Suspicious Process

[R.Rowan]

lfd keeps sending me alerts:

"Suspicious process running under user nobody"

Executable:

/usr/local/lsws/bin/lshttpd.3.3.19


Command Line (often faked in exploits):

lshttpd

Is this something I should be concerned about, or can I just tell it to ignore that directory?

 

[ffeingol]

Just add:

exe:/usr/local/lsws/bin/lshttpd.3.3.19

to your csf.pignore and then restart lfd. The script knows about httpd by defaut (apache) but it's prob. complaining about the long-running "nobody" process. The only thing to remember is you'll have to update that line ever time the LSWS version changes.