Suspicious activity from author

Hello,
I’ve purchased a WordPress theme. The theme is full of bugs; I’ve contacted the developer and gave him access to the backend of my WP with administrator rules, and now I get only suspicious activity from them. This looks like a lawsuit. Please restrict their activity and don’t let hackers sell their stuff here. Here are the logs on my server after I gave them access to the backend:

lfd on cpanel2.gmb.ro: Suspicious process running under user seavieweforie

Time:    Thu Jun  8 08:12:43 2023 +0300
PID:     984436 (Parent PID:940074)
Account: seavieweforie
Uptime:  75 seconds


Executable:

/opt/alt/php72/usr/bin/lsphp


Command Line (often faked in exploits):

lsphp:/home3/seavieweforie/public_html/index.php


Network connections by the process (if any):

tcp: [redacted ip]:39798 -> [redacted ip]:443


Files open by the process (if any):

/dev/null
/var/log/apache2/stderr.log
/var/log/apache2/stderr.log
/dev/null
/opt/imunify360/proactive/dangerlist
/usr/share/i360-php-opts/sigs/7.5/.rules.v2
/usr/share/i360-php-opts/pd_v1.hdb
/usr/share/i360-php-opts/pd-combined-compiled


Memory maps by the process (if any):

00400000-009cd000 r-xp 00000000 fd:03 42009353 /opt/alt/php72/usr/bin/lsphp
00bcc000-00c51000 r--p 005cc000 fd:03 42009353 /opt/alt/php72/usr/bin/lsphp
00c51000-00c6e000 rw-p 00651000 fd:03 42009353 /opt/alt/php72/usr/bin/lsphp
00c6e000-00c8c000 rw-p 00000000 00:00 0
00fda000-01205000 rw-p 00000000 00:00 0 [heap]
01205000-013e3000 rw-p 00000000 00:00 0 [heap]
7f3256a00000-7f3259480000 rw-p 00000000 00:00 0
7f3259600000-7f325bc00000 rw-p 00000000 00:00 0
7f325bd37000-7f325bdb7000 rwxp 00000000 00:00 0
7f325bdb7000-7f325cc00000 rw-p 00000000 00:00 0
7f325cc00000-7f325ce00000 rw-p 00000000 00:00 0
7f325ce08000-7f325ce18000 rwxp 00000000 00:00 0
7f325ce18000-7f325d05e000 r--p 00000000 fd:05 41945110 /usr/share/i360-php-opts/sigs/7.5/.rules.v2
7f325d05e000-7f325d0de000 rw-p 00000000 00:00 0
7f325d0de000-7f325d296000 r--s 00000000 fd:0d 25167625 /var/db/nscd/hosts
7f3269534000-7f3269584000 rwxp 00000000 00:00 0
7f3269584000-7f32695b9000 r--s 00000000 fd:0d 25167623 /var/db/nscd/passwd
7f32695b9000-7f3269602000 rw-p 00000000 00:00 0
7f3269603000-7f3269627000 r--p 00000000 fd:05 126101606 /usr/share/i360-php-opts/pd_v1.hdb
7f3269627000-7f326967e000 rw-p 00000000 00:00 0
7f3269687000-7f3269688000 rw-s 00000000 00:01 3846521482 /dev/zero (deleted)
7f3269688000-7f326968e000 rw-p 00000000 00:00 0
7f326968e000-7f326969d000 r--p 00000000 fd:05 75500653 /usr/lib64/libgmp.so.10.3.2
7f326969d000-7f326970e000 r-xp 0000f000 fd:05 75500653 /usr/lib64/libgmp.so.10.3.2
7f326970e000-7f3269725000 r--p 00080000 fd:05 75500653 /usr/lib64/libgmp.so.10.3.2
7f3269725000-7f3269727000 r--p 00096000 fd:05 75500653 /usr/lib64/libgmp.so.10.3.2
7f326972d000-7f326972f000 rw-p 0002e000 fd:05 75500537 /lib64/ld-2.28.so
7fff7ac48000-7fff7ac69000 rw-p 00000000 00:00 0 [stack]
7fff7ad8f000-7fff7ad93000 r--p 00000000 00:00 0 [vvar]
7fff7ad93000-7fff7ad95000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

I don’t see anything inherently suspicious in those logs. It could just be a hanging/zombie process due to some technical issue.

The two IP addresses under the network connections are identical and I believe them to be your own server’s IP, so I’ve redacted them.

The heap looks fine. I removed a bunch of standard shared libraries from the output as they’re not relevant but don’t see anything suspicious. The “files open by the process” also looks fine, nothing unusual there for an lsphp process.

Edit: Upon further review of the cPanel CSF/LFD configuration, I don’t see any significant details in your logs that indicate a problem. The alert in question is generally broad and does not directly indicate a security issue. In fact, it seems easy for a developer to trigger this alert while working.

My new suggestion is to send the alert to the author and ask if they know what might have triggered it.

2 Likes

Looks like PHP itself is creating/updating the logs.
Apart from that, as you agreed to share the access, it’s hard to talk about anything illegal; it’s voluntary.

1 Like

The logs will be unrelated. The process is lsphp, which is a LiteSpeed instance. As such, it will naturally update the logs, access the passwd file for permission management, and so on. More likely, the developer deleted a file while it was still running, or something similar, since their PHP files seem to be streaming over the network.

1 Like
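A small triage helper, added here as an example rather than code from the thread or from CSF/LFD, that parses the "Suspicious process" alert layout quoted above and applies the checks the replies walk through: does the (easily spoofed) command line agree with the executable path, does any connection actually leave the host, and how many anonymous writable+executable mappings are present. SAMPLE_ALERT is constructed from that layout with documentation-range placeholder IPs and a placeholder account name.

```python
import re

# Constructed sample in the layout of the LFD alert quoted above; IPs are documentation-range placeholders.
SAMPLE_ALERT = """\
Executable:
/opt/alt/php72/usr/bin/lsphp

Command Line (often faked in exploits):
lsphp:/home3/exampleuser/public_html/index.php

Network connections by the process (if any):
tcp: 203.0.113.5:39798 -> 203.0.113.5:443

Memory maps by the process (if any):
00400000-009cd000 r-xp 00000000 fd:03 42009353 /opt/alt/php72/usr/bin/lsphp
7f325bd37000-7f325bdb7000 rwxp 00000000 00:00 0
"""
SECTIONS = {"Executable:": "exe", "Command Line (often faked in exploits):": "cmd",
            "Network connections by the process (if any):": "net",
            "Files open by the process (if any):": "files", "Memory maps by the process (if any):": "maps"}

def parse_alert(text):
    out, cur = {"head": []}, "head"  # header lines (Time, PID, Account, Uptime) land under "head"
    for line in map(str.strip, text.splitlines()):
        if line in SECTIONS:
            cur = SECTIONS[line]
            out[cur] = []
        elif line:
            out[cur].append(line)
    return out

def triage(text):
    a, notes = parse_alert(text), []  # an empty list means nothing stood out
    exe, cmd = (a.get("exe") or [""])[0], (a.get("cmd") or [""])[0]
    # argv[0] is trivially spoofable, so compare it with the path LFD read from /proc/<pid>/exe.
    if not cmd.startswith(exe.rsplit("/", 1)[-1]):
        notes.append(f"cmdline {cmd!r} does not match executable {exe!r}")
    # Only connections leaving the host matter; in the thread's alert src and dst were identical.
    for conn in a.get("net", []):
        m = re.match(r"\w+: (\S+):\d+ -> (\S+):\d+$", conn)
        if m and m.group(1) != m.group(2):
            notes.append(f"connection to external address {m.group(2)}")
    # Anonymous rwxp mappings are where injected code would live; compare the count with a
    # known-good process of the same kind instead of treating any as proof of compromise.
    rwx = [x for x in a.get("maps", []) if " rwxp " in x and x.endswith(" 00:00 0")]
    if rwx:
        notes.append(f"{len(rwx)} anonymous rwxp mapping(s)")
    return notes
```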