• Resolved JorritSchippers

    (@jorritschippers)


    I used WordFence to clean three WordPress installations on the same server. Even though the cleaning process went great, I kept receiving reports via BitNinja that the server was making HTTP requests as part of attacks to other servers.

    After searching for a long time, I discovered that two of the three sites had spawned a PHP process that was listening to a high port for instructions from some C&C server. These processes were running for a very long time, since February. Both processes were created for a PHP file called cron.php. This file was no longer available, so I don’t know the contents.

    My suggestion is that WordFence introduces some kind of scan for PHP processes executing a script while running under the same user as the PHP process that runs the website.
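
The kind of check suggested in the post above, as an added example that is not part of the original thread and is not Wordfence code: it walks Linux `/proc` for PHP CLI processes whose script file no longer exists on disk and reports any high TCP ports they listen on. The function names, the `proc_root` parameter and the rule that the script is the first argument ending in `.php` are assumptions made for illustration.

```python
import os

def listening_inodes(proc_root):
    """Map socket inode -> local port for TCP sockets in LISTEN state (st == 0A)."""
    inodes = {}
    for name in ("net/tcp", "net/tcp6"):
        try:
            with open(os.path.join(proc_root, name)) as fh:
                rows = fh.read().splitlines()[1:]  # skip the header line
        except OSError:
            continue
        for row in rows:
            f = row.split()
            if len(f) > 9 and f[3] == "0A":
                inodes[f[9]] = int(f[1].rsplit(":", 1)[1], 16)
    return inodes

def find_orphaned_php(proc_root="/proc", min_port=1024):
    """Return PHP processes whose script is gone from disk, with high listening ports."""
    listen = listening_inodes(proc_root)
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")
            cwd = os.readlink(os.path.join(base, "cwd"))
            uid = os.stat(base).st_uid  # owner of /proc/<pid> = user the process runs as
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:
            continue  # process exited, or we lack permission to inspect it
        if not os.path.basename(argv[0]).startswith("php"):
            continue
        script = next((a for a in argv[1:] if a.endswith(".php")), None)  # assumed rule
        if script is None or os.path.exists(os.path.join(cwd, script)):
            continue  # no script argument, or the script is still on disk
        ports = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(base, "fd", fd))
            except OSError:
                continue
            port = listen.get(target[8:-1]) if target.startswith("socket:[") else None
            if port is not None and port >= min_port:
                ports.add(port)
        hits.append({"pid": int(pid), "uid": uid, "script": script, "ports": sorted(ports)})
    return hits

if __name__ == "__main__":
    print(*find_orphaned_php(), sep="\n")
```

Run it as root or as the site's own user so that `/proc/<pid>/cwd` and `/proc/<pid>/fd` are readable; the `uid` field can then be compared with the account the website runs under.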

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jorritschippers, thanks for your suggestion.

    I have passed that forward to the team for further discussion, although we can’t comment on the feasibility or progress of development requests here on the forums. Everything put forward is discussed, especially if it’ll benefit a high number of Wordfence customers.

    I can mention that many hosts will disable PHP’s process-oriented functions, or the ability to run external shell commands, for security reasons, but we will look into it. You may find that Wordfence > All Options > General Options “Scan files outside your WordPress installation?” could help identify malware if it’s not in the WordPress folder. If a file is present that doesn’t match an original repository plugin or WordPress file inside your site’s directory, we also look for and flag those already.

    Many thanks,
    Peter.
