lfd on server: Suspicious process running under user userX

ASUS

Today, I got an lfd mail report that tells me:
Executable:

/usr/bin/perl


Command Line (often faked in exploits):

spamd child
Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/bin/spamd
/home/userX/.razor/razor-agent.log

But this userX is a server's mail report user, and I don't want to ban it. What should I do?
Will lfd ban this userX forever, or is it just warning me to check it? Thanks

Thank you so much
 
but this userX is a server's mail report user
You can just disable the perl check if you want.

In the /etc/csf/csf.pignore file add this line:
exe:/usr/bin/perl
and restart csf and lfd.

However, this would remove the perl check completely. You can also use a regex in there, but I'm not good with regex.
If you can trust this user, you could also set this user to ignore.
user:userX
and restart csf and lfd.
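
An added example, not part of the posts above and not lfd's own code: a simplified Python model of how much each kind of csf.pignore entry exempts, run against a constructed process list. It assumes entries are OR-ed and that the regex forms (pexe:, puser:, pcmd:) must match the whole field; Python's `re` stands in for Perl regex, and the `Proc` records and function names are hypothetical.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "user exe cmd")

# Constructed process table for illustration (not from a real server).
PROCS = [
    Proc("userX", "/usr/bin/perl", "spamd child"),            # the reported process
    Proc("userX", "/usr/bin/perl", "perl /tmp/unknown.pl"),   # other perl, same user
    Proc("userY", "/usr/bin/perl", "perl cron-report.pl"),    # perl, other account
    Proc("userY", "/usr/bin/python3", "spamd child"),         # same command line, other binary
]

KINDS = {"exe", "user", "cmd", "pexe", "puser", "pcmd"}

def parse_rules(text):
    """Parse csf.pignore-style lines into (kind, value) pairs; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        if not sep or kind not in KINDS:
            raise ValueError(f"unrecognised entry: {line!r}")
        rules.append((kind, value))
    return rules

def ignored(proc, rules):
    """True if any entry matches the process (entries are OR-ed in this model)."""
    for kind, value in rules:
        is_regex = kind.startswith("p")
        field = getattr(proc, kind[1:] if is_regex else kind)
        if (re.fullmatch(value, field) if is_regex else field == value):
            return True
    return False

def coverage(rule_text):
    """Return the constructed processes that the given entries would exempt."""
    rules = parse_rules(rule_text)
    return [p for p in PROCS if ignored(p, rules)]

if __name__ == "__main__":
    for entry in ("exe:/usr/bin/perl", "user:userX", "cmd:spamd child"):
        print(f"{entry:20} exempts {len(coverage(entry))} of {len(PROCS)}:")
        for p in coverage(entry):
            print(f"    {p.user:6} {p.exe:18} {p.cmd}")
```

In this model every option exempts more than the single reported process, so the choice is about which additional processes you accept lfd no longer reporting.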
 
Thank you for your help.
 