Suspicious Process

#1
lfd keeps sending me alerts:
"Suspicious process running under user nobody"

Executable:

/usr/local/lsws/bin/lshttpd.3.3.19


Command Line (often faked in exploits):

lshttpd

Is this something I should be concerned about, or can I just tell it to ignore that directory?
 
ffeingol

#2
Just add:

exe:/usr/local/lsws/bin/lshttpd.3.3.19

to your csf.pignore and then restart lfd. The script knows about httpd by default (apache) but it's prob. complaining about the long-running "nobody" process. The only thing to remember is you'll have to update that line every time the LSWS version changes.
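
Added example, not part of the thread: a small check that catches the version-change case from the reply above, reporting whether csf.pignore still has an exact `exe:` line for the lshttpd binary that is actually installed. It assumes the ignore file is /etc/csf/csf.pignore and that /usr/local/lsws/bin/lshttpd is a symlink to the versioned binary; the function names and the `--check` switch are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: lfd reads
# /etc/csf/csf.pignore, and /usr/local/lsws/bin/lshttpd is a symlink to the
# versioned binary (lshttpd.3.3.19 in the alert above).

# resolve_exe LINK: print the real path of the installed binary.
resolve_exe() {
    readlink -f "$1"
}

# pignore_status FILE EXE: print one of
#   ok       exact "exe:EXE" line present
#   stale    only exe: lines for other lshttpd versions in that directory
#   missing  no lshttpd exe: line at all (commented-out lines do not count)
pignore_status() {
    prefix="exe:$(dirname "$2")/lshttpd"
    if grep -Fxq "exe:$2" "$1"; then
        echo ok
    elif awk -v p="$prefix" 'index($0, p) == 1 { f = 1 } END { exit !f }' "$1"; then
        echo stale
    else
        echo missing
    fi
}

# Run the check only when asked, e.g. from cron: sh check_pignore.sh --check
if [ "${1:-}" = "--check" ]; then
    pignore=${2:-/etc/csf/csf.pignore}
    exe=$(resolve_exe "${3:-/usr/local/lsws/bin/lshttpd}")
    status=$(pignore_status "$pignore" "$exe")
    case $status in
        ok) echo "csf.pignore already lists $exe" ;;
        *)  echo "csf.pignore entry is $status; needed line: exe:$exe"
            echo "edit $pignore, then restart lfd"
            exit 1 ;;
    esac
fi
```

Keeping the entry as an exact versioned path, rather than ignoring the whole directory, means lfd still alerts on any other executable that shows up under /usr/local/lsws/bin running as nobody.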
 