Support » Plugin: Wordfence Security » CSF LFD says WordFence is a Suspicious Process

  • LordLiverpool

    (@lordliverpool)


    Hello WordFence

    A week ago I installed CSF on my VPS and I turned on LFD.

    Since then I’ve had over 1200 emails from LFD saying WordFence is a suspicious process.

    Is this a false positive? It would be ironic if WordFence was infected and I find that hard to believe.

    Is there some sort of conflict between WordFence and LFD or is it because WordFence sends data to its own server that’s causing the problem?

    Is there a fix to this?

    I posted on the CSF Forum but they never replied, so I thought I would ask you instead.

    I’d be grateful for any help.

    Thanks.

    Here is the message I’m receiving:

    
    Time:    Tue May  9 13:20:01 2017 +0100
    PID:     29293 (Parent PID:27098)
    Account: admin
    Uptime:  81 seconds
    
    Executable:
    
    /opt/cpanel/ea-php56/root/usr/bin/php-cgi
    
    Command Line (often faked in exploits):
    
    /opt/cpanel/ea-php56/root/usr/bin/php-cgi
    
    Network connections by the process (if any):
    
    tcp: 123.123.123.123:38428 -> 123.123.123.123:80
    
    Files open by the process (if any):
    
    /var/log/apache2/error_log
    /tmp/.ZendSem.80xPEq (deleted)
    /dev/urandom
    /home/admin/public_html/wp-content/wflogs/ips.php
    /home/admin/public_html/wp-content/wflogs/config.php
    /home/admin/public_html/wp-content/wflogs/attack-data.php
    
Viewing 1 replies (of 1 total)
  • Plugin Support wfyann

    (@wfyann)

    Hi @lordliverpool,

    It seems that what’s being reported as suspicious here is the php-cgi process itself:

    lfd on mail.myserver.tld: Suspicious process running under user myusername

    The files are listed because they are being opened by that process.

    If you (or your hosting provider) have configured Apache to hand PHP scripts to the CGI process then it’s normal to see php-cgi processes running under the web server user.

    I’m not sure why such a process is being reported as suspicious in this case. It could be the uptime (too long) or the port redirection (tcp: 123.123.123.123:39126 -> 123.123.123.123:80).

    By all means, please check with the LFD support/community before white-listing the process via the csf.pignore file.
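    An added example, not code from the thread, from Wordfence or from CSF: a small Python parser for the LFD alert format quoted above, plus a triage check that separates an alert consistent with php-cgi serving Wordfence (expected executable, command line matching it, wflogs files open) from one that needs a closer look. The `triage` checks and the `expected_exe` argument are my own construction, not anything LFD provides.

```python
# Constructed sample in the shape of the alert quoted above (blank lines omitted).
SAMPLE_ALERT = """\
PID:     29293 (Parent PID:27098)
Account: admin
Executable:
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line (often faked in exploits):
/opt/cpanel/ea-php56/root/usr/bin/php-cgi
Network connections by the process (if any):
tcp: 123.123.123.123:38428 -> 123.123.123.123:80
Files open by the process (if any):
/var/log/apache2/error_log
/home/admin/public_html/wp-content/wflogs/ips.php
/home/admin/public_html/wp-content/wflogs/attack-data.php
"""

SECTIONS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "cmdline",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "files",
}

def parse_lfd_alert(text):
    """Parse one LFD 'Suspicious process' alert into header fields plus sections."""
    alert, section = {"connections": [], "files": []}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in SECTIONS:
            section = SECTIONS[line]
        elif section is None:                 # header line: "Key: value"
            key, _, value = line.partition(":")
            alert[key.strip().lower()] = value.strip()
        elif section in ("connections", "files"):
            alert[section].append(line)
        else:                                 # executable / cmdline: one line
            alert[section] = line
    return alert

def triage(alert, expected_exe):
    """Return (looks_benign, notes); benign only when all three checks pass."""
    notes = []
    if alert.get("executable") != expected_exe:
        notes.append("executable is not the expected php-cgi path")
    if alert.get("cmdline") != alert.get("executable"):
        notes.append("command line differs from executable (LFD warns it is often faked)")
    wflogs = [f for f in alert["files"] if "/wp-content/wflogs/" in f]
    if not wflogs:
        notes.append("no Wordfence wflogs files open, so this is not the plugin at work")
    return (not notes, notes)
```

Run over a mailbox of these alerts, a non-empty `notes` list is what to read first; an empty one across 1200 emails supports the false-positive reading before touching csf.pignore.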
