Trying to ignore a Perl script, but still getting alerts

Posted: 12 Dec 2023, 20:28
by GoWilkes
I've been getting a ton of "suspicious process" alerts lately about a Perl script that hasn't been modified since 2020. So I'm pretty sure these are false alerts.

The email says:
Time: Tue Dec 12 15:18:14 2023 -0500
PID: 19935 (Parent PID:23922)
Account: nobody
Uptime: 99 seconds


Executable:

/usr/bin/perl


Command Line (often faked in exploits):

/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi
So I added this to csf.pignore via WHM, and of course let WHM restart lfd:

pexe:/home/example/public_html/cgi-bin/cart\.cgi
I'm still getting emailed alerts on it, though.

The code looks right to me, so what have I done wrong?

Re: Trying to ignore a Perl script, but still getting alerts

Posted: 13 Dec 2023, 03:36
by Sergio
Try this instead:

 cmd:/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi
Sergio
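
Why the first rule never fired and the second one did, as an added example that is not part of the original thread and is not lfd's own code: a simplified model of csf.pignore matching in which exe:/pexe: rules are compared with the executable path, cmd:/pcmd: with the command line, and user:/puser: with the account. The function names and the whole-string anchoring of the p-prefixed regex rules are assumptions; the process values are the ones from the alert above.

```python
import re

# Which process attribute each csf.pignore rule type is compared against.
FIELD = {"exe": "exe", "pexe": "exe",
         "cmd": "cmd", "pcmd": "cmd",
         "user": "user", "puser": "user"}

def rule_matches(rule, exe, cmd, user):
    """Return True if one csf.pignore line would ignore this process.

    Simplified model: plain rules are exact string matches, p-prefixed
    rules are regexes that must match the whole value (assumption).
    """
    kind, _, value = rule.strip().partition(":")
    if kind not in FIELD:
        raise ValueError(f"unknown rule type: {kind!r}")
    target = {"exe": exe, "cmd": cmd, "user": user}[FIELD[kind]]
    if kind.startswith("p"):
        return re.fullmatch(value, target) is not None
    return value == target

def evaluate(rules, exe, cmd, user):
    """Map each rule to whether it matches the given process."""
    return {rule: rule_matches(rule, exe, cmd, user) for rule in rules}

# Process attributes as reported in the alert e-mail in this thread.
EXE = "/usr/bin/perl"
CMD = "/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi"
USER = "nobody"

# First rule: the original attempt. Second: the rule suggested in the reply.
PEXE_RULE = r"pexe:/home/example/public_html/cgi-bin/cart\.cgi"
CMD_RULE = "cmd:/usr/bin/perl /home/example/public_html/cgi-bin/cart.cgi"
# Constructed for comparison: regex form of the cmd: rule, and an exe: rule
# that matches but would also ignore every other process run by this Perl.
PCMD_RULE = r"pcmd:/usr/bin/perl /home/example/public_html/cgi-bin/cart\.cgi"
EXE_RULE = "exe:/usr/bin/perl"

if __name__ == "__main__":
    rules = [PEXE_RULE, CMD_RULE, PCMD_RULE, EXE_RULE]
    for rule, hit in evaluate(rules, EXE, CMD, USER).items():
        print(f"{'ignored ' if hit else 'ALERT   '} {rule}")
    # Same command line, different binary (constructed path): in this model
    # the cmd: rule still matches, because it never looks at the executable.
    print(rule_matches(CMD_RULE, "/tmp/constructed-binary", CMD, USER))
```

The pexe: rule is tested against `/usr/bin/perl`, the interpreter, so a pattern naming the script path cannot match. In this model a cmd: rule keys only on the command line, the field the alert itself labels "often faked in exploits", so it is worth keeping such rules as narrow as possible.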

Re: Trying to ignore a Perl script, but still getting alerts

Posted: 13 Dec 2023, 21:17
by GoWilkes
That worked, thanks :-)

Re: Trying to ignore a Perl script, but still getting alerts

Posted: 14 Dec 2023, 02:26
by Sergio
Great to know it worked for you. You're welcome.