If you are getting an email like this from your server:
lfd on your.server.com: Suspicious process running under user nobody
Executable:
/usr/local/bin/memcached
Command Line (often faked in exploits):
/usr/local/bin/memcached -u root -m 16 -p 11211 -u nobody -l 127.0.0.1
In this case, lfd is reporting that a memcached process is running under the user nobody, and noting that the command line shown could be faked. If you know your server runs memcached and this is a valid process, then you need to whitelist it. Use the following steps to whitelist it:
- SSH to your server
- Edit /etc/csf/csf.pignore in your favorite text editor
- Add this line to the bottom of the file: exe:/usr/local/bin/memcached
Once you have added the line to the file, restart CSF, and you should no longer get any email warnings about memcached.
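Because the command line in the alert can be faked, the steps above can be scripted so that the entry is only added when the running process really is the expected binary. This is an added example, not part of the original page; it assumes a Linux /proc filesystem, a process named memcached, and `csf -ra` as the restart command, and the `PIGNORE` and `EXE` variable names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the flagged process, then whitelist it idempotently.
PIGNORE="${PIGNORE:-/etc/csf/csf.pignore}"   # file named in the steps above
EXE="${EXE:-/usr/local/bin/memcached}"       # executable from the lfd alert

# real_exe PID: print the binary the kernel actually mapped for PID.
# Unlike the command line, /proc/PID/exe is not changed by rewriting argv.
real_exe() {
    readlink "/proc/$1/exe"
}

# exe_matches PID PATH: succeed only if PID really runs PATH.
# A binary replaced or removed on disk reads as "PATH (deleted)" and fails.
exe_matches() {
    [ "$(real_exe "$1")" = "$2" ]
}

# pignore_add FILE PATH: append "exe:PATH" unless that exact line exists.
pignore_add() {
    file=$1; entry="exe:$2"
    [ -f "$file" ] || return 1
    grep -qxF -- "$entry" "$file" && return 0
    # Make sure the file ends with a newline so the entry gets its own line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$entry" >> "$file"
}

main() {
    pids=$(pgrep -x memcached) || { echo "memcached is not running" >&2; return 1; }
    for pid in $pids; do
        exe_matches "$pid" "$EXE" || {
            echo "PID $pid runs $(real_exe "$pid"), not $EXE" >&2
            return 1
        }
    done
    # csf -ra restarts csf and lfd so the new ignore entry is read.
    pignore_add "$PIGNORE" "$EXE" && csf -ra
}

# Nothing is changed unless the script is run as root with --apply.
if [ "${1:-}" = "--apply" ]; then main; fi
```

If a PID fails the check, the script stops without touching csf.pignore, so a mismatch can be investigated instead of whitelisted.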