• Resolved rtnlsltn

    (@rtnlsltn)


    I’m getting a number of emails from my CSF firewall in cPanel for “Suspicious process running under user ____”

    Command Line (often faked in exploits):
    php-fpm: pool website_url

    Files open by the process (if any):
    /dev/null
    /tmp/.ZendSem.NCrsJg (deleted)
    /home/server/public_html/website_url/wp-content/wflogs/ips.php
    /home/server/public_html/website_url/wp-content/wflogs/config.php
    /home/server/public_html/website_url/wp-content/wflogs/attack-data.php
    /home/server/public_html/website_url/wp-content/wflogs/config-synced.php
    /home/server/public_html/website_url/wp-content/wflogs/config-livewaf.php
    /home/server/public_html/website_url/wp-content/wflogs/config-transient.php

    Network connections by the process (if any):
    It’s always from the IPv6 address of the server, with a (seemingly) random port, to a data server in CA at 443.

    The interesting thing is, there are multiple other sites on this same server that are not flagging these emails. Any insight here?

Viewing 1 replies (of 1 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @rtnlsltn

    The CSF (ConfigServer Security & Firewall) software installed on your server is mentioning Wordfence firewall files that are located in the “~/wp-content/wflogs” directory, so this is a false positive and can be ignored.

    Sometimes ConfigServer Security & Firewall will notify you about PHP processes that run longer than a specified time, and considers them to be suspicious.

    You can use the CSF ignore file to ignore the Wordfence files by following the instructions in the link below in section 8 of their documentation:

    https://download.configserver.com/csf/readme.txt

    Alternatively you can ask for assistance for this over at their forum link below:

    https://forum.configserver.com
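    A small triage helper for alerts like the one quoted in the question, added here as an example (it is not part of this thread and not CSF or Wordfence code). It parses the text of a CSF “Suspicious process” alert, lists the open files, and reports whether everything apart from `/dev/null` and the PHP OPcache semaphore file (`/tmp/.ZendSem.*`) sits under a `wp-content/wflogs` directory, which is the Wordfence state the reply above calls a false positive. It also prints a `cmd:` line in the `/etc/csf/csf.pignore` format described in section 8 of the CSF readme; that file format, and the sample alert text itself, are assumptions for this example. The IPv6 addresses in the sample are constructed documentation addresses.

```shell
#!/bin/sh
# Example triage script (not from the forum thread, not CSF/Wordfence code).
# Reads a CSF "Suspicious process" alert body and checks whether its open files
# are only the Wordfence wflogs state files described in the thread.

# Constructed sample alert, modelled on the one quoted in the question.
SAMPLE_ALERT='Command Line (often faked in exploits):
php-fpm: pool website_url

Files open by the process (if any):
/dev/null
/tmp/.ZendSem.NCrsJg (deleted)
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/home/server/public_html/website_url/wp-content/wflogs/config.php

Network connections by the process (if any):
tcp: [2001:db8::10]:51234 -> [2001:db8::1]:443'

# Constructed negative case: one open file outside wflogs (path is made up).
OTHER_ALERT='Command Line (often faked in exploits):
php-fpm: pool website_url

Files open by the process (if any):
/dev/null
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/tmp/example-unexpected.php

Network connections by the process (if any):
tcp: [2001:db8::10]:51235 -> [2001:db8::1]:443'

# Print the line following the "Command Line" header of an alert.
command_line() {
    printf '%s\n' "$1" | awk '/^Command Line/ { getline; print; exit }'
}

# Print every path in the "Files open by the process" section, one per line,
# with any trailing " (deleted)" marker stripped.
open_files() {
    printf '%s\n' "$1" | awk '
        /^Files open by the process/ { inside = 1; next }
        inside && /^[[:space:]]*$/    { inside = 0 }
        inside && /^\//               { sub(/ \(deleted\)$/, ""); print }
    '
}

# Return 0 when every open file, ignoring /dev/null and the PHP OPcache
# semaphore (/tmp/.ZendSem.*), is a file directly under wp-content/wflogs.
# Otherwise print the unexpected paths and return 1 so the alert is reviewed.
wflogs_only() {
    unexpected=$(open_files "$1" \
        | grep -v -e '^/dev/null$' -e '^/tmp/\.ZendSem\.' \
        | grep -v '/wp-content/wflogs/[^/]*$' || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Build a csf.pignore entry for exactly this process command line (assumed
# "cmd:<command line>" format per section 8 of the CSF readme). A broad
# regex such as pcmd:^php-fpm would silence alerts for every pool, so the
# exact pool name is kept on purpose.
pignore_line() {
    printf 'cmd:%s\n' "$(command_line "$1")"
}

# Stand-alone run: classify both constructed alerts.
if [ "${TRIAGE_DEMO:-1}" = "1" ]; then
    for alert in "$SAMPLE_ALERT" "$OTHER_ALERT"; do
        if wflogs_only "$alert" >/dev/null; then
            echo "benign: only Wordfence wflogs files; candidate ignore entry:"
            pignore_line "$alert"
        else
            echo "review: unexpected open files:"
            wflogs_only "$alert"
        fi
    done
fi
```

Run it against the body of a real alert by replacing the constructed `SAMPLE_ALERT` text, and only add the printed `cmd:` line to `csf.pignore` (then restart lfd, per the CSF readme) once the file check has come back clean for that pool.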

  • The topic ‘CSF: Suspicious Process /wflogs/’ is closed to new replies.