• I moved my site to a new VPS last night, and I woke up this morning to find many (over 100 as of this writing) alerts of “Suspicious Processes” like this:

    lfd on <hostname>: Suspicious process running under user <username>

    Executable:

    /usr/local/lsws/fcgi-bin/lsphp-5.2.13

    Command Line (often faked in exploits):

    lsphp5:/home/tgj/public_html/xmlrpc.php

    Network connections by the process (if any):

    tcp: <server_IP>:<different_port_for_each_alert> -> <different_IP_for_each_alert>:80

    Files open by the process (if any):

    (deleted) /tmp/ZCUDcxZRG2

    Memory maps by the process (if any):

    (several lines of text follow)

  In each one of these alerts the local port is different, and the remote IP is also different (some of these are: 206.214.221.177, 74.53.137.66, 174.132.156.252, 66.96.147.110).

  Anyone know what this is about?

  I’ve just contacted my host, but since the common file in all these alerts (xmlrpc.php) is a WordPress file, I’m posting it here too to see if anyone knows anything about this.

  Thanks.

  P.S.: The site is currently running WP Version 2.8.4. Upgrade is scheduled for this weekend — a plugin which the site is heavily dependent on is broken under 2.9, and I’m getting a fix delivered this weekend. Also the VPS runs LiteSpeed instead of Apache.
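An added example, not from the poster or the WordPress forum: a small Python triage script for lfd alerts in the format quoted above. It parses each alert into its sections and summarises a batch, pulling out what a responder would check first: a PHP handler holding open network connections, an unlinked file in /tmp still held open by the process, and one script contacting many remote hosts. The hostname, local address, local ports and the memory-map line in the sample are constructed; the four remote IPs are the ones the poster listed.

```python
import re
from collections import Counter

# Section headers exactly as they appear in an lfd "Suspicious process" alert.
SECTION_HEADERS = {
    "Executable:": "executable",
    "Command Line (often faked in exploits):": "command_line",
    "Network connections by the process (if any):": "connections",
    "Files open by the process (if any):": "open_files",
    "Memory maps by the process (if any):": "memory_maps",
}

HEADER_RE = re.compile(r"^lfd on (\S+): Suspicious process running under user (\S+)$")
CONN_RE = re.compile(
    r"^(?P<proto>tcp|udp):\s*(?P<lhost>\S+):(?P<lport>\d+)\s*->\s*(?P<rhost>\S+):(?P<rport>\d+)$"
)
# Executables that are PHP handlers; a page script rarely has a reason to open outbound sockets.
PHP_HANDLER_RE = re.compile(r"(lsphp|php-cgi|php-fpm)")


def parse_lfd_alert(text):
    """Parse one lfd alert into a dict of its sections."""
    alert = {"host": None, "user": None, "executable": None, "command_line": None,
             "connections": [], "open_files": [], "memory_maps": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and alert["host"] is None:
            alert["host"], alert["user"] = m.groups()
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if section in ("executable", "command_line"):
            alert[section] = line
        elif section == "connections":
            c = CONN_RE.match(line)
            if c:  # keep only lines that are actually socket entries
                d = c.groupdict()
                d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
                alert["connections"].append(d)
        elif section == "open_files":
            deleted = line.startswith("(deleted) ")
            path = line[len("(deleted) "):] if deleted else line
            alert["open_files"].append({"path": path, "deleted": deleted})
        elif section == "memory_maps":
            alert["memory_maps"].append(line)
    return alert


def triage(alerts):
    """Summarise a batch of parsed alerts and list the indicators worth checking first."""
    scripts = Counter(a["command_line"] for a in alerts if a["command_line"])
    remote = sorted({(c["rhost"], c["rport"]) for a in alerts for c in a["connections"]})
    local_ports = sorted({c["lport"] for a in alerts for c in a["connections"]})
    deleted_tmp = sorted({f["path"] for a in alerts for f in a["open_files"]
                          if f["deleted"] and f["path"].startswith("/tmp/")})
    indicators = []
    if remote and any(PHP_HANDLER_RE.search(a["executable"] or "") for a in alerts):
        indicators.append("PHP handler opening outbound connections")
    if deleted_tmp:
        indicators.append("process holds an unlinked file in /tmp open")
    if len(scripts) == 1 and len(remote) > 1:
        indicators.append("same script reaching many remote hosts")
    return {
        "alert_count": len(alerts),
        "scripts": dict(scripts),
        "remote_endpoints": remote,
        "local_ports": local_ports,
        "deleted_tmp_files": deleted_tmp,
        "indicators": indicators,
    }


# Constructed sample in the format shown in the post. Hostname, local address, local
# ports and the memory-map line are made up; the remote IPs are those the poster listed.
SAMPLE_TEMPLATE = """\
lfd on vps.example.invalid: Suspicious process running under user tgj

Executable:

/usr/local/lsws/fcgi-bin/lsphp-5.2.13

Command Line (often faked in exploits):

lsphp5:/home/tgj/public_html/xmlrpc.php

Network connections by the process (if any):

tcp: 192.0.2.10:{lport} -> {rip}:80

Files open by the process (if any):

(deleted) /tmp/ZCUDcxZRG2
Memory maps by the process (if any):

00400000-00600000 r-xp 00000000 08:01 4242 /usr/local/lsws/fcgi-bin/lsphp-5.2.13
"""

SAMPLE_REMOTE_IPS = ["206.214.221.177", "74.53.137.66", "174.132.156.252", "66.96.147.110"]


def demo():
    """Parse four constructed alerts (one per remote IP) and return the triage summary."""
    alerts = [parse_lfd_alert(SAMPLE_TEMPLATE.format(lport=40001 + i, rip=ip))
              for i, ip in enumerate(SAMPLE_REMOTE_IPS)]
    return triage(alerts)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Feed it the alert bodies from the lfd mails (one string per alert) instead of the constructed sample; the summary shows at a glance whether every alert points at the same script and executable, how many distinct remote hosts are involved, and whether the process is holding a deleted temporary file, which together are the details a host provider or incident responder will ask for.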

  • Not sure on your question, but if you don’t use the publishing API you can delete the xmlrpc file.

  • The topic ‘Help Me Understand This “Suspicious Process”’ is closed to new replies.