lfd Suspicious process running under user nobody

devinh

Member
Sep 22, 2018
India
cPanel Access Level
Root Administrator
my whm version: 100.0.7
apache+nginx+npm+php-fpm

I am getting hundreds of alert emails from ConfigServer Security & Firewall - csf v14.15 as follows:

Time: Thu Jan 27 20:29:02 2022 +0530
PID: 2656 (Parent PID:31208)
Account: nobody
Uptime: 92 seconds


Executable:

/usr/sbin/nginx


Command Line (often faked in exploits):

nginx: worker process


Network connections by the process (if any):



Files open by the process (if any):

/dev/null
/dev/null
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/access.log
anon_inode:[eventpoll]
anon_inode:[eventfd]
anon_inode:[eventfd]


Memory maps by the process (if any):


and more lines like these. I edited the firewall pignore file from WHM and added the following lines:

127.0.0.1
Include /etc/csf/cpanel.comodo.ignore
Include /etc/csf/cpanel.ignore
exe:/usr/libexec/dovecot/pop3
exe:/usr/libexec/dovecot/imap
exe:/usr/libexec/dovecot/lmtp
exe:/usr/local/libexec/dovecot/pop3
exe:/usr/local/libexec/dovecot/pop3-login
exe:/usr/local/libexec/dovecot/imap
exe:/usr/local/libexec/dovecot/imap-login
exe:/usr/libexec/dovecot/stats
exe:/usr/local/bin/freshclam
exe:/usr/libexec/dovecot/managesieve-login
exe:/usr/local/bin/clamd
exe:/usr/share/cagefs-skeleton/usr/selector/lsphp
exe:/usr/selector/lsphp
exe:/usr/local/bin/lsphp
pexe:/usr/local/php../bin/php_uploadscan\.sh
pexe:/opt/alt/php../usr/bin/php-cgi
pexe:/usr/local/php../sbin/php-fpm..
pexe:/usr/local/php../bin/php-cgi..
pexe:/usr/local/php../bin/php..
pexe:/opt/alt/php../usr/bin/lsphp
exe:/usr/sbin/pure-ftpd
exe:/usr/local/bin/pureftpd_uploadscan.sh
exe:/usr/selector/php
exe:/usr/selector/php-cli
exe:/usr/sbin/nginx
exe:/usr/sbin/proxyexec
exe:/usr/sbin/nrpe
pexe:/usr/local/safe-bin/fcgid..\.sh
exe:/sbin/rpcbind
exe:/sbin/rpc.statd
exe:/usr/sbin/rsyslogd
exe:/usr/sbin/atd
exe:/usr/bin/wget
exe:/usr/sbin/snmpd
exe:/usr/bin/memcached
exe:/bin/gzip
exe:/bin/tar
exe:/usr/bin/dbus-daemon
exe:/sbin/rpcbind
exe:/usr/lib/polkit-1/polkitd
exe:/usr/sbin/avahi-daemon
pexe:/usr/sbin/nginx
Executable:

/usr/sbin/nginx

Still I am getting alert messages. Is it a problem, or is it OK? If it is OK, then how do I stop the alert emails? Thanks in advance.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
cPanel Access Level
DataCenter Provider
Your syntax looks incorrect. You'd just want:

Code:
exe:/usr/sbin/nginx

And then run

Code:
csf -ra

to restart CSF and LFD.

pexe is looking for a Perl regular expression. Executable is not a parameter, it's just exe.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
cPanel Access Level
DataCenter Provider
It does not matter if you do it via the WHM interface or SSH. Make sure that the "x" in nginx is the last character, and you don't have spaces etc. after it. I've seen that mess it up.
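As an added example (not csf's own code, and not posted by anyone in this thread), a small Python check that reads a csf.pignore snippet the way lfd would and decides whether a given executable path would be ignored. It flags the two mistakes discussed above, a stray "Executable:" label line and trailing whitespace after the path, and assumes lfd's matching semantics: an exact path comparison for exe: entries and an anchored regular expression for pexe: entries.

```python
"""Validate csf.pignore lines and test whether an executable would be ignored."""
import re

# Known lfd ignore directives (csf.pignore syntax: directive:value).
DIRECTIVES = ("exe", "pexe", "user", "puser", "cmd", "pcmd")

# Constructed sample mirroring the thread: the nginx entry with a trailing
# space, a valid pexe regex, and a stray "Executable:" label plus bare path.
SAMPLE_PIGNORE = "\n".join([
    "# lfd process ignore list (constructed sample)",
    "exe:/usr/sbin/nginx" + " ",            # trailing space breaks the match
    "pexe:/usr/local/php../sbin/php-fpm..",
    "Executable:",                         # not a directive
    "/usr/sbin/nginx",                     # bare path, no directive
])


def parse_pignore(text):
    """Return (entries, problems): entries are (directive, value) pairs,
    problems are human-readable findings for lines lfd would not accept."""
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank lines and comments are skipped
        if line != line.rstrip():
            problems.append(f"line {n}: trailing whitespace after {line.rstrip()!r}")
        key, sep, value = line.partition(":")
        if not sep or key not in DIRECTIVES or not value:
            problems.append(f"line {n}: not a pignore directive: {line!r}")
            continue
        entries.append((key, value))       # value kept verbatim, as lfd reads it
    return entries, problems


def process_ignored(entries, exe_path):
    """Assumed lfd semantics: exe: must equal the resolved /proc/PID/exe path
    exactly; pexe: is a regex that must match the whole path."""
    for key, value in entries:
        if key == "exe" and value == exe_path:
            return True
        if key == "pexe" and re.fullmatch(value, exe_path):
            return True
    return False


if __name__ == "__main__":
    found, issues = parse_pignore(SAMPLE_PIGNORE)
    for issue in issues:
        print("problem:", issue)
    print("nginx ignored:", process_ignored(found, "/usr/sbin/nginx"))
```

Running it shows that the trailing space leaves nginx un-ignored, which is why the alerts keep arriving until the entry is exactly `exe:/usr/sbin/nginx`.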
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! It's important to note that cPanel doesn't create or distribute the CSF firewall tool, so if that isn't behaving how you are expecting it would be best to reach out to them directly at Technical Support

With your situation, adding the process to the ignore list like @ffeingol outlined will take care of the issue. Using either the command line or WHM will work just the same as long as the process is formatted correctly.