Ping a Specific Port

Question

user1821484

Asked: 2013-01-21 07:29:39 +0800 CST2013-01-21 07:29:39 +0800 CST 2013-01-21 07:29:39 +0800 CST

CSF/LFD - Suspicious processes when running nginx+php5-fpm+ Mysql

772

I am running LFD/CSF on three servers and on all servers I have the same problem since the first day when I set-up the server and installed LFD/CSF.

I have nginx + php5-fpm + MySQL installed and lfd.log file is full of warnings:

Jan  3 00:21:57 pro1646 lfd[31599]: *Suspicious Process* PID:30238 User:www-data Uptime:7300 secs EXE:/usr/sbin/php5-fpm CMD:php-fpm: pool www
Jan  3 03:21:01 pro1646 lfd[833]: *Suspicious Process* PID:1296 User:mysql Uptime:18814003 secs EXE:/usr/sbin/mysqld CMD:/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/$
Jan  3 03:21:01 pro1646 lfd[833]: *Suspicious Process* PID:25999 User:www-data Uptime:7237713 secs EXE:/usr/sbin/nginx CMD:nginx: worker process

How do I get rid of these warnings? I want to get important warnings to my email address but it's not possible because emails are coming non-stop...

Thanks.

2 Answers

Voted

user1821484 · Answer 1 · 2013-01-21T12:00:35+08:00

user1821484

2013-01-21T12:00:35+08:002013-01-21T12:00:35+08:00

It's necessary to add the following lines to the /etc/csf/csf.pignore file.

exe:/usr/sbin/php5-fpm
exe:/usr/sbin/nginx
exe:/usr/sbin/mysqld

6

karvonen · Answer 2 · 2017-06-27T02:36:49+08:00

karvonen

2017-06-27T02:36:49+08:002017-06-27T02:36:49+08:00

I had added php-fpm to the csf.pignore list but later removed it. What happened was that I ignored the warnings and finally ended up in the http server being in an inaccessible state. I found nginx errors like:

2017/06/26 09:39:13 [alert] 12926#0: *110350 open socket #10 left in connection 4
2017/06/26 09:39:13 [alert] 12926#0: *110342 open socket #103 left in connection 7
2017/06/26 09:39:13 [alert] 12926#0: *110352 open socket #6 left in connection 8
2017/06/26 09:39:13 [alert] 12926#0: *110346 open socket #109 left in connection 9

These seemed to be due to a very, very bad Wordpress installation by a group of digital agency morons. I had to restart php-fpm to make sites work again. Before restarting I could see one instance of php-fpm owned by the very customer.

Having little (=no) interest in trying to repair the WP installation I will move that site to a cheapie server.

0

CSF/LFD - Suspicious processes when running nginx+php5-fpm+ Mysql

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?