lsphp83.sock.11490.pid

#1
Sometimes I get warnings from LFD like:

Code:
Time:   Sat May 25 13:57:30 2024 +0700
File:   /tmp/lshttpd/lsphp83.sock.11490.pid

Reason: Script, starts with #!
Owner:  apache:apache (989:989)
Action: No action taken
I tried to locate PID 11490 with ps aux, but there is no process with that ID. In /tmp/lshttpd, there are multiple other .pid files, but only some of them generated warnings. I assume that LFD found the file starting with #! and thought it might be a hacking script, but how can I verify that, and find out which account generated that file?

Thank you.
 

Cold-Egg

Administrator
#2
If nothing is found from the log, then you can consider customizing the socket name per virtual host, then you will know where it comes from.
 
#5
I don't know how to customize the socket name, but I did it differently.
1. Customize the OLS log, insert the PID.
2. Use lsof to log all the socket processes.
3. When I get a warning with a socket ID, I search in the log file and get a bunch of PIDs.
4. With those PIDs and the timestamp from the warning, I search in the OLS domain log /var/log/httpd/domains/

I then get some results. However, those are "normal" webpage requests to CSS and JS files, and in different domains. I manually checked each file; some are old files from a few years ago, some are new files, but nothing seems to be wrong.

Is there any other way to find out what is happening?
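
An added example, not part of the thread and not any poster's or project's code: a shell helper that takes the LFD alert text quoted in post #1 and reports what is actually on disk at the flagged path, without executing it. It assumes Linux (/proc) and GNU coreutils, treats the number in the file name as a PID the way post #1 does, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): triage one LFD alert like the one in post #1.
# Assumes Linux with GNU coreutils; function names are hypothetical.

# Print one field (Time, File, Reason, Owner, Action) of the alert text on stdin.
alert_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Number before ".pid" in a name such as lsphp83.sock.11490.pid.
pid_from_name() {
    basename "$1" | sed -n 's/.*\.\([0-9][0-9]*\)\.pid$/\1/p'
}

# Report what is on disk: "missing", "shebang" or "no-shebang".
file_state() {
    [ -e "$1" ] || { echo missing; return; }
    if [ "$(head -c 2 "$1" 2>/dev/null | tr -d '\0')" = '#!' ]; then
        echo shebang
    else
        echo no-shebang
    fi
}

# Read an alert on stdin and print a short triage report.
triage_alert() {
    alert=$(cat)
    file=$(printf '%s\n' "$alert" | alert_field File)
    pid=$(pid_from_name "$file")
    state=$(file_state "$file")
    echo "file:   $file ($state)"
    echo "alert:  owner $(printf '%s\n' "$alert" | alert_field Owner)"
    if [ "$state" != missing ]; then
        # Current owner and mtime, to compare with the alert and the access logs.
        echo "disk:   $(stat -c '%U:%G (%u:%g) modified %y' "$file")"
        # First line only, with non-printable bytes replaced, never executed.
        echo "line 1: $(head -n 1 "$file" | tr -c '[:print:]\n' '?' | cut -c 1-120)"
    fi
    if [ -n "$pid" ] && [ -d "/proc/$pid" ]; then
        echo "pid:    $pid is running: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    else
        echo "pid:    ${pid:-none in name} has no running process"
    fi
}
```

Save the alert body to a file (for example a hypothetical alert.txt) and run `triage_alert < alert.txt` as root soon after the alert arrives, since the file may already be gone later.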
 