xvid (Posted August 30, 2011):

Hi Everyone,

I have whmcs installed on cpanel along with the CSF firewall running on this server. Everything works just fine on the system with the following exception: once a week I receive the following email from the CSF:

lfd on myserver.com: Suspicious process running under user mywhmcsuser
Command Line (often faked in exploits): php -q /home/mywhmcsuser/public_html/pipe/pop.php
Network connections by the process (if any):
tcp: my_server_ip_address:41095 -> yy.yyy.yy.yyy:110
Files open by the process (if any):
/dev/null
/dev/null
/tmp/sess_e1b78de5b6t0933m7261f87c48da5c2fc

Is this normal behavior, or am I missing something here?

othellotech (Posted August 31, 2011):

Yes, it's normal behaviour - in as much as it means you've not configured csf/lfd to ignore valid commands/functions/executables/etc.

Just ask your SysAdmin to sort it.

xvid (Posted August 31, 2011):

Thank you for the answer, othellotech. I am aware of the "exclude process" feature of the Firewall. I still can't explain why such a request is necessary though:

tcp: my_server_ip_address:41095 -> yy.yyy.yy.yyy:110

because pop.php is supposed to be a simple piping script?

othellotech (Posted September 1, 2011):

> tcp: my_server_ip_address:41095 -> yy.yyy.yy.yyy:110
> because pop.php is supposed to be a simple piping script?

No, pipe is a piping script, pop is a mail collector - hence it connecting to the mailserver on 110.
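
An added example, not part of the thread and not WHMCS or CSF code: one way to triage an lfd alert like the one quoted above before adding an ignore rule. It checks that the user, command line and outbound port match the expected mail collector and only then prints a `cmd:` line for CSF's `csf.pignore` file. The IPs in the sample are constructed documentation addresses standing in for the redacted ones, and the function names are hypothetical.

```python
import re

# Constructed sample: the alert body quoted in the thread, with documentation-range
# IPs standing in for the addresses the poster redacted.
SAMPLE_ALERT = """\
lfd on myserver.com: Suspicious process running under user mywhmcsuser
Command Line (often faked in exploits): php -q /home/mywhmcsuser/public_html/pipe/pop.php
Network connections by the process (if any):
tcp: 192.0.2.10:41095 -> 198.51.100.25:110
Files open by the process (if any):
/dev/null
/tmp/sess_e1b78de5b6t0933m7261f87c48da5c2fc
"""

CONN_RE = re.compile(r"^(tcp|udp): \S+:\d+ -> (\S+):(\d+)$", re.M)

def parse_alert(text):
    """Extract user, command line and outbound connections from an lfd alert body."""
    user = re.search(r"running under user (\S+)", text)
    cmd = re.search(r"^Command Line \(often faked in exploits\): (.+)$", text, re.M)
    conns = [(m[1], m[2], int(m[3])) for m in CONN_RE.finditer(text)]
    return {"user": user[1] if user else None,
            "cmd": cmd[1].strip() if cmd else None,
            "conns": conns}

def triage(alert, expected_user, expected_cmd, allowed_ports):
    """Return the reasons the alert does NOT match the expected job (empty = match)."""
    reasons = []
    if alert["user"] != expected_user:
        reasons.append(f"unexpected user: {alert['user']}")
    if alert["cmd"] != expected_cmd:
        reasons.append(f"unexpected command line: {alert['cmd']}")
    for proto, dst, port in alert["conns"]:
        if (proto, port) not in allowed_ports:
            reasons.append(f"unexpected connection: {proto} {dst}:{port}")
    return reasons

def pignore_entry(alert):
    """Build a csf.pignore line that matches this exact command line."""
    return "cmd:" + alert["cmd"]

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    problems = triage(alert, "mywhmcsuser",
                      "php -q /home/mywhmcsuser/public_html/pipe/pop.php",
                      {("tcp", 110)})
    print(problems or pignore_entry(alert))
```

The alert itself warns that the command line is often faked, so the destination port check matters as a second signal: a process claiming to be pop.php but connecting anywhere other than the mail server's POP3 port should be investigated rather than ignored.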