[CSF/LFD] Lots of LFD warning emails

Mattie (Verified User; joined Jun 1, 2008; 127 messages)
I have 2 CSF/LFD questions, and because they stopped, I thought let's ask here!

Since I've updated from PHP 7 to 8 about half a year ago (yes I was late) I am getting these emails regularly. Sometimes not for a week and then 100 a day.

"lfd on vps.mattie-systems.nl: Suspicious process running under user xxx"

Time: Sat Oct 18 13:32:54 2025 +0200
PID: 2578243 (Parent PID:2514083)
Account: xxx
Uptime: 1166 seconds


Executable:

/usr/local/php83/sbin/php-fpm


Command Line (often faked in exploits):

php-fpm: pool xxx


Network connections by the process (if any):

tcp: 127.0.0.1:42390 -> 127.0.0.1:3306


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/home/gert/domains/xx.xx/public_html/xmlrpc.php
/home/gert/domains/xx.xx/public_html/wp-includes/html-api/class-wp-html-tag-processor.php


Memory maps by the process (if any):

5618aa400000-5618aa552000 r--p 00000000 fe:01 594 /usr/local/php83/sbin/php-fpm
5618aa600000-5618aab7a000 r-xp 00200000 fe:01 594 /usr/local/php83/sbin/php-fpm
5618aac00000-5618ab64c000 r--p 00800000 fe:01 594 /usr/local/php83/sbin/php-fpm
5618ab931000-5618aba00000 r--p 01331000 fe:01 594 /usr/local/php83/sbin/php-fpm
5618aba00000-5618aba05000 rw-p 01400000 fe:01 594 /usr/local/php83/sbin/php-fpm
5618aba05000-5618aba2e000 rw-p 00000000 00:00 0
5618ea0c9000-5618ea3f7000 rw-p 00000000 00:00 0 [heap]
5618ea3f7000-5618ea628000 rw-p 00000000 00:00 0 [heap]
7f11a4000000-7f11a4021000 rw-p 00000000 00:00 0
[...]
So, this is a user running a WordPress site. I don't really understand the problem. It seems that LFD is triggering on the MySQL connection, but I don't see why it would be suspicious. I can ignore "php-fpm", but that would render the detection useless.

Is there any way to just not have this detection for port 3306, for example? Or can anyone explain what might be wrong?

The second message just started a week ago and it's a bit different:

"lfd on vps.mattie-systems.nl: Excessive resource usage: webapps (2558725 (Parent PID:2514083))"

Time: Sat Oct 18 13:35:55 2025 +0200
Account: webapps
Resource: Process Time
Exceeded: 18018 > 3600 (seconds)
Executable: /usr/local/php83/sbin/php-fpm
Command Line: php-fpm: pool webapps
PID: 2558725 (Parent PID:2514083)
Killed: No
<no further content>

Again: What is wrong here? The runtime? But how bad is this? I am guessing this is a user using Roundcube or something?

Any ideas perhaps?
 
Yes I can do that, but I don't want to globally exclude php from all checks. I mean it should 100% check php for any suspicious behaviour. Or is that not how it works?
 
I guess not, these are put in there by default by DA:
Code:
pexe:/usr/local/php../sbin/php-fpm
pexe:/usr/local/php../sbin/php-fpm..
Do you have those too in the csf.pignore? If not, I would add them and restart csf and lfd.

This is the complete list for php versions:
Code:
exe:/usr/selector/lsphp
exe:/usr/selector/php
exe:/usr/selector/php-cli
pexe:/opt/alt/php../usr/bin/lsphp
pexe:/opt/alt/php../usr/bin/php
pexe:/opt/alt/php../usr/bin/php-cgi
pexe:/usr/local/lsws/bin/lshttpd.*
pexe:/usr/local/php../bin/lsphp
pexe:/usr/local/php../bin/lsphp..
pexe:/usr/local/php../bin/php
pexe:/usr/local/php../bin/php-cgi
pexe:/usr/local/php../bin/php-cgi..
pexe:/usr/local/php../bin/php..
pexe:/usr/local/php../bin/php_uploadscan.sh
pexe:/usr/local/php../sbin/php-fpm
pexe:/usr/local/php../sbin/php-fpm..
pexe:/usr/local/safe-bin/fcgid...sh
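To see which of the csf.pignore entries above would actually silence the two alerts in the first post, here is a small checker (added example, not code from the thread or from the csf project) that parses pignore lines and matches them against a process's executable path, user and command line. It assumes the csf.pignore conventions that `exe:`/`user:`/`cmd:` are exact matches and that `pexe:`/`puser:`/`pcmd:` are Perl regular expressions; whether lfd anchors those regexes to the whole field is assumed here (full match), and the `pcmd:` entry is a constructed one, added to show how an ignore can be scoped to a single pool rather than the whole php-fpm binary.

```python
import re
from dataclasses import dataclass

# Constructed csf.pignore excerpt: the two php-fpm lines quoted in the thread,
# plus an exact exe: entry, a user: entry and a hypothetical pcmd: entry for contrast.
PIGNORE_TEXT = """\
# csf.pignore excerpt (constructed for this example)
exe:/usr/sbin/sshd
pexe:/usr/local/php../sbin/php-fpm
pexe:/usr/local/php../sbin/php-fpm..
user:mysql
pcmd:php-fpm: pool webapps
"""


@dataclass
class Proc:
    """The three process attributes lfd reports in its alert email."""
    exe: str    # Executable: line of the alert
    user: str   # Account: line of the alert
    cmd: str    # Command Line: line of the alert (the email itself warns it can be faked)


def parse_pignore(text):
    """Return (kind, value) pairs for every non-comment, non-empty pignore line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed pignore line: {line!r}")
        rules.append((kind, value))
    return rules


def rule_matches(kind, value, proc):
    """True if one pignore rule applies to the process.

    exe/user/cmd compare literally; pexe/puser/pcmd are regexes.
    Assumption: the regex must match the whole field (re.fullmatch), which is
    why 'pexe:/usr/local/php../sbin/php-fpm..' needs two extra characters after
    'php-fpm' and so does NOT match a plain '.../php-fpm' path.
    """
    fields = {
        "exe": proc.exe, "pexe": proc.exe,
        "user": proc.user, "puser": proc.user,
        "cmd": proc.cmd, "pcmd": proc.cmd,
    }
    if kind not in fields:
        raise ValueError(f"unsupported pignore rule type: {kind}")
    if kind.startswith("p"):
        return re.fullmatch(value, fields[kind]) is not None
    return fields[kind] == value


def matching_rules(rules, proc):
    """Every pignore line that would make lfd skip this process."""
    return [f"{k}:{v}" for k, v in rules if rule_matches(k, v, proc)]


# The two processes from the alerts in the first post (paths and users as quoted there).
ALERT_SUSPICIOUS = Proc("/usr/local/php83/sbin/php-fpm", "xxx", "php-fpm: pool xxx")
ALERT_PROCTIME = Proc("/usr/local/php83/sbin/php-fpm", "webapps", "php-fpm: pool webapps")
# Constructed extra cases: a versioned binary name and an unrelated daemon.
VERSIONED_FPM = Proc("/usr/local/php82/sbin/php-fpm82", "gert", "php-fpm: pool gert")
SSHD = Proc("/usr/sbin/sshd", "root", "sshd: root@pts/0")


def report(text=PIGNORE_TEXT):
    """Map each sample process to the pignore lines that silence it."""
    rules = parse_pignore(text)
    return {
        "suspicious_alert": matching_rules(rules, ALERT_SUSPICIOUS),
        "proctime_alert": matching_rules(rules, ALERT_PROCTIME),
        "versioned_fpm": matching_rules(rules, VERSIONED_FPM),
        "sshd": matching_rules(rules, SSHD),
    }


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:17s} -> {hits or 'NOT ignored (lfd will alert)'}")
```

Running it shows that the single `pexe:/usr/local/php../sbin/php-fpm` line covers every user's pool, because the two `.` characters match the version digits and nothing in the pattern restricts the account; that is exactly the objection raised later in the thread. A `pcmd:` rule keyed on `php-fpm: pool webapps` narrows the exemption to one pool, but since lfd's own email notes the command line is "often faked in exploits", it is a weaker identifier than the executable path and should be read as a scoping trade-off, not a stronger check.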
 
but I don't want to globally exclude php from all checks.

You can add to the ignore list either a specific user or a process. And if you add the PHP-FPM into an ignore list, it will disable checks of all PHP-FPM processes of all existing users.
 