Suspicious activity from author

I’ve purchased a WordPress theme. The theme is full of bugs, so I contacted the developer and gave him access to the backend of my WP with the administrator role, and now I get only suspicious activity from them. This looks like a lawsuit. Please restrict their activity and don’t let hackers sell their stuff here. Here are the logs on my server after I gave them access to the backend:

 lfd on Suspicious process running under user

Time:    Thu Jun  8 08:12:43 2023 +0300
PID:     984436 (Parent PID:940074)
Account: seavieweforie
Uptime:  75 seconds



Command Line (often faked in exploits):


Network connections by the process (if any):

tcp: [redacted ip]:39798 -> [redacted ip]:443

Files open by the process (if any):


Memory maps by the process (if any):

00400000-009cd000 r-xp 00000000 fd:03 42009353
00bcc000-00c51000 r--p 005cc000 fd:03 42009353
00c51000-00c6e000 rw-p 00651000 fd:03 42009353
00c6e000-00c8c000 rw-p 00000000 00:00 0
00fda000-01205000 rw-p 00000000 00:00 0
01205000-013e3000 rw-p 00000000 00:00 0
7f3256a00000-7f3259480000 rw-p 00000000 00:00 0
7f3259600000-7f325bc00000 rw-p 00000000 00:00 0
7f325bd37000-7f325bdb7000 rwxp 00000000 00:00 0
7f325bdb7000-7f325cc00000 rw-p 00000000 00:00 0
7f325cc00000-7f325ce00000 rw-p 00000000 00:00 0
7f325ce08000-7f325ce18000 rwxp 00000000 00:00 0
7f325ce18000-7f325d05e000 r--p 00000000 fd:05 41945110
7f325d05e000-7f325d0de000 rw-p 00000000 00:00 0
7f325d0de000-7f325d296000 r--s 00000000 fd:0d 25167625
7f3269534000-7f3269584000 rwxp 00000000 00:00 0
7f3269584000-7f32695b9000 r--s 00000000 fd:0d 25167623
7f32695b9000-7f3269602000 rw-p 00000000 00:00 0
7f3269603000-7f3269627000 r--p 00000000 fd:05 126101606
7f3269627000-7f326967e000 rw-p 00000000 00:00 0
7f3269687000-7f3269688000 rw-s 00000000 00:01 3846521482 /dev/zero (deleted)
7f3269688000-7f326968e000 rw-p 00000000 00:00 0
7f326968e000-7f326969d000 r--p 00000000 fd:05 75500653
7f326969d000-7f326970e000 r-xp 0000f000 fd:05 75500653
7f326970e000-7f3269725000 r--p 00080000 fd:05 75500653
7f3269725000-7f3269727000 r--p 00096000 fd:05 75500653
7f326972d000-7f326972f000 rw-p 0002e000 fd:05 75500537
7fff7ac48000-7fff7ac69000 rw-p 00000000 00:00 0
7fff7ad8f000-7fff7ad93000 r--p 00000000 00:00 0
7fff7ad93000-7fff7ad95000 r-xp 00000000 00:00 0
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0

I don’t see anything inherently suspicious in those logs. It could just be a hanging/zombie process due to some technical issue.

The two IP addresses under the network connections are identical and I believe them to be your own server’s IP, so I’ve redacted them.

The heap looks fine. I removed a bunch of standard shared libraries from the output as they’re not relevant but don’t see anything suspicious. The “files open by the process” also looks fine, nothing unusual there for an lsphp process.

Edit: Upon further review of the cPanel CSF/LFD configuration, I don’t see any significant details in your logs that indicate a problem. The alert in question is generally broad and does not directly indicate a security issue. In fact, it seems easy for a developer to trigger this alert while working.

My new suggestion is to send the alert to the author and ask if they know what might have triggered it.


Looks like it’s PHP itself creating/updating the logs.
Apart from that, as you agreed to share the access, it’s hard to talk about anything illegal; it was voluntary.

1 Like

The logs will be unrelated. The process is lsphp, which is a LiteSpeed instance. As such, it will naturally update the logs, access the passwd file for permission management, and so on. More likely is that the developer deleted a file while it was still running, or something similar, since their PHP files seem to be streaming over the network.

1 Like
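The replies above boil down to a triage question: which regions in the "Memory maps" section of an lfd "Suspicious process" alert actually deserve a closer look? The script below is an added example (not the poster's code, and not part of cPanel, CSF/LFD or LiteSpeed) that parses the maps lines copied from the alert above, with the wrapped `/dev/zero (deleted)` path rejoined onto its line as `/proc/PID/maps` prints it, and separates the ordinary file-backed mappings from the two kinds of region a reviewer would normally check by hand: anonymous writable-and-executable regions and mappings of deleted files. It assumes, as the replies do, that the process is lsphp and that anonymous rwx regions are what a JIT engine such as PHP's opcache JIT produces, so they are flagged for confirmation rather than treated as evidence of compromise.

```python
"""Triage helper for the memory-map section of an lfd "Suspicious process" alert.
Added example; not the forum poster's, cPanel/CSF's or LiteSpeed's own code.
Assumption: the process is lsphp and anonymous rwx regions come from a JIT
(e.g. PHP opcache JIT), so they are reported for confirmation, not as findings."""
import re
from dataclasses import dataclass

# Memory maps copied from the alert in the post above (31 regions once the
# wrapped "/dev/zero (deleted)" path is rejoined onto its own line).
MAPS_FROM_ALERT = """\
00400000-009cd000 r-xp 00000000 fd:03 42009353
00bcc000-00c51000 r--p 005cc000 fd:03 42009353
00c51000-00c6e000 rw-p 00651000 fd:03 42009353
00c6e000-00c8c000 rw-p 00000000 00:00 0
00fda000-01205000 rw-p 00000000 00:00 0
01205000-013e3000 rw-p 00000000 00:00 0
7f3256a00000-7f3259480000 rw-p 00000000 00:00 0
7f3259600000-7f325bc00000 rw-p 00000000 00:00 0
7f325bd37000-7f325bdb7000 rwxp 00000000 00:00 0
7f325bdb7000-7f325cc00000 rw-p 00000000 00:00 0
7f325cc00000-7f325ce00000 rw-p 00000000 00:00 0
7f325ce08000-7f325ce18000 rwxp 00000000 00:00 0
7f325ce18000-7f325d05e000 r--p 00000000 fd:05 41945110
7f325d05e000-7f325d0de000 rw-p 00000000 00:00 0
7f325d0de000-7f325d296000 r--s 00000000 fd:0d 25167625
7f3269534000-7f3269584000 rwxp 00000000 00:00 0
7f3269584000-7f32695b9000 r--s 00000000 fd:0d 25167623
7f32695b9000-7f3269602000 rw-p 00000000 00:00 0
7f3269603000-7f3269627000 r--p 00000000 fd:05 126101606
7f3269627000-7f326967e000 rw-p 00000000 00:00 0
7f3269687000-7f3269688000 rw-s 00000000 00:01 3846521482 /dev/zero (deleted)
7f3269688000-7f326968e000 rw-p 00000000 00:00 0
7f326968e000-7f326969d000 r--p 00000000 fd:05 75500653
7f326969d000-7f326970e000 r-xp 0000f000 fd:05 75500653
7f326970e000-7f3269725000 r--p 00080000 fd:05 75500653
7f3269725000-7f3269727000 r--p 00096000 fd:05 75500653
7f326972d000-7f326972f000 rw-p 0002e000 fd:05 75500537
7fff7ac48000-7fff7ac69000 rw-p 00000000 00:00 0
7fff7ad8f000-7fff7ad93000 r--p 00000000 00:00 0
7fff7ad93000-7fff7ad95000 r-xp 00000000 00:00 0
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
"""

# One /proc/PID/maps line: start-end perms offset major:minor inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    size = property(lambda r: r.end - r.start)
    anonymous = property(lambda r: r.inode == 0 and not r.path)   # no backing file
    rwx = property(lambda r: "w" in r.perms and "x" in r.perms)   # writable + executable
    deleted = property(lambda r: r.path.endswith("(deleted)"))    # file unlinked while mapped


def parse_maps(text):
    """Parse maps lines into Region objects; rejects lines that do not fit the format."""
    regions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16), m["perms"],
                              int(m["inode"]), (m["path"] or "").strip()))
    return regions


def summarize(regions):
    """Counts a reviewer wants at a glance before reading the raw dump."""
    anon_rwx = [r for r in regions if r.anonymous and r.rwx]
    return {
        "regions": len(regions),
        "file_backed_exec": sum(1 for r in regions if "x" in r.perms and r.inode != 0),
        "anon_exec_readonly": sum(1 for r in regions if r.anonymous and "x" in r.perms and not r.rwx),
        "anon_rwx": len(anon_rwx),
        "anon_rwx_bytes": sum(r.size for r in anon_rwx),
        "shared": sum(1 for r in regions if r.perms[3] == "s"),
        "deleted": sum(1 for r in regions if r.deleted),
    }


def triage(regions):
    """Return one note per region that merits a manual check; empty list means nothing to do."""
    notes = []
    for r in regions:
        if r.anonymous and r.rwx:
            notes.append(f"anonymous rwx {r.start:x}-{r.end:x} ({r.size // 1024} KiB): "
                         "expected from a JIT (assumed opcache.jit in lsphp); confirm it is enabled")
        elif r.deleted:
            notes.append(f"deleted file mapped at {r.start:x}-{r.end:x}: {r.path}; "
                         "a /dev/zero shared mapping is a normal anonymous-memory idiom")
    return notes


if __name__ == "__main__":
    regs = parse_maps(MAPS_FROM_ALERT)
    print(summarize(regs))
    print("\n".join(triage(regs)))
```

Run as-is it prints the summary for the alert above: three anonymous rwx regions totalling 896 KiB, two file-backed executable mappings (the lsphp binary and one shared library), and one mapping of a deleted file, which is the `/dev/zero` region. None of those is a finding on its own; the list is what to confirm against the server's PHP configuration before treating the alert as anything more than the broad heuristic the first reply describes.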