My server reports a "suspicious process" that has been running longer than expected. What is this?

From Wordfence Documentation

What is the issue?

Some hosting servers run software that flags a PHP process as "suspicious" when it stays alive longer than a set threshold, because a normal PHP process serves a single page request and exits within a few seconds. We have seen this on some cPanel servers running ConfigServer Firewall (csf), whose lfd daemon includes process tracking, but not every cPanel server is set up this way. An example of the message appears below.

Why does this happen?

Wordfence's daily scans run for longer than most PHP scripts because they have to examine a large number of your site's files, which can't be done in a single short request. The scan is therefore broken into smaller stages to stay within PHP's max_execution_time limit, but how long each stage actually runs depends on your server's configuration.

How can I prevent the warnings?

On servers that are configured to send this warning, the message is most likely to appear when your host has set PHP's max_execution_time higher than the typical 30 seconds, so a single scan stage can run long enough to cross the host's threshold. To keep the scan process from looking suspicious while still letting scans complete normally, set the Maximum execution time for each scan stage, near the bottom of the Wordfence options page, to 60 seconds, 30 seconds, or 15 seconds.

Longer settings make the scan more efficient (fewer stages and less overhead per stage), but depending on the server's configuration you may need a lower value to prevent these warnings. Make sure to set the limit lower than the number on the "Uptime" line in the warning message; in the example below the process ran for 199 seconds, so any of the three values would do and 60 seconds is the most efficient choice. Note that a lower per-stage limit does not shorten the scan as a whole; it only splits the same work into more, shorter stages. If even 15 seconds is not below the host's threshold, ask the host about their process-tracking settings rather than disabling scans.

It is also normal for the message to list a file in wp-content/wflogs/ as "(deleted)". Wordfence writes updated data to a temporary file in that directory and then replaces or removes it while the process still holds it open, which Linux reports as "(deleted)" in the process's open-file list. This happens when the malware signatures used by the firewall are updated and is not a sign of tampering.


Example message

Time: Mon Apr 25 14:20:36 2017 -0400
PID: 6278 (Parent PID:6223)
Account: wwwuser
Uptime: 199 seconds

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/wwwuser/public_html/wp-admin/admin-ajax.php

Network connections by the process (if any):
tcp: 10.2.3.4:42827 -> 10.2.3.4:443

Files open by the process (if any):

/var/cpanel/locale/en.cdb
/dev/urandom
/home/wwwuser/public_html/wp-content/wflogs/ips.php
/home/wwwuser/public_html/wp-content/wflogs/config.tmp.hw7Mtw (deleted)
/home/wwwuser/public_html/wp-content/wflogs/attack-data.php
/tmp/sess_239534bfe451b27c1f1d319c90cd9ccf
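The following script is an added example, not code from Wordfence or from ConfigServer Firewall. It parses the example message above (embedded verbatim so the script runs offline), extracts the "Uptime" value, picks the largest of the three Wordfence per-stage settings that is still below that uptime, and applies a few heuristic checks a practitioner would want before dismissing the alert: is the flagged process PHP running WordPress's admin-ajax.php, are the open files under wp-content/wflogs/, is any "(deleted)" file outside wflogs/ (unexpected), and does the process talk only to its own host. The section-header layout it parses, the checks, and the field names are this example's assumptions, not lfd's or Wordfence's own logic.

```python
import os
import re
from dataclasses import dataclass, field

# Per-stage values the Wordfence options page offers, as stated in the text above.
STAGE_LIMITS = (60, 30, 15)

# Path fragment that identifies the Wordfence firewall's working directory.
WFLOGS = "/wp-content/wflogs/"

# The example message from this page, embedded so the script runs offline.
EXAMPLE_ALERT = """\
Time: Mon Apr 25 14:20:36 2017 -0400
PID: 6278 (Parent PID:6223)
Account: wwwuser
Uptime: 199 seconds

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/wwwuser/public_html/wp-admin/admin-ajax.php

Network connections by the process (if any):
tcp: 10.2.3.4:42827 -> 10.2.3.4:443

Files open by the process (if any):

/var/cpanel/locale/en.cdb
/dev/urandom
/home/wwwuser/public_html/wp-content/wflogs/ips.php
/home/wwwuser/public_html/wp-content/wflogs/config.tmp.hw7Mtw (deleted)
/home/wwwuser/public_html/wp-content/wflogs/attack-data.php
/tmp/sess_239534bfe451b27c1f1d319c90cd9ccf
"""


@dataclass
class ProcessAlert:
    pid: int
    account: str
    uptime: int  # seconds, from the "Uptime:" line
    executable: str
    command_line: str
    connections: list = field(default_factory=list)
    open_files: list = field(default_factory=list)


def parse_alert(text):
    """Parse an alert laid out like the example above into a ProcessAlert.

    'Key: value' header lines are read directly. Lines ending in ':' start a
    multi-line section (Executable, Command Line, Network connections, Files
    open); the non-empty lines that follow belong to that section.
    """
    pid = int(re.search(r"^PID:\s*(\d+)", text, re.M).group(1))
    account = re.search(r"^Account:\s*(\S+)", text, re.M).group(1)
    uptime = int(re.search(r"^Uptime:\s*(\d+)\s*seconds", text, re.M).group(1))

    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].split()[0]  # key on the first word of the header
            sections[current] = []
        elif current is not None:
            sections[current].append(line)

    return ProcessAlert(
        pid=pid,
        account=account,
        uptime=uptime,
        executable=sections.get("Executable", [""])[0],
        command_line=sections.get("Command", [""])[0],
        connections=sections.get("Network", []),
        open_files=sections.get("Files", []),
    )


def recommended_stage_limit(uptime_seconds, limits=STAGE_LIMITS):
    """Largest offered per-stage limit that is still below the alert's Uptime.

    Longer stages are more efficient, so prefer the largest value that keeps a
    stage shorter than what the host flagged. None means no offered value is
    low enough and the host's threshold has to be discussed with the host.
    """
    for limit in sorted(limits, reverse=True):
        if limit < uptime_seconds:
            return limit
    return None


def _same_host(conn):
    """True when 'tcp: A:port -> B:port' has A == B (the site talking to itself)."""
    m = re.match(r"\w+:\s*(\S+):\d+\s*->\s*(\S+):\d+", conn)
    return bool(m) and m.group(1) == m.group(2)


def triage(alert):
    """Heuristic read of the alert (this example's checks, not lfd's or Wordfence's)."""
    is_php = os.path.basename(alert.executable).startswith("php")
    is_wp_entry = alert.command_line.endswith("/wp-admin/admin-ajax.php")
    wflogs_files = [f for f in alert.open_files if WFLOGS in f]
    deleted = [f for f in alert.open_files if f.endswith("(deleted)")]
    # A temp file under wflogs/ shown as (deleted) is expected (see the text
    # above); any other (deleted) file is worth a closer look.
    unexpected_deleted = [f for f in deleted if WFLOGS not in f]
    return {
        "looks_like_wordfence_scan": is_php and is_wp_entry and bool(wflogs_files),
        "unexpected_deleted_files": unexpected_deleted,
        "connections_only_to_self": all(_same_host(c) for c in alert.connections),
        "recommended_stage_limit": recommended_stage_limit(alert.uptime),
    }


if __name__ == "__main__":
    for key, value in triage(parse_alert(EXAMPLE_ALERT)).items():
        print(f"{key}: {value}")
```

A process that fails these checks (a PHP binary running from an unexpected path, open files outside the site's tree, or a connection to a remote host you do not recognise) is not explained by this page and should be investigated as a possible compromise rather than silenced with a lower scan-stage setting.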