CSF/LFD - Suspicious processes when running nginx+php5-fpm+ Mysql

Question

I am running LFD/CSF on three servers and on all servers I have the same problem since the first day when I set-up the server and installed LFD/CSF.

I have nginx + php5-fpm + MySQL installed and lfd.log file is full of warnings:

Jan  3 00:21:57 pro1646 lfd[31599]: *Suspicious Process* PID:30238 User:www-data Uptime:7300 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
Jan  3 03:21:01 pro1646 lfd[833]: *Suspicious Process* PID:1296 User:mysql Uptime:18814003 secs EXE:/usr/sbin/mysqld CMD:/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/$
Jan  3 03:21:01 pro1646 lfd[833]: *Suspicious Process* PID:25999 User:www-data Uptime:7237713 secs EXE:/usr/sbin/nginx CMD:nginx: worker process

How do I get rid of these warnings? I want to get important warnings to my email address but it's not possible because emails are coming non-stop...

Thanks.

Answer 1

It's necessary to add the following lines to the /etc/csf/csf.pignore file.

exe:/usr/sbin/php5-fpm
exe:/usr/sbin/nginx
exe:/usr/sbin/mysqld

Answer 2

I had added php-fpm to the csf.pignore list but later removed it. What happened was that I ignored the warnings and finally ended up in the http server being in an inaccessible state. I found nginx errors like:

2017/06/26 09:39:13 [alert] 12926#0: *110350 open socket #10 left in connection 4
2017/06/26 09:39:13 [alert] 12926#0: *110342 open socket #103 left in connection 7
2017/06/26 09:39:13 [alert] 12926#0: *110352 open socket #6 left in connection 8
2017/06/26 09:39:13 [alert] 12926#0: *110346 open socket #109 left in connection 9

These seemed to be due to a very, very bad Wordpress installation by a group of digital agency morons. I had to restart php-fpm to make sites work again. Before restarting I could see one instance of php-fpm owned by the very customer.

Having little (=no) interest in trying to repair the WP installation I will move that site to a cheapie server.