
I have csf installed on a Debian server which uses nginx+php5-fpm and I see a lot of these

lfd[23293]: Suspicious Process PID:16998 PPID:16122 User:www-data Uptime:824 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
lfd[23293]: Suspicious Process PID:17053 PPID:16122 User:www-data Uptime:822 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
lfd[23293]: Suspicious Process PID:17113 PPID:16122 User:www-data Uptime:818 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
lfd[23293]: Suspicious Process PID:17114 PPID:16122 User:www-data Uptime:818 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www

in /var/log/lfd.log. Meanwhile the server load is strangely high (+100) and lfd frequently bounces to the top of the CPU usage list. I am wondering whether this signals some attack vector and, if so, how to counter it?

alfish

2 Answers

While your suspicion can be legitimately addressed on this site, the solution to your problem is more suited for SuperUser, or, better, ServerFault.

Usually, this is nothing to worry about; nobody is attacking you. This is a typical ConfigServer Security Firewall lfd false positive. With each connection, a new php5-fpm instance is spawned, which is why you're seeing so many entries.

To solve this, just add exe:/usr/sbin/php5-fpm to your /etc/csf/csf.pignore.

Adi

I traditionally add these lines to the /etc/csf/csf.pignore file of every server I set up:

# sineld
exe:/usr/sbin/php5-fpm
exe:/usr/sbin/nginx
exe:/usr/sbin/mysqld
exe:/usr/bin/redis-server
exe:/sbin/rpcbind
exe:/usr/sbin/dnsmasq
exe:/sbin/rpc.statd
Sinan Eldem
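A small parser, added here as an example and not part of either answer, that groups "Suspicious Process" entries in the format quoted in the question by EXE and checks them against the exe: rules in csf.pignore, so you can see which hits a rule already silences, which do not, and which are running from a directory a service binary normally would not. The sample log and pignore content are constructed, and the list of unusual directories is this example's own heuristic, not an lfd setting.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the question; the /tmp entry is
# made up to show a hit that a pignore rule should not silence.
SAMPLE_LOG = """\
lfd[23293]: Suspicious Process PID:16998 PPID:16122 User:www-data Uptime:824 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
lfd[23293]: Suspicious Process PID:17053 PPID:16122 User:www-data Uptime:822 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
lfd[23293]: Suspicious Process PID:17113 PPID:16122 User:www-data Uptime:818 secs EXE:/usr/sbin/nginx CMD:nginx: worker process
lfd[23293]: Suspicious Process PID:17200 PPID:1 User:www-data Uptime:30 secs EXE:/tmp/.cache/x CMD:./x
lfd[23293]: Restarting csf (unrelated line, skipped by the parser)
"""
# Constructed csf.pignore content; only exe: entries are handled here.
SAMPLE_PIGNORE = "# sample\nexe:/usr/sbin/php5-fpm\nexe:/usr/sbin/nginx\n"

LINE_RE = re.compile(
    r"Suspicious Process PID:(?P<pid>\d+) PPID:(?P<ppid>\d+) User:(?P<user>\S+) "
    r"Uptime:(?P<uptime>\d+) secs EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$"
)
# Directories a long-running service binary is not normally run from;
# an assumption of this example, not an lfd setting.
UNUSUAL_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def parse_pignore(text):
    """Return the set of paths listed as exe: entries (comments/blanks skipped)."""
    exes = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("exe:"):
            exes.add(line[4:].strip())
    return exes

def summarize(log_text, pignore_text):
    """Group Suspicious Process hits by EXE: covered by pignore, not covered,
    and (regardless of pignore) running from an unusual directory."""
    ignored = parse_pignore(pignore_text)
    covered, uncovered, review = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a process-tracking entry
        exe = m["exe"]
        (covered if exe in ignored else uncovered)[exe] += 1
        if exe.startswith(UNUSUAL_DIRS):
            review.append((int(m["pid"]), m["user"], exe, m["cmd"]))
    return {"covered": dict(covered), "uncovered": dict(uncovered), "review": review}
```

Run it over the real /var/log/lfd.log and /etc/csf/csf.pignore on the server; a large "covered" count is the false positive the answers describe, while anything under "review" deserves a look before adding a rule for it.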