Help Me Understand This "Suspicious Process" (2 posts)

  1. George Appiah
    Member
    Posted 4 years ago

    I moved my site to a new VPS last night, and I woke up this morning to find many (over 100 as of this writing) alerts of "Suspicious Processes" like this:

    lfd on <hostname>: Suspicious process running under user <username>

    Executable:

    /usr/local/lsws/fcgi-bin/lsphp-5.2.13

    Command Line (often faked in exploits):

    lsphp5:/home/tgj/public_html/xmlrpc.php

    Network connections by the process (if any):

    tcp: <server_IP>:<different_port_for_each_alert> -> <different_IP_for_each_alert>:80

    Files open by the process (if any):

    (deleted) /tmp/ZCUDcxZRG2

    Memory maps by the process (if any):

    (several lines of text follow)

    In each one of these alerts the local port is different, and the remote IP is also different (some of these are: 206.214.221.177, 74.53.137.66, 174.132.156.252, 66.96.147.110).

    Does anyone know what this is about?

    I've just contacted my host, but since the common file in all these alerts (xmlrpc.php) is a WordPress file, I'm posting it here too to see if anyone knows anything about this.

    Thanks.

    P.S.: The site is currently running WP Version 2.8.4. The upgrade is scheduled for this weekend -- a plugin which the site is heavily dependent on is broken under 2.9, and I'm getting a fix delivered this weekend. Also, the VPS runs LiteSpeed instead of Apache.

  2. mrmist
    Forum Janitor
    Posted 4 years ago

    Not sure on your question, but if you don't use the publishing API you can delete the xmlrpc file.
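A defender-side triage script, added here as an example and not part of this thread or of lfd itself, that parses a batch of lfd "Suspicious process" alerts in the format quoted in the first post and reports what they have in common: the script path behind the faked-looking command line, the set of remote IPs contacted, and how many processes held an already-deleted /tmp file open. The alert text, hostname, user name, ports, temp-file names and IPs below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed alert text mirroring the lfd format quoted in the post (TEST-NET IPs).
TEMPLATE = """lfd on host.example: Suspicious process running under user tgj
Executable:
/usr/local/lsws/fcgi-bin/lsphp-5.2.13
Command Line (often faked in exploits):
lsphp5:/home/tgj/public_html/xmlrpc.php
Network connections by the process (if any):
tcp: 192.0.2.10:{lport} -> {rip}:80
Files open by the process (if any):
(deleted) /tmp/{tmp}
"""
SAMPLE_ALERTS = [TEMPLATE.format(lport=p, rip=ip, tmp=t) for p, ip, t in
                 [(48211, "198.51.100.7", "ZCUDcxZRG2"),
                  (48377, "203.0.113.9", "qQ7xBhJ1kT")]]

# lfd section headers act as delimiters; the capturing group keeps their names.
SECTION_RE = re.compile(r"^(Executable|Command Line \(often faked in exploits\)|"
                        r"Network connections by the process \(if any\)|"
                        r"Files open by the process \(if any\)|"
                        r"Memory maps by the process \(if any\)):$", re.M)
CONN_RE = re.compile(r"^(tcp|udp): (\S+):(\d+) -> (\S+):(\d+)$", re.M)

def parse_alert(text):
    """Extract user, executable, script path, remote endpoints and deleted /tmp files."""
    head, *rest = SECTION_RE.split(text)
    sec = dict(zip(rest[0::2], (body.strip() for body in rest[1::2])))
    cmd = sec.get("Command Line (often faked in exploits)", "")
    conns = CONN_RE.findall(sec.get("Network connections by the process (if any)", ""))
    files = sec.get("Files open by the process (if any)", "").splitlines()
    return {"user": re.search(r"running under user (\S+)", head).group(1),
            "executable": sec.get("Executable", ""),
            "script": cmd.split(":", 1)[-1],          # drop the "lsphp5:" prefix
            "remote": [(rip, int(rport)) for _, _, _, rip, rport in conns],
            "deleted_tmp": [f for f in files if f.startswith("(deleted) /tmp/")]}

def triage(alert_texts):
    """Summarise a batch: common script, distinct remote IPs, deleted-temp-file count."""
    alerts = [parse_alert(t) for t in alert_texts]
    return {"alerts": len(alerts),
            "scripts": Counter(a["script"] for a in alerts),
            "remote_ips": sorted({ip for a in alerts for ip, _ in a["remote"]}),
            "deleted_tmp_files": sum(len(a["deleted_tmp"]) for a in alerts)}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Feed it the bodies of the real alert e-mails and the `scripts` counter tells you at a glance whether every flagged process traces back to the same PHP file, as it did in this thread.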

This topic has been closed to new replies.