I moved my site to a new VPS last night, and I woke up this morning to find many (over 100 as of this writing) alerts of "Suspicious Processes" like this:
lfd on <hostname>: Suspicious process running under user <username>
Command Line (often faked in exploits):
Network connections by the process (if any):
tcp: <server_IP>:<different_port_for_each_alert> -> <different_IP_for_each_alert>:80
Files open by the process (if any):
Memory maps by the process (if any):
(several lines of text follows)
In each one of these alerts the local port is different, and the remote IP is also different (some of these are: 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52)
Anyone knows what this is about?
I've just contacted my host, but since the common file in all these alerts (xmlrpc.php) is a WordPress file, I'm posting it here too to see if anyone knows anything about this.
P.S.: The site is currently running WP Version 2.8.4. Upgrade is scheduled for this weekend -- a plugin which the site is heavily dependent on is broken under 2.9, and I'm getting a fix delivered this weekend. Also the VPS runs LiteSpeed instead of Apache.