lfd on server.com Suspicious process running under user cpanelroundcube

Executable:/usr/local/cpanel/3rdparty/bin/php-cgiCommand Line (often faked in exploits):/usr/local/cpanel/3rdparty/bin/php-cgi -c /usr/local/cpanel/3rdparty/etc/roundcube /usr/local/cpanel/base/3rdparty/roundcube/index.php

Network connections by the process (if any):
tcp: 127.0.0.1:48277 -> 127.0.0.1:143

Solution 
======
 vi /etc/csf/csf.pignore
And add the below line
pcmd:/usr/local/cpanel/3rdparty/bin/php-cgi -c /usr/local/cpanel/3rdparty/etc/roundcube /usr/local/cpanel/base/3rdparty/roundcube/index.php

Restart CSF 

csf -r 

Leave a Reply

Your email address will not be published. Required fields are marked *