This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

My server reports a "suspicious process" that has been running longer than expected. What is this?

From Wordfence Documentation
Revision as of 02:08, 6 April 2017 by WFMattr (Talk | contribs)


What is the issue?

Some servers run monitoring software that alerts you when a PHP process has been running longer than a configured time and flags it as suspicious, since a normal PHP process serves a single page request and exits within a few seconds. We have seen this on a few cPanel servers running ConfigServer Firewall (CSF), whose lfd daemon can be configured to report long-running user processes, but not every cPanel server is set up this way. An example of the message appears below.

Why does this happen?

Wordfence's daily scans run much longer than a typical PHP request because they have to read and check a large number of your site's files, which cannot be done in a few seconds. To work within PHP's execution-time limit, the scan is broken into stages: each stage runs as its own request to wp-admin/admin-ajax.php (the process shown in the example below), stops when its time allowance is reached, and starts the next stage. How long each stage is allowed to run depends on your server's PHP configuration and on the Wordfence setting described below.

How can I prevent the warnings?

On servers configured to show this warning, the message is most likely when the host has set PHP's max_execution_time higher than the usual 30 seconds, so each scan stage is allowed to run long enough to cross the monitor's threshold. To keep the scan process from looking suspicious while still letting scans complete normally, set "Maximum execution time for each scan stage", near the bottom of the Wordfence options page, to 60 seconds, 30 seconds, or 15 seconds. Longer stages make the scan more efficient, since less time is spent restarting stages, but depending on the server's configuration you may need a lower value to stop the warnings. Choose a value lower than the "Uptime" line in the warning message. Note that the monitor's actual threshold can be lower than the Uptime it reports, because the alert is only sent after the threshold has already been exceeded; if warnings continue, step down to the next value.

Before lowering the limit, confirm that the alert really describes a Wordfence scan stage rather than an unrelated process. The "Command Line" should end with your site's wp-admin/admin-ajax.php, the open files should include files under wp-content/wflogs, and the only network connection should be to your own server's address, since scan stages request pages from your own site (in the example below, both ends of the connection are 10.2.3.4). The command line can be faked, as the message itself notes, so rely on the executable path and the open files rather than the command line alone. If the executable lives somewhere unusual such as /tmp, the open files are elsewhere, or the process is connected to a remote host you do not recognize, treat it as a genuine alert and investigate the account before changing any limit.


Example message

Time: Mon Apr 25 14:20:36 2017 -0400
PID: 6278 (Parent PID:6223)
Account: wwwuser
Uptime: 199 seconds

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/wwwuser/public_html/wp-admin/admin-ajax.php

Network connections by the process (if any):
tcp: 10.2.3.4:42827 -> 10.2.3.4:443

Files open by the process (if any):

/var/cpanel/locale/en.cdb
/dev/urandom
/home/wwwuser/public_html/wp-content/wflogs/ips.php
/home/wwwuser/public_html/wp-content/wflogs/config.tmp.hw7Mtw (deleted)
/home/wwwuser/public_html/wp-content/wflogs/attack-data.php
/tmp/sess_239534bfe451b27c1f1d319c90cd9ccf
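The checks described under "How can I prevent the warnings?" can be scripted against the alert text itself. The following is an added example, not Wordfence's or ConfigServer's own code: it parses an alert in the format shown above (the first sample is the page's own example message; the second is a constructed, hypothetical fake in which the binary runs from /tmp), decides whether the process looks like a Wordfence scan stage using the indicators visible in the example (a PHP binary outside scratch directories, an admin-ajax.php command line, connections only to the server itself, and open files under wp-content/wflogs), and picks the largest of the 60/30/15 second stage limits that is below the reported Uptime. The function and constant names are this example's own.

```python
"""Triage an lfd-style "suspicious process" alert for a Wordfence scan.
Added example, not Wordfence's or ConfigServer's code: it parses alert text in the
format shown on this page, checks whether the process looks like a Wordfence scan
stage, and picks the largest scan-stage limit below the reported Uptime."""
import re

# Constructed sample: the alert shown on this page, blank lines included.
SAMPLE_ALERT = """\
Time: Mon Apr 25 14:20:36 2017 -0400
PID: 6278 (Parent PID:6223)
Account: wwwuser
Uptime: 199 seconds

Executable:
/usr/bin/php

Command Line (often faked in exploits):
/usr/bin/php /home/wwwuser/public_html/wp-admin/admin-ajax.php

Network connections by the process (if any):
tcp: 10.2.3.4:42827 -> 10.2.3.4:443

Files open by the process (if any):

/var/cpanel/locale/en.cdb
/dev/urandom
/home/wwwuser/public_html/wp-content/wflogs/ips.php
/home/wwwuser/public_html/wp-content/wflogs/config.tmp.hw7Mtw (deleted)
/home/wwwuser/public_html/wp-content/wflogs/attack-data.php
/tmp/sess_239534bfe451b27c1f1d319c90cd9ccf
"""

# Constructed negative case (hypothetical): same command line, but the binary runs
# from /tmp, talks to an outside host and holds nothing under wflogs open.
SAMPLE_FAKE = """\
Time: Mon Apr 25 15:02:11 2017 -0400
PID: 7104 (Parent PID:1)
Account: wwwuser
Uptime: 640 seconds

Executable:
/tmp/.cache/php

Command Line (often faked in exploits):
/usr/bin/php /home/wwwuser/public_html/wp-admin/admin-ajax.php

Network connections by the process (if any):
tcp: 10.2.3.4:50012 -> 203.0.113.9:6667

Files open by the process (if any):

/tmp/.cache/php
"""

STAGE_LIMITS = (60, 30, 15)  # values offered by Wordfence's scan-stage option
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CONN_RE = re.compile(r"tcp:\s*([\d.]+):\d+\s*->\s*([\d.]+):\d+")

def parse_alert(text):
    """Split the alert into 'Key: value' fields and 'Header:' sections."""
    fields, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # "Executable:", "Files open by the process (if any):"
            current = line[:-1]
            sections[current] = []
        elif current is None and ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
        elif current is not None:
            sections[current].append(line)
    return fields, sections

def section(sections, prefix):
    """First section whose header starts with prefix (headers carry parenthetical notes)."""
    return next((lines for header, lines in sections.items() if header.startswith(prefix)), [])

def recommend_stage_limit(uptime):
    """Largest offered limit strictly below the reported Uptime, or None. The monitor's
    real threshold may be lower than the Uptime it reports, so step down if alerts continue."""
    return next((limit for limit in STAGE_LIMITS if limit < uptime), None)

def triage(text):
    fields, sections = parse_alert(text)
    m = re.match(r"(\d+)", fields.get("Uptime", ""))
    uptime = int(m.group(1)) if m else 0
    exe = (section(sections, "Executable") or [""])[0]
    cmd = " ".join(section(sections, "Command Line"))
    conns = CONN_RE.findall("\n".join(section(sections, "Network connections")))
    files = section(sections, "Files open")
    checks = {
        "php_binary_outside_scratch": exe.rsplit("/", 1)[-1].startswith("php") and not exe.startswith(SCRATCH_DIRS),
        "runs_admin_ajax": cmd.endswith("/wp-admin/admin-ajax.php"),  # easily faked on its own
        "connects_only_to_self": all(src == dst for src, dst in conns),  # scan stages fetch the site itself
        "wflogs_files_open": any("/wp-content/wflogs/" in f for f in files),  # strongest signal
    }
    is_scan = all(checks.values())
    return {"wordfence_scan": is_scan, "uptime": uptime,
            "failed_checks": [name for name, ok in checks.items() if not ok],
            "recommended_stage_limit": recommend_stage_limit(uptime) if is_scan else None}
```

For the page's example, triage(SAMPLE_ALERT) reports a Wordfence scan with all checks passed and recommends the 60 second stage limit, the largest value below the 199 second Uptime. For the constructed fake, the admin-ajax.php command line still matches, but the /tmp executable, the outbound connection and the absence of wflogs files fail, and no limit is recommended: that alert is something to investigate, not to tune away.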