Ignore a Suspicious Process/TCP Connection

osmanbsd
Junior Member
Posts: 2
Joined: 11 Mar 2013, 12:59

Ignore a Suspicious Process/TCP Connection

Post by osmanbsd »

Hi Everyone,

First of all thanks a lot for this wonderful product.

I am having an issue on a server where I have memcached running for a VBulletin forum. I have put an entry for the memcached process in the csf.pignore file, but I think it has nothing to do with the alerts I am getting relating to memcached TCP connections.

Executable:
 /usr/bin/php
 
Command Line (often faked in exploits):
 /usr/bin/php /home/xxxx/public_html/vb/vbseo.php
 
Network connections by the process (if any):
 tcp: 127.0.0.1:57479 -> 127.0.0.1:11211

Any idea how I can put a process on ignore based on TCP port, or any other idea?
Thanks a lot for reading.

Regards
usman
Sergio
Junior Member
Posts: 1689
Joined: 12 Dec 2006, 14:56

Re: Ignore a Suspicious Process/TCP Connection

Post by Sergio »

Try ignoring by user, edit cxs.pignore and add:
user:xxxx
osmanbsd
Junior Member
Posts: 2
Joined: 11 Mar 2013, 12:59

Re: Ignore a Suspicious Process/TCP Connection

Post by osmanbsd »

Hi,

Thanks a lot for your reply, but I cannot do this, as this is the main and most important website on the server, which is running under suphp.

Regards
usman
Sergio
Junior Member
Posts: 1689
Joined: 12 Dec 2006, 14:56

Re: Ignore a Suspicious Process/TCP Connection

Post by Sergio »

You couldn't use csf.pignore with IPs; you have to set a cmd, exe or user. If you can use user, then try for cmd, like this:
cmd:/home/xxxx/public_html/vb/vbseo.php
This will ignore the process done by vbseo.php.
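
An added example, not part of any post in this thread and not csf/lfd code: a Python sketch that checks which candidate csf.pignore entries would silence the alert quoted above, and what else each one would hide. It assumes exe/cmd/user entries must equal the whole field and pexe/pcmd/puser entries must match the whole field as a regex (Python regex stands in for Perl); the account name, the second alert and the candidate list are constructed.

```python
import re

# Alert fields from the thread; "user" is assumed from the redacted /home/xxxx path.
ALERT = {"exe": "/usr/bin/php", "user": "xxxx",
         "cmd": "/usr/bin/php /home/xxxx/public_html/vb/vbseo.php"}
# Constructed: a different script run by the same account and interpreter.
OTHER = {"exe": "/usr/bin/php", "user": "xxxx",
         "cmd": "/usr/bin/php /home/xxxx/public_html/uploads/new.php"}

# Constructed candidate entries in csf.pignore syntax.
CANDIDATES = r"""
# broadest to narrowest
exe:/usr/bin/php
user:xxxx
cmd:/home/xxxx/public_html/vb/vbseo.php
cmd:/usr/bin/php /home/xxxx/public_html/vb/vbseo.php
pcmd:/usr/bin/php /home/xxxx/public_html/vb/vbseo\.php
"""

def parse_pignore(text):
    """Return (kind, value) pairs, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            kind, value = line.split(":", 1)
            rules.append((kind.lower(), value))
    return rules

def suppresses(rule, alert):
    """Assumed semantics: plain kinds need equality, p-kinds a full regex match."""
    kind, value = rule
    if kind in ("exe", "cmd", "user"):
        return alert[kind] == value
    if kind in ("pexe", "pcmd", "puser"):
        return re.fullmatch(value, alert[kind[1:]]) is not None
    return False

def report(text, alerts):
    """Map each entry to the list of alerts (by name) it would silence."""
    return {f"{k}:{v}": [n for n, a in alerts.items() if suppresses((k, v), a)]
            for k, v in parse_pignore(text)}

if __name__ == "__main__":
    for entry, hidden in report(CANDIDATES, {"vbseo": ALERT, "other": OTHER}).items():
        print(f"{entry:60} hides: {hidden}")
```

An entry that also hides the constructed second alert covers more than the one script this thread is about, so process tracking would stay silent for anything else that account or interpreter runs.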