Suspicious Process /wflogs/

Posted: 13 Feb 2024, 01:41
by DatFrog
I’m getting a number of emails from CSF for “Suspicious process running under user ____” for Wordfence logs.

Command Line (often faked in exploits):
php-fpm: pool website_url

Files open by the process (if any):
/dev/null
/tmp/.ZendSem.NCrsJg (deleted)
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/home/server/public_html/website_url/wp-content/wflogs/config.php
/home/server/public_html/website_url/wp-content/wflogs/attack-data.php
/home/server/public_html/website_url/wp-content/wflogs/config-synced.php
/home/server/public_html/website_url/wp-content/wflogs/config-livewaf.php
/home/server/public_html/website_url/wp-content/wflogs/config-transient.php

Network connections by the process (if any):
It’s always from the IPv6 address of the server, with a (seemingly) random port, to a data server in CA at 443. I posted this same question on the Wordfence support board and they basically blew me off.

The interesting thing is, there are multiple other sites on this same server that are not flagging these emails. Any insight here?
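A small triage helper for alerts of this shape, added here as an example; it is not part of the original post and is not code from CSF or Wordfence. It parses the alert body into command line, open files and connections, then sorts the open files into buckets: files under wp-content/wflogs (where the Wordfence WAF keeps its config and attack data), a known-benign pattern for the Zend OPcache lock file (created and immediately unlinked, so it always appears as "(deleted)"), any other deleted file, and anything outside the site's document root. The sample alert and the network-connection line are constructed to mirror the post; the document root, the benign-pattern list and the `needs_review` rule are assumptions to adjust per server. Because the command line can be faked, `real_executable()` reads what the kernel reports via /proc rather than trusting argv.

```python
"""Triage helper for CSF/lfd "Suspicious process" alerts (added example)."""
import os
import re
from collections import defaultdict

# Constructed sample shaped like the alert quoted in the post above; the
# network line is an assumed format, not copied from a real CSF email.
SAMPLE_ALERT = """\
Command Line (often faked in exploits):
php-fpm: pool website_url

Files open by the process (if any):
/dev/null
/tmp/.ZendSem.NCrsJg (deleted)
/home/server/public_html/website_url/wp-content/wflogs/ips.php
/home/server/public_html/website_url/wp-content/wflogs/config.php
/home/server/public_html/website_url/wp-content/wflogs/attack-data.php

Network connections by the process (if any):
tcp6: [2001:db8::10]:51234 -> [2001:db8::20]:443
"""

IGNORED_FILES = {"/dev/null"}
# Assumed benign patterns: Zend OPcache's lock file is created and unlinked
# at startup, so php-fpm always shows it as an open, deleted file.
KNOWN_BENIGN = [re.compile(r"^/tmp/\.ZendSem\.[A-Za-z0-9]+$")]


def parse_alert(text):
    """Split an alert body into command line, open files and connections."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Command Line"):
            current = "cmdline"
        elif line.startswith("Files open"):
            current = "files"
        elif line.startswith("Network connections"):
            current = "connections"
        elif current:
            sections[current].append(line)
    files = []
    for entry in sections["files"]:
        deleted = entry.endswith("(deleted)")
        path = entry[: -len("(deleted)")].strip() if deleted else entry
        files.append((path, deleted))
    return {
        "cmdline": " ".join(sections["cmdline"]),
        "files": files,
        "connections": sections["connections"],
    }


def classify_files(files, docroot):
    """Bucket open files relative to the site's document root (assumed path)."""
    docroot = docroot.rstrip("/")
    wflogs = f"{docroot}/wp-content/wflogs/"
    result = {"expected": [], "benign": [], "deleted": [], "in_docroot": [], "outside": []}
    for path, deleted in files:
        if path in IGNORED_FILES:
            continue
        if any(p.match(path) for p in KNOWN_BENIGN):
            result["benign"].append(path)
        elif deleted:
            # An unexplained deleted-but-open file is a classic sign of a
            # dropped binary or script removed after launch.
            result["deleted"].append(path)
        elif path.startswith(wflogs):
            result["expected"].append(path)
        elif path.startswith(docroot + "/"):
            result["in_docroot"].append(path)
        else:
            result["outside"].append(path)
    return result


def triage(text, docroot):
    """Parse and classify one alert; needs_review is a heuristic, not a verdict."""
    parsed = parse_alert(text)
    report = classify_files(parsed["files"], docroot)
    report["cmdline"] = parsed["cmdline"]
    report["connections"] = parsed["connections"]
    report["needs_review"] = bool(report["deleted"] or report["outside"])
    return report


def real_executable(pid):
    """Resolve the binary the kernel is actually running (Linux only),
    independent of the argv string that the alert warns is often faked."""
    return os.readlink(f"/proc/{pid}/exe")


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, "/home/server/public_html/website_url").items():
        print(f"{key}: {value}")
```

Run `triage()` on the saved alert body with the site's real document root; anything landing in `deleted` or `outside` is where to look first, and comparing `real_executable(pid)` against the package-owned php-fpm path closes the "faked command line" question that the alert itself cannot answer.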