• Hi

    Since 29 August (Mon Aug 29 01:20:05 2016) I have been receiving hourly emails from my server alerting me of excessive resource usage and a suspicious process running on one of my sites. These emails seem to coincide with the wordfence_hourly_cron event.

    This is part of the message:

    Files open by the process (if any):
    /dev/urandom
    /…/wp-content/wflogs/ips.php
    /…/wp-content/wflogs/config.php (deleted)
    /…/wp-content/wflogs/attack-data.php
    /tmp/sess_2285e5ee437f7d66564972da82d6d14f (deleted)
    /…/wp-content/updraft/log.7792c728e0d9.txt
    /…/wp-content/updraft/.pureftpd-rename.24846.a41f7059 (deleted)
    /etc/pki/nssdb/cert9.db
    /etc/pki/nssdb/key4.db
    /tmp/phpXsuCFo

    Updraft is a backup plugin but it doesn’t run hourly and even when that plugin is deactivated the suspicious process message still contains the same two updraft lines shown above.

    Do you know what might be happening here?

    Any tips gratefully received.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Quarmor

    (@quarmor)

    I am having the same issue with UpdraftPlus and Wordfence for /…/wp-content/wflogs/config.php. #bump

    Mariette

    (@mariette-jackson)

    Good to know I’m not the only one!

    In the absence of any response from Wordfence, and with those suspicious process messages still continuing, I resorted to deleting Wordfence. Shame…

    Quarmor

    (@quarmor)

    Yeah, I have been thinking about getting rid of Wordfence as well. Updraft is way too good to get rid of, so out of the 2, Wordfence will have to go. They also make a ton of databases and I cannot figure out how to change the hourly cron they get running; if I delete it, it comes right back. I do not like lots of scheduled tasks and an hourly cron is just not acceptable.

    Driving me mad – I have 20+ domains emailing me every time a scan runs. I have changed the Maximum execution time to 60 and below and yet my server reports Uptime: 92 seconds.

    There is no way to pignore a php file.

    Wordfence is good but these emails are just infuriating.

  • The topic ‘Hourly ‘suspicious process’ alerts seemingly relating to Wordfence hourly cron’ is closed to new replies.