables, easier to set up, and updates more often anyways.
https://configserver.com/cp/csf.html
https://www.ads-software.com/plugins/wp-fail2ban/
I have CSF installed on both of my VPSs, but I have this problem: it is impossible to update the WordPress core or plugins… error “couldn’t connect to host”.
If I deactivate CSF, no problem…
Can you help me?