Suspicious process running under user nobody - Executable: /usr/local/lsws/bin/lshttpd.5.3.3

#1
Hello Everyone,

We got this alert. Since we are beginners, we are not able to understand whether it's a possible exploit or just a false alarm. We worry about ports. Thanks in advance.

Complete alert is attached
Code:
Time:    Sat Nov 10 09:18:33 2018 +0000
PID:     2377 (Parent PID:2374)
Account: nobody
Uptime:  174483 seconds


Executable:

/usr/local/lsws/bin/lshttpd.5.3.3


Command Line (often faked in exploits):

litespeed (lshttpd - #01)


Network connections by the process (if any):

tcp: 127.0.0.1:52412 -> 127.0.0.1:2082
 


lucasrolff

Member
Staff member
#5
@Lakeswimmer - I have this exact issue. What did you do to resolve? I see the previous comment about "please white list it" but what did you white list?

Thanks in advance!
In the file /etc/csf/csf.pignore you have to add:

Code:
pexe:/usr/local/lsws/bin/lshttpd.*
After this, please execute csf -ra to restart the csf and lfd processes.
 
#6
Hi @lucasrolff - thank you for that info. I've added it in and believe it's working. Thank you.

One more question with csf & litespeed. I'm getting a lot of "Excessive resource usage" emails as well for each user. Example:

Code:
Time:         Wed Jan  9 04:56:45 2019 -0900
Account:      sinwsjnh
Resource:     Process Time
Exceeded:     1858 > 1800 (seconds)
Executable:   /opt/cpanel/ea-php71/root/usr/bin/lsphp
Command Line: lsphp                               
PID:          18528 (Parent PID:3650)
Killed:       No
In /etc/csf/csf.pignore - would I put in exe:/opt/cpanel/ea-php71/root/usr/bin/lsphp to stop this or something else?

Thanks in advance.
 

lucasrolff

Member
Staff member
#7
pexe:/opt/cpanel/ea-php*/root/usr/bin/lsphp in /etc/csf/csf.pignore and then csf -ra afterwards should do the trick!
 
#9
Hi @lucasrolff - unfortunately starting today I'm getting a lot of excessive resource usage emails again. I put in exactly as you suggested in csf.pignore and restarted but here is the newest string of emails coming in:

Code:
Time:         Fri Jan 18 02:53:25 2019 -0900
Account:      dxlkfhpl
Resource:     Process Time
Exceeded:     1821 > 1800 (seconds)
Executable:   /opt/cpanel/ea-php71/root/usr/bin/lsphp
Command Line: lsphp                                 
PID:          10570 (Parent PID:10570)
Killed:       No
This is happening on every account. Thanks in advance.
 

lucasrolff

Member
Staff member
#10
I can see I mistyped the exclude :confused:

Code:
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp
The above should do the trick, so the difference is to use .* instead of *.

After this, do csf -ra and it should work!
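
Added example, not part of the thread and not CSF's own code: a small check of which executable paths each pexe: line from the posts above would ignore, showing why `ea-php*` never matched and how far `.*` reaches. It assumes lfd matches a pexe: entry against the whole executable path as an anchored regular expression, uses Python's `re` in place of Perl's engine, and includes a tighter `[0-9]+` variant and a nested sample path that are constructed here.

```python
import re

# Constructed csf.pignore-style content: the three pexe: lines quoted in the
# thread, plus a tighter variant (an assumption added here, not from the thread).
PIGNORE = """\
# entries copied from the posts above
pexe:/usr/local/lsws/bin/lshttpd.*
pexe:/opt/cpanel/ea-php*/root/usr/bin/lsphp
pexe:/opt/cpanel/ea-php.*/root/usr/bin/lsphp
pexe:/opt/cpanel/ea-php[0-9]+/root/usr/bin/lsphp
"""

# Sample executable paths: the first two appear in the alerts above, the
# third is a constructed path used to show how far ".*" reaches.
SAMPLE_EXES = [
    "/usr/local/lsws/bin/lshttpd.5.3.3",
    "/opt/cpanel/ea-php71/root/usr/bin/lsphp",
    "/opt/cpanel/ea-php71/tmp/x/root/usr/bin/lsphp",
]


def parse_pexe(text):
    """Return the regex part of every pexe: line, skipping other lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("pexe:"):
            rules.append(line[len("pexe:"):])
    return rules


def ignored_by(rule, exe):
    """True if the rule matches the whole path (assumed ^rule$ semantics)."""
    return re.fullmatch(rule, exe) is not None


def coverage(rules, exes):
    """Map each rule to the sample paths it would ignore."""
    return {rule: [e for e in exes if ignored_by(rule, e)] for rule in rules}


if __name__ == "__main__":
    for rule, hits in coverage(parse_pexe(PIGNORE), SAMPLE_EXES).items():
        print(f"{rule}\n    ignores: {hits or 'nothing'}")
```

As a regex, `ea-php*` means "ea-ph" followed by zero or more "p", so it cannot consume the "71"; `ea-php.*` does, but also spans "/" and so covers deeper paths than the one in the alert.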
 