Csf firewall - lfd suspicious process: nginx, php5-fpm, and mysqld

techairlines

I'm using an unmanaged VPS running nginx and the ConfigServer firewall. I'm receiving thousands of notification emails about suspicious processes: nginx, php5-fpm, and mysqld, three of the most important services running.

The root mail file reaches over 2.5 million lines each week. I would like to receive actual warnings and not these, which I assume are false positives.

I found a thread on their forums telling me to add some lines to the configuration so these three processes are ignored:

Code:
exe:/usr/sbin/php5-fpm
exe:/usr/sbin/nginx
exe:/usr/sbin/mysqld

Ignoring nginx, php5-fpm, and mysqld does stop the warnings; however, CSF's readme file says "Don't list the paths to perl or php as this will prevent detection of suspicious web scripts.", and those lines do exactly that (or am I wrong)?

Code:
Time:    Fri Feb 22 08:52:12 2013 +0400
PID:     1180 (Parent PID:1178)
Account: -username hidden-
Uptime:  3645 seconds


Executable:

/usr/sbin/php5-fpm


Command Line (often faked in exploits):

php-fpm: pool www


Network connections by the process (if any):

tcp: 127.0.0.1:9000 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]
anon_inode:[eventpoll]

Memory maps by the process (if any):

-very long list here-

Code:
Time:    Fri Feb 22 08:49:12 2013 +0400
PID:     14249 (Parent PID:14220)
Account: www-data
Uptime:  333542 seconds


Executable:

/usr/sbin/nginx


Command Line (often faked in exploits):

nginx: worker process


Network connections by the process (if any):

tcp: 0.0.0.0:80 -> 0.0.0.0:0

Files open by the process (if any):

/dev/null
/dev/null
/var/log/nginx/error.log
/proc/26540/auxv
/proc/14220/auxv
anon_inode:[eventpoll]
anon_inode:[eventfd]
/var/log/nginx/access.log
/var/log/nginx/error.log
/home/-hidden-/public_html/-hidden-/log/access.log

This is again followed by a very long list of memory maps.

Code:
Time:    Fri Feb 22 08:49:12 2013 +0400
PID:     20686 (Parent PID:20371)
Account: mysql
Uptime:  1122013 seconds


Executable:

/usr/sbin/mysqld


Command Line (often faked in exploits):

/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306


Network connections by the process (if any):

tcp: 127.0.0.1:3306 -> 0.0.0.0:0

That is followed by an even longer list of files including /var/lib/mysql/-database_name-/-wordpress_prefix-_terms.MYI

Anyone know what's going on here and can suggest a fix? Is ignoring the processes the right way to go? Thanks so much.

(I originally posted this on the CSF Forums: http://forum.configserver.com/viewtopic.php?f=6&t=6402 but received no reply after a week)

Skizzerz

I would do the ignore based on user id rather than executable path. I don't remember the syntax offhand, but that would let you (assuming php-fpm is like cgi where it executes as the user who owns the script) ignore system processes while still catching user processes.

My other recommendation is to disable csf's auto upgrader; the developers have proven time and again that they don't test anything before releasing the update (switching from state to conntrack even though conntrack isn't supported by default on openvz, the "deferred" login failure blocking which creates tons of false positive IP blocks from people leaving cpanel's webmail open in the browser, etc.). Always look through the release notes before applying an upgrade to ensure that it won't just straight-up break your system. Alternatively, abandon csf entirely :)
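As an added illustration (this is not code from the thread, from ConfigServer, or from either poster), the following Python script simulates what the two csf.pignore strategies discussed here would suppress. It models only the `exe:` (full executable path) and `user:` (account name) line types of /etc/csf/csf.pignore, assumes lfd skips a process as soon as any line matches it exactly, and uses the three processes from the alerts above plus one hypothetical script interpreter started under the site account; the account name `siteuser` stands in for the hidden username in the first alert.

```python
"""Simulate csf.pignore matching for the processes reported in the thread.

Added example, not part of the original thread. Assumptions: lfd ignores a
process when ANY pignore line matches it; only `exe:` and `user:` lines are
modelled, with exact string matching. The hidden account is called "siteuser".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    user: str
    exe: str
    cmd: str


# Constructed from the three alerts quoted in the question. The last entry is
# hypothetical: a Perl script run under the site account, i.e. the kind of
# process the CSF readme says you stop seeing if you ignore interpreter paths.
ALERTS = [
    Proc("siteuser", "/usr/sbin/php5-fpm", "php-fpm: pool www"),
    Proc("www-data", "/usr/sbin/nginx", "nginx: worker process"),
    Proc("mysql", "/usr/sbin/mysqld", "/usr/sbin/mysqld --basedir=/usr --user=mysql"),
    Proc("siteuser", "/usr/bin/perl", "perl /home/siteuser/tmp/script.pl"),
]

# Strategy 1: the exe-based lines from the CSF forum thread the question cites.
PIGNORE_BY_EXE = """\
exe:/usr/sbin/php5-fpm
exe:/usr/sbin/nginx
exe:/usr/sbin/mysqld
"""

# Strategy 2: ignore by account instead, as the reply suggests.
PIGNORE_BY_USER = """\
# system service accounts only; nothing running as a site user is ignored
user:www-data
user:mysql
"""

# Basenames the CSF readme warns against listing as exe: entries.
INTERPRETER_NAMES = ("php", "perl")


def parse_pignore(text):
    """Return (kind, value) tuples; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if sep and kind in ("exe", "user", "cmd"):
            rules.append((kind, value))
    return rules


def matches(rule, proc):
    """Exact match of one pignore line against one process field."""
    kind, value = rule
    return getattr(proc, kind) == value


def would_alert(procs, pignore_text):
    """Processes lfd would still report under the given pignore contents."""
    rules = parse_pignore(pignore_text)
    return [p for p in procs if not any(matches(r, p) for r in rules)]


def interpreter_paths_listed(pignore_text):
    """exe: entries whose basename looks like a PHP or Perl binary, for review
    against the readme's warning about listing interpreter paths."""
    flagged = []
    for kind, value in parse_pignore(pignore_text):
        basename = value.rsplit("/", 1)[-1]
        if kind == "exe" and any(n in basename for n in INTERPRETER_NAMES):
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    for label, text in (("by exe", PIGNORE_BY_EXE), ("by user", PIGNORE_BY_USER)):
        remaining = [p.exe for p in would_alert(ALERTS, text)]
        print(f"{label:8s} still alerts on: {remaining}")
        print(f"{label:8s} interpreter paths listed: {interpreter_paths_listed(text)}")
```

Under the exe-based rules only the hypothetical Perl process is still reported; under the user-based rules the nginx worker and mysqld are silenced while both processes running as the site account, including the php-fpm pool, keep alerting, which is the trade-off the reply describes when php-fpm runs as the script owner.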