Process Analysis

The Process Analysis module is a component of BitNinja’s security stack that monitors and inspects running processes on a server to detect suspicious activity, malicious scripts, or anomalous execution behaviors. It acts as a behavioral monitoring layer complementing signature-based and file-based malware detection.

  • Enable: bitninjacli --module=ProcessAnalysis --enabled

  • Disable: bitninjacli --module=ProcessAnalysis --disabled


Overview

The module analyzes process execution patterns in real time to detect abnormal or potentially malicious operations.

Main goals:

  • Identify malware execution patterns even if files have been obfuscated or renamed.
  • Detect PHP CLI misuse (e.g. php -r inline code execution).
  • Catch binary payload executions.
  • Support exclusions for trusted processes and users to reduce false positives.
  • Enable configuration through CloudConfig for centralized control.

Logs

The logs can be located under the following path:

/var/log/bitninja-process-analysis/process_analysis.log

Configuration File

The configuration file can be found at:

/etc/bitninja/ProcessAnalysis/config.ini

Default configuration example:

[core]
excluded_commands[]='magento .*cron:run'
excluded_commands[]='php.*artisan '
excluded_commands[]='wp-cron.php'
excluded_commands[]='wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'
excluded_users[]='bitninja'
excluded_users[]='psaadm'
excluded_users[]='root'
excluded_users[]='wp-toolkit'
is_enabled_auditd=1
module_enabled=0
process_names[]='/bin/php'
process_names[]='/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php54/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php54/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php55/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php55/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php56/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php56/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php70/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php70/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php71/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php71/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php72/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php72/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php73/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php73/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php74/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php74/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php80/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php80/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php81/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php81/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php82/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php82/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php83/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php83/root/usr/bin/php-cgi'
process_names[]='/opt/cpanel/ea-php84/root/usr/bin/php'
process_names[]='/opt/cpanel/ea-php84/root/usr/bin/php-cgi'
process_names[]='/opt/plesk/php/5.3/bin/php'
process_names[]='/opt/plesk/php/5.4/bin/php'
process_names[]='/opt/plesk/php/5.5/bin/php'
process_names[]='/opt/plesk/php/5.6/bin/php'
process_names[]='/opt/plesk/php/7.0/bin/php'
process_names[]='/opt/plesk/php/7.1/bin/php'
process_names[]='/opt/plesk/php/7.2/bin/php'
process_names[]='/opt/plesk/php/7.3/bin/php'
process_names[]='/opt/plesk/php/7.4/bin/php'
process_names[]='/opt/plesk/php/8.0/bin/php'
process_names[]='/opt/plesk/php/8.1/bin/php'
process_names[]='/opt/plesk/php/8.2/bin/php'
process_names[]='/opt/plesk/php/8.3/bin/php'
process_names[]='/opt/plesk/php/8.4/bin/php'
process_names[]='/usr/bin/lsphp'
process_names[]='/usr/bin/php'
process_names[]='/usr/bin/php-cgi'
process_names[]='/usr/bin/php5.3'
process_names[]='/usr/bin/php5.4'
process_names[]='/usr/bin/php5.5'
process_names[]='/usr/bin/php5.6'
process_names[]='/usr/bin/php7.0'
process_names[]='/usr/bin/php7.1'
process_names[]='/usr/bin/php7.2'
process_names[]='/usr/bin/php7.3'
process_names[]='/usr/bin/php7.4'
process_names[]='/usr/bin/php8.0'
process_names[]='/usr/bin/php8.1'
process_names[]='/usr/bin/php8.2'
process_names[]='/usr/bin/php8.3'
process_names[]='/usr/bin/php8.4'
process_names[]='/usr/local/bin/lsphp'
process_names[]='/usr/local/bin/php'
process_names[]='/usr/local/bin/php-cgi'
process_names[]='/usr/local/cpanel/3rdparty/perl/536/bin/perl'
process_names[]='/usr/local/lsws/lsphp53/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp54/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp55/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp56/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp70/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp71/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp72/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp73/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp74/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp80/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp81/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp82/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp83/bin/lsphp'
process_names[]='/usr/local/lsws/lsphp84/bin/lsphp'
process_names[]='/usr/local/php5.3/bin/php'
process_names[]='/usr/local/php5.4/bin/php'
process_names[]='/usr/local/php5.5/bin/php'
process_names[]='/usr/local/php5.6/bin/php'
process_names[]='/usr/local/php7.0/bin/php'
process_names[]='/usr/local/php7.1/bin/php'
process_names[]='/usr/local/php7.2/bin/php'
process_names[]='/usr/local/php7.3/bin/php'
process_names[]='/usr/local/php7.4/bin/php'
process_names[]='/usr/local/php8.0/bin/php'
process_names[]='/usr/local/php8.1/bin/php'
process_names[]='/usr/local/php8.2/bin/php'
process_names[]='/usr/local/php8.3/bin/php'
process_names[]='/usr/local/php8.4/bin/php'
process_names[]='/usr/sbin/php'
process_names[]='/usr/sbin/php-cgi'
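The way the three option groups above interact is easiest to see by running events through them. The following is an added example, not BitNinja's own code: it parses the PHP-style `key[]` ini format and classifies constructed process events against a trimmed copy of the defaults. How BitNinja actually matches `process_names` and `excluded_commands` is not documented on this page; exact match on the executable path and a regex search over the full command line are assumptions here.

```python
import re

# Constructed excerpt of the page's default config.ini (full process_names list
# omitted); module_enabled is set to 1 here, the page's default is 0.
CONFIG_INI = """\
[core]
excluded_commands[]='magento .*cron:run'
excluded_commands[]='php.*artisan '
excluded_commands[]='wp-cron.php'
excluded_users[]='bitninja'
excluded_users[]='root'
module_enabled=1
process_names[]='/usr/bin/php'
process_names[]='/usr/local/bin/php'
"""

def parse_config(text):
    """Parse the PHP-style ini: `key[]='v'` appends to a list, `key=v` is a scalar
    (configparser rejects the repeated `key[]` options, hence a hand parser)."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = cfg.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip().strip('\'"')
        if key.endswith('[]'):
            section.setdefault(key[:-2], []).append(value)
        else:
            section[key] = value
    return cfg

def classify(cfg, user, exe, cmdline):
    """Return 'inspect', or why the event is skipped. Assumed semantics: exact
    match on the executable path, regex search over the full command line."""
    core = cfg['core']
    if core.get('module_enabled') != '1':
        return 'skip: module disabled'
    if exe not in core.get('process_names', []):
        return 'skip: not a monitored interpreter'
    if user in core.get('excluded_users', []):
        return 'skip: excluded user'
    for pattern in core.get('excluded_commands', []):
        # 'php.*artisan ' needs the trailing space: a bare `php artisan` is inspected
        if re.search(pattern, cmdline):
            return 'skip: excluded command ' + pattern
    return 'inspect'
```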