Suspicious process on cPanel

Time: 2015-10-24 08:05:25

Tags: centos cpanel

I found malware on my server and managed to clean it; maldet no longer reports any malware. Some websites load very slowly (mainly WordPress sites), even though I cleaned them and made sure there are no infected files there.

I keep finding these errors in the error log, as well as some other errors in exim about someone trying to send email from my server. How do I fix this?

 Oct 24 00:59:15 leadhero lfd[13172]: *Suspicious Process* PID:12874 PPID:12841 User:herolead Uptime:98 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13011 PPID:9993 User:herolead Uptime:112 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13012 PPID:12075 User:herolead Uptime:110 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13017 PPID:9994 User:herolead Uptime:108 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13018 PPID:2081 User:herolead Uptime:108 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13079 PPID:13016 User:herolead Uptime:91 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:00:16 leadhero lfd[13411]: *Suspicious Process* PID:13102 PPID:12143 User:herolead Uptime:82 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:01:15 leadhero lfd[13636]: *Suspicious Process* PID:13213 PPID:12843 User:herolead Uptime:110 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:02:15 leadhero lfd[13791]: *Suspicious Process* PID:13489 PPID:13111 User:herolead Uptime:110 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:03:15 leadhero lfd[13958]: *Suspicious Process* PID:13655 PPID:13390 User:herolead Uptime:111 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
 Oct 24 01:04:15 leadhero lfd[14105]: *Suspicious Process* PID:13832 PPID:12841 User:herolead Uptime:111 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php

2 answers:

Answer 0 (score: -1)

The warnings above are part of the false positives. If there is no suspicious code in those files, you need not worry. If you are getting relay alerts from remote IPs, adjust the server settings to allow relaying only from the server itself. You should only make this change if you know what you are doing; if you configure it the wrong way, it may break your email scripts. Better still, you should buy a managed VPS or hire an expert to do it for you.

Answer 1 (score: -1)

In the previous answer I talked about false positives. That is true, but you have gone off track. For your information, these are using the CSF firewall, and it is not configured correctly. It is desirable that we understand how it works, because it is easy to just remove the alerts, but that is not the point. You must edit the file /etc/csf/csf.conf (you can also do this from WHM). You must edit the variable PT_LIMIT

 # Process Tracking. This option enables tracking of user and nobody  processes
 # and examines them for suspicious executables or open network ports. Its
 # purpose is to identify potential exploit processes that are running on the
 # server, even if they are obfuscated to appear as system services. If a
 # suspicious process is found an alert email is sent with relevant information.
 # It is then the responsibility of the recipient to investigate the process
 # further as the script takes no further action
 #
 # The following is the number of seconds a process has to be active before it
 # is inspected. If you set this time too low, then you will likely trigger
 # false-positives with CGI or PHP scripts.
 # Set the value to 0 to disable this feature

A good value is PT_LIMIT = 180. If you do not want emails for this, set it to 0.

You can also choose users to ignore for this directive. You must read about /etc/csf/csf.pignore
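Added example (my own code, not from either answer and not part of CSF): a small triage script for the lfd "*Suspicious Process*" lines quoted in the question. It parses the alert format, counts alerts per user and command line so a single noisy script stands out, and then shows which alerts would still be raised under a given PT_LIMIT and a csf.pignore-style ignore list (exe:/user:/cmd: exact matches and pexe:/puser:/pcmd: regexes, the forms documented in that file). Assumptions: the sample log uses four lines from the question plus one constructed perl line for contrast; the comparison "uptime >= PT_LIMIT" is my approximation of lfd's check, not taken from its source.

```python
"""Triage lfd '*Suspicious Process*' alerts (added example, not lfd/CSF code)."""
import re
from collections import Counter

# Constructed sample: four lines from the question plus one invented
# non-web process (the /tmp perl line is hypothetical, for contrast).
SAMPLE_LOG = """\
Oct 24 00:59:15 leadhero lfd[13172]: *Suspicious Process* PID:12874 PPID:12841 User:herolead Uptime:98 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13011 PPID:9993 User:herolead Uptime:112 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
Oct 24 01:00:15 leadhero lfd[13411]: *Suspicious Process* PID:13012 PPID:12075 User:herolead Uptime:110 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
Oct 24 01:00:16 leadhero lfd[13411]: *Suspicious Process* PID:13102 PPID:12143 User:herolead Uptime:82 secs EXE:/usr/bin/php CMD:/usr/bin/php /home/herolead/public_html/thailand/index.php
Oct 24 01:05:15 leadhero lfd[14200]: *Suspicious Process* PID:14100 PPID:1 User:nobody Uptime:240 secs EXE:/usr/bin/perl CMD:/usr/bin/perl /tmp/.x/run.pl
"""

# Field layout as it appears in the question's log lines.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) lfd\[(?P<lfdpid>\d+)\]: "
    r"\*Suspicious Process\* PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) "
    r"User:(?P<user>\S+) Uptime:(?P<uptime>\d+) secs "
    r"EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$"
)


def parse_alerts(text):
    """Return one dict per Suspicious Process line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("lfdpid", "pid", "ppid", "uptime"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def group_alerts(alerts):
    """Count alerts per (user, cmd): one script firing repeatedly is the usual culprit."""
    return Counter((a["user"], a["cmd"]) for a in alerts)


def parse_pignore(text):
    """Parse csf.pignore-style lines. exe:/user:/cmd: match exactly,
    pexe:/puser:/pcmd: are regexes. Comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(":")
        rules.append((kind, value))
    return rules


_FIELD = {"exe": "exe", "user": "user", "cmd": "cmd",
          "pexe": "exe", "puser": "user", "pcmd": "cmd"}


def is_ignored(alert, rules):
    """True if any pignore rule matches this alert."""
    for kind, value in rules:
        field = _FIELD.get(kind)
        if field is None:
            continue
        if kind.startswith("p"):
            if re.search(value, alert[field]):
                return True
        elif alert[field] == value:
            return True
    return False


def would_fire(alerts, pt_limit, rules=()):
    """Alerts that would still be raised with PT_LIMIT=pt_limit and the given rules.
    PT_LIMIT=0 disables process tracking entirely, as csf.conf documents.
    Assumption: a process is inspected once its uptime reaches PT_LIMIT seconds."""
    if pt_limit == 0:
        return []
    return [a for a in alerts
            if a["uptime"] >= pt_limit and not is_ignored(a, rules)]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for (user, cmd), n in group_alerts(alerts).most_common():
        print(f"{n:3d}  {user}  {cmd}")
    for limit in (60, 180):
        pids = [a["pid"] for a in would_fire(alerts, limit)]
        print(f"PT_LIMIT={limit}: {len(pids)} alert(s) still fire, PIDs {pids}")
```

Running it on the sample shows why answer 1's suggestion works: every PHP alert in the question has an uptime between 82 and 112 seconds, so raising PT_LIMIT to 180 silences them, while the long-running /tmp process in the constructed line would still be reported. That is the caveat with the "set it to 180" fix: it hides short-lived web scripts, legitimate or not, rather than telling you whether thailand/index.php is clean.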