Help Me Understand This “Suspicious Process”

  • I moved my site to a new VPS last night, and I woke up this morning to find many (over 100 as of this writing) alerts of “Suspicious Processes” like this:

    lfd on <hostname>: Suspicious process running under user <username>



    Command Line (often faked in exploits):


    Network connections by the process (if any):

    tcp: <server_IP>:<different_port_for_each_alert> -> <different_IP_for_each_alert>:80

    Files open by the process (if any):

    (deleted) /tmp/ZCUDcxZRG2
    Memory maps by the process (if any):

    (several lines of text follows)

    In each one of these alerts the local port is different, and the remote IP is also different (some of these are:,,,

    Does anyone know what this is about?

    I’ve just contacted my host, but since the common file in all these alerts (xmlrpc.php) is a WordPress file, I’m posting it here too to see if anyone knows anything about this.


    P.S.: The site is currently running WP Version 2.8.4. Upgrade is scheduled for this weekend — a plugin which the site is heavily dependent on is broken under 2.9, and I’m getting a fix delivered this weekend. Also the VPS runs LiteSpeed instead of Apache.
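
With over 100 alerts of this kind, aggregating them shows which fields vary from alert to alert and which stay constant. The Python script below is an added example, not part of the original post and not lfd's own code; it relies only on the line shapes visible in the quoted alert, and the sample alerts (the hypothetical `make_alert` helper, with addresses from documentation ranges) are constructed.

```python
import re
from collections import Counter

# Line shapes copied from the alert quoted in the post; nothing else about the
# lfd e-mail format is assumed.
CONN_RE = re.compile(r"^\s*(tcp|udp): (\S+):(\d+) -> (\S+):(\d+)\s*$", re.M)
DELETED_RE = re.compile(r"^\s*\(deleted\) (\S+)\s*$", re.M)

def parse_alert(text):
    """Return the connections and deleted-but-open files listed in one alert."""
    conns = [
        {"proto": p, "local": (lip, int(lport)), "remote": (rip, int(rport))}
        for p, lip, lport, rip, rport in CONN_RE.findall(text)
    ]
    return {"connections": conns, "deleted_files": DELETED_RE.findall(text)}

def summarize(alerts):
    """Aggregate many alerts so the shared and the varying parts stand out."""
    remote_hosts, remote_ports, local_ports, files = (Counter() for _ in range(4))
    for alert in map(parse_alert, alerts):
        for c in alert["connections"]:
            remote_hosts[c["remote"][0]] += 1
            remote_ports[c["remote"][1]] += 1
            local_ports[c["local"][1]] += 1
        files.update(set(alert["deleted_files"]))
    return {
        "alerts": len(alerts),
        "distinct_remote_hosts": len(remote_hosts),
        "remote_ports": dict(remote_ports),
        "distinct_local_ports": len(local_ports),
        # A file that is open in every alert is the common thread to investigate.
        "files_in_every_alert": sorted(f for f, n in files.items() if n == len(alerts)),
    }

def make_alert(local_port, remote_ip):
    """Constructed sample alert body (hypothetical helper, documentation-range IPs)."""
    return (
        "Network connections by the process (if any):\n\n"
        f"tcp: 192.0.2.10:{local_port} -> {remote_ip}:80\n\n"
        "Files open by the process (if any):\n\n"
        "(deleted) /tmp/ZCUDcxZRG2\n"
    )

SAMPLE = [make_alert(41822, "198.51.100.7"), make_alert(41950, "203.0.113.45"),
          make_alert(42011, "198.51.100.200")]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
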

  • mrmist


    Forum Janitor

    Not sure on your question, but if you don’t use the publishing API you can delete the xmlrpc file.
